Bank Of America Loses 1.2 Million Customer Records

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly effect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"

I wonder how long ago they found out about this?

[bigtallmofo]

You may recall the recent Choicepoint security breach. Apparently there's profit to be made in between finding out about a security breach and actually announcing it!

ChoicePoint execs sold shares before theft news

ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database. Alpharetta, Ga.-based ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board. Corporate governance experts say the pattern and timing of the trading by chief executive Derek Smith and president Douglas Curling raises questions. Smith and Curling did not respond to repeated requests through a spokesman for comment Friday.

Full Story: Twincities.com (Subscription Requred - use bugmenot.com)

Indeed.

[game+kid]

Especially from a company that prided itself in TV ads as one that "engineer[s] our own software" because "one error in a billion" in their checking was one too many.

Well, I guess they have at most 999,999,999 more transactions until we know that they've blown their *ahem*commitment to their consumers--unless you count each person affected as an error here, in which case we can probably sue them for false advertising. Or at least utter stupidity.

That said, I bet someone mixed those backup tapes in their bedroom with their pornos, in which case roughly half of the Government officials are thanking teh Bank this morning.

Data loss is not acceptable

[t_allardyce]

In Europe this bank would be in major trouble. Does the US seriously not have any laws what-so-ever regarding personal information? even for banks and medical records!? I know there are some states where you have to be told if its lost but thats pretty pathetic.

Re:Encryption?

[Motherfucking+Shit]

Yeah, and backups are also barcoded and hand-tranported by courier to and offsite storage/security vault.

Actually they may well be barcoded, they damn sure ought to be encrypted, and they are indeed hand-transported by courier to the backup location. In fact, several of the articles that I read had BOFA blaming ramp workers for stealing the tapes at some stage. IMO that's a cop-out, any ramp agent is going to be hard pressed to leave an airport with something he didn't bring in.

Bank record transportation is (or at least was, before Check21 went into effect) a major and rather vertical industry. The general chain of command is that a courier service picks up "the goods" (cancelled checks, backup tapes, whatever) from a bank, takes the cargo to the nearest airport, and drops it off in one manner or another. Depending on the bank and the courier, the goods are either dropped at the airport Post Office or taken to an airline's cargo input on the ramp.

From there, the obvious happens. Either the items are transported via USPS to their destination, or they fly as commercial cargo and wind up at the destination airport, where another series of couriers collects and delivers it to the receiving location. The article that I saw claimed that BOFA declined to describe how the process works. Well, this is how the process works.

The thing is, bank records are not exactly labeled "PERSONAL FINANCIAL RECORD BACKUPS, TOTALLY SECRET, PLEASE BE CAREFUL." The people who are working as couriers for banks know what they're picking up, but they also know that they're constantly under scrutiny. Once this stuff hits the ramp, it's just cargo as far as airline employees are concerned. It gets on a plane, flies to a destination, and things reverse; ramp agents unload random cargo as far as they know, and then some courier who knows damn well that he's being watched takes it to the receiving bank.

From all accounts, BOFA seems to be blaming ramp agents. I call bullshit. For one thing, nobody goes on or off a ramp without some sort of security check; I should know, I'm on the ramp almost every day. And most of the "secure" cargo flowing through a given ramp is unmarked and can't readily be recognized. The only time you pick up on something "special" is when Customs imounds a shipment.

As far as the explanations I've heard, I say BOFA are full of shit. This wasn't a ramp worker nabbing a case of backup tapes - he'd never have gotten off the ramp. This is negligence one way or another.