Slashdot Mirror


Bank Of America Loses 1.2 Million Customer Records

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly affect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"

14 of 299 comments

  1. heh by aendeuryu · · Score: 5, Funny

    SmartPay program

    Doesn't sound so smart right now...

  2. Well.. by kunwon1 · · Score: 5, Informative

    As a US Government employee (US Air Force to be precise) I can tell you that Bank of America is regarded by most of us (us = gov't employees) as a faceless entity that cares nothing for customer service. I doubt this will come as much of a surprise to those of us who have been required by our occupation to associate with them for some time. Maybe now the powers that be will get their collective head out and pick a new bank.

    --
    Specialization is for insects. -Heinlein
    1. Re:Well.. by heybo · · Score: 4, Informative
      You are right, BoA IS a faceless entity that cares nothing about their customers and only their profits. I live in Atlanta (their corp offices are here). I have been screwed out of my own money by them, and have heard 1,000s of stories that are the same. This has been happening with this bank for over 20 years that I know of. Still people continue to use them.

      I will not use them in any form. I will drive 10 miles out of the way to NOT use even their ATM machines. (No, they ain't even getting my $1.50 for a transaction.)

  3. Well... by JavaMoose · · Score: 5, Insightful
    This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

    Now, I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies. Large corporations only feel something when they lose money, maybe it would send the message that you will be held accountable if you do not take security seriously.

    As we all know, nothing is as valuable as our information.

    1. Re:Well... by reallocate · · Score: 5, Insightful

      This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

      You're hearing about this because of the flap about CheckPoint, and you heard about CheckPoint because of the current flap about identity theft.

      If not for those circumstances, these stories would very likely have been reported in the business press, but otherwise below the general public's radar.

      So, you have no reason to assume that the first appearance of an event on TV or in Slashdot means it never happened before.

      BofA ought, of course, to be held responsible for their behavior. I don't know if these cardholders can sue, since the cards were issued to them in conjunction with their federal employment. And, unless they are able to document loss as a result of the loss, I'm not sure what grounds they'd have for a suit.

      That said, BofA just dug itself a big hole for the next contract recompete. Their accountability may come in the form of losing that recompete. (Don't imagine, though, that a contract of that size will be given to some local mom-and-pop bank.)

      --
      -- Slashdot: When Public Access TV Says "No"
    2. Re:Well... by bombadillo · · Score: 4, Informative

      You are absolutely correct about lawsuits needing to be filed. My wife and I work for two large corporations. I am talking name brands that everyone knows. I was talking to her about a project that I was working on and how the users' info is sorted in the Database by credit card number. There are a few things wrong with this. From a non-security standpoint people have more than one credit card. So you would have plenty of duplicates. From a security standpoint there were loads of problems. Such as the data would be FTP'd from the mainframes to the unix midrange servers. So all of that data would be distributed about the enterprise. Makes absolutely no sense. Especially since there was no reason for the application I was working on to know a credit card number. The only data needed was name and products bought. When talking with my wife about how bad it was she told me that it was the same way in her company. I can only think that these companies built their systems a long time ago and no one has taken on the ambitious project of updating their procedures. From a career standpoint I can't blame them. There is not a big demand to secure these systems better. It would be a huge effort with little reward. If things didn't work your career would be over.

      If lawsuits start being filed there will be a sudden demand to get these systems more secure. It's always annoyed me that financial companies have charged us for their "credit protection" services. I have always felt that if my ID was stolen it would most likely be the fault of a financial institution and not me.

  4. Encryption? by lachlan76 · · Score: 4, Insightful

    But aren't the backups encrypted? Right?

  5. I wonder how long ago they found out about this? by bigtallmofo · · Score: 5, Interesting

    You may recall the recent Choicepoint security breach. Apparently there's profit to be made in between finding out about a security breach and actually announcing it!

    ChoicePoint execs sold shares before theft news

    ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database. Alpharetta, Ga.-based ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board. Corporate governance experts say the pattern and timing of the trading by chief executive Derek Smith and president Douglas Curling raises questions. Smith and Curling did not respond to repeated requests through a spokesman for comment Friday.


    Full Story: Twincities.com (Subscription Required - use bugmenot.com)

    --
    I'm a big tall mofo.
  6. This has been coming for a _long_ time... by ites · · Score: 5, Insightful

    When businesses started collecting huge amounts of detailed data via the web in the mid 1990's, it was clear where we were heading:

    1. unlimited storage capacity meant complex and detailed records could be kept on every person.

    2. guaranteed incompetence meant these records would be abused, lost, exposed and manipulated.

    I don't see either of these trends changing.

    Applies to both commercial and governmental databases. Chaos, mess, confusion, abuse, on a huge and ever-increasing scale.

    Welcome to the 21st century. You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...

    --
    Sig for sale or rent. One previous user. Inquire within.
  7. One more thing... by kunwon1 · · Score: 5, Informative

    GSA Smartpay is a program through which gov't employees are issued what is essentially a company credit card, but the US Gov't is the company. They're used for official purchases, for gas cards for government owned vehicles, etcetera.

    The following website explains it in governmentese:
    http://www.gsa.gov/Portal/gsa/ep/channelView.do?pageTypeId=8199&channelPage=%2Fep%2Fchannel%2FgsaOverview.jsp&channelId=-13497

    --
    Specialization is for insects. -Heinlein
  8. Big Brother's Little Helper? by handy_vandal · · Score: 5, Informative
    ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ... ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board.

    One might easily assume that the executives are profiteering swine, and that the company's board members are colluding at the trough.

    Furthermore, ChoicePoint has a ... questionable history:
    Consider what happened in Florida leading up to the 2000 presidential election. In 1998, the state hired a company called Database Technologies to scrub its voter rolls of ineligible voters. The scrub list was mandated by Florida legislators after a voting fraud investigation revealed dead people had cast ballots in the 1997 Miami mayoral election.

    DBT combed through Florida's rolls and handed over the "ineligible" list to elections officials in May 2000 -- within days of the company's merger with ChoicePoint.

    The problem was that DBT'S list purged the voter rolls not just of felons, who are disqualified from voting in Florida, but of eligible voters whose names resembled those of the felons.

    While Florida and DBT failed to check a number of criteria that could have distinguished the actual felons from the non-felons, one criterion that DBT did bother cross-referencing was race. BBC reporter Greg Palast and a handful of US journalists reported that the majority of the felons on the list were black, so thousands of legitimate black voters with the same names as black felons were struck from the rolls. Because Florida blacks vote heavily Democratic, a disproportionate number of votes for Al Gore were thrown out.

    According to analyses by news organizations, somewhere between 8,000 and 22,000 qualified votes went uncounted. Whatever the number, it towers over 537 -- the margin by which George W. Bush won Florida, and therefore the national election.

    The most jarring part, according to Palast, who broke the story, was that DBT knew the list was flawed -- because a Florida official told DBT, in a 1999 e-mail, "Obviously, we want to capture more names that possibly aren't matches and let the county supervisors make a final determination." Palast says the fact that the company would even hand over known mistakes shows that it doesn't always do its best -- contrary to its corporate mantra -- to protect the government against itself.

    Source
    With companies like that, who needs Big Brother? -kgj
    --
    -kgj
  9. at odds by underworld · · Score: 4, Insightful

    These two statements seem to be at odds with each other:

    "We deeply regret this unfortunate incident," Barbara Desoer, who is in charge of technology, service and fulfillment for the Charlotte-based bank, said in a statement. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."

    Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

    So - they are so concerned about maintaining the security of their data that they gave it (in a very non-descript way mind you) to a group of people outside of their organization who have a history of struggling with integrity.

    yippee...

  10. Annoying by FreeLinux · · Score: 4, Insightful

    I doubt that you meant it that way but your post has rubbed me the wrong way. Yours is just the latest in a long running series of similar posts where the blame for a situation is redirected at the victim.

    The tapes were believed to be stolen by airport baggage handlers during shipment to BoA's offsite facility, likely another datacenter. It's still under investigation so the news agencies are not yet able to accurately report exactly what happened.

    By all accounts BoA has made reasonable effort to protect its data, its tapes and its customers. BoA, and by proxy its customers, are the victim of theft. The blame lies squarely on the shoulders of the thieves and nowhere else.

    In ANY incident, there will always be something more that could have been done to prevent the incident from happening. But it becomes a question of reasonable care. Was reasonable care taken? It certainly seems as if it was in this case.

    Let's put the blame where it belongs. Don't redirect the blame to the victims.

  11. They Are Getting Fined! by Evil+W1zard · · Score: 5, Funny

    They will be getting fined $500 for exposing individuals' personal information and they will also be getting fined $50,000 by the FCC because someone at the company said "Oh Shit!"

    --
    News Reporters Make Tasty Polar Bear Treats!