Over Half a Million Bank Accounts Breached
Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
I'm sure the answer will be higher fees though, so in the long run the banks will be fine.
I'm glad to know that about 1 in 10 people were notified
I have a feeling that most people's social security numbers have been harvested by people who shouldn't have them
So, the people at the banks will face charges, as will the Lembo, the "mastermind".
But, what about the 40 collection agencies and law firms? Will they face civil charges? Criminal charges? Both? Surely they knew they were up to no good, and they were the ones funding the information theft in the first place -- all so that they could illegally harass debtors.
Will the Feds follow the money?
If an individual or group intentionally leaked or sold this information it is most certainly a crime. Laws are a punishment, not an absolute way to prevent crimes. If the perpetrator is convinced they can get away with this and profit from it, then they are not going to be worried about the fine print of the numerous laws they are breaking.
"Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said.
It doesn't matter what laws you enact. If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees. Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones. When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.
In a word, no.
We have several laws that apply to personal data. There are gaps you can drive a truck through, and the industry has spent decades doing just that. (I particularly like the part about how the laws specify that they only apply to "authorized uses" of personal data--so if it's not an authorized use, you can do anything. No, I'm not kidding.)
There are several thousand smaller banks in the United States and many smaller banks have lower fees than those giants and a customer actually means something to those banks.
Great. So far this year I've received a letter from LexisNexis and ChoicePoint. When my identity was stolen at the beginning of the year I thought "How could this happen? I have been so careful with my information." Apparently it doesn't matter how careful *I* am when everyone else just seems to be giving it away. Something has to be done to punish these people other than sending me a letter with how to PAY someone to watch my credit and alert me to "changes".
Holders of mass amounts of critical info need to learn that if they lose it, or mismanage it, they will be held liable for hundreds of millions of dollars in civil penalties, and years in prison for the most egregious cases of negligence.
This is similar to the ChoicePoint breach where account information was sold to an illegitimate company posing as a real customer. The main difference here is that there were "inside guys" who knew the selling of the data was to a bogus firm. What I find most interesting is that the main clients that the perpetrator (Orazio Lembo) sold to were... wait for it... law firms and collection agencies! Talk about a vicious hive of scum and villainy.
I say it will only get worse because the Sarbanes-Oxley Act is coming into effect which requires companies to put into place access controls to monitor/audit who has access to what information (among other things). The SOX, in conjunction with the Gramm-Leach-Bliley Act are forcing corporations to get their financial house in order in such a way that this type of malfeasance is getting much harder to hide. Expect to see more of the same for quite some time.
While I think it's nice that these laws are having their desired effect I still envy those wacky europeans and their data protection laws.
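The post above points out that access-control and audit requirements only help if someone actually reviews who is looking up which accounts. As an added example (not from the article, and not any bank's real tooling), here is a small detector run over a constructed customer-lookup audit log. It flags the pattern the article describes: a senior employee who does not normally work the front line pulling many distinct accounts in a short window, after hours. The log format, field names, roles and thresholds are all assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (assumed format, not from the article):
# one line per customer-record lookup, as a core-banking system might emit.
SAMPLE_LOG = """\
2005-04-28T09:01:12 user=alice role=teller acct=100001
2005-04-28T09:03:40 user=alice role=teller acct=100002
2005-04-28T14:15:09 user=alice role=teller acct=100003
2005-04-28T21:50:01 user=bob   role=vp     acct=200001
2005-04-28T21:50:05 user=bob   role=vp     acct=200002
2005-04-28T21:50:09 user=bob   role=vp     acct=200003
2005-04-28T21:50:13 user=bob   role=vp     acct=200004
2005-04-28T21:50:17 user=bob   role=vp     acct=200005
2005-04-28T21:50:21 user=bob   role=vp     acct=200006
2005-04-28T21:50:25 user=bob   role=vp     acct=200007
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+role=(?P<role>\S+)\s+acct=(?P<acct>\d+)$"
)


def parse_log(text):
    """Parse the assumed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the review
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "role": m["role"],
            "acct": m["acct"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious(events, window=timedelta(hours=1), max_distinct=5,
                    business_hours=(8, 18), frontline_roles=("teller", "branch_mgr")):
    """Return {user: [reasons]} for users whose lookups look like harvesting.

    Three assumed signals, each a policy choice rather than a fact from the article:
      after_hours        - lookup outside business hours
      non_frontline_role - role that does not normally browse single accounts
      bulk_lookup        - more than max_distinct distinct accounts within window
    """
    findings = defaultdict(set)
    recent = defaultdict(deque)  # user -> deque of (ts, acct) inside the window
    for e in events:
        user, ts = e["user"], e["ts"]
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings[user].add("after_hours")
        if e["role"] not in frontline_roles:
            findings[user].add("non_frontline_role")
        q = recent[user]
        q.append((ts, e["acct"]))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if len({acct for _, acct in q}) > max_distinct:
            findings[user].add("bulk_lookup")
    return {u: sorted(r) for u, r in findings.items()}


if __name__ == "__main__":
    for user, reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(user, ", ".join(reasons))
```

The point of the sliding window over distinct accounts is that a single privileged user touching one customer's record is normal; the same user touching dozens in minutes is the signature of an export, whatever their title. Real deployments would tune the thresholds per role and baseline each user against their own history rather than a fixed business-hours range.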
I don't like Bush's policies either, but let's not just make things up, ok? First, not all class action suits are "forced" to federal court, only very large suits.
Second, they're moved to federal court not because federal courts are more business-friendly, but because of procedural differences in state court vs federal court. State courts tend to be more relaxed in due process procedures, and award ridiculous damages that are confiscated by private law firms. The ease with which a class action suit can be won in a small jurisdiction for enormous rewards has caused capitalistic law firms to seek out groups of marginally damaged people and organize them for a suit. This has caused a tenfold increase in class action lawsuits over the last decade.
Meanwhile, plaintiffs from multiple states with complaints against the same defendant could not organize on a federal level and file in federal court, due to procedural restrictions that prevented class action suits from being moved out of state. Thus you had the dangerous situation of one state's courts determining a case that would have national precedent ramifications, and this seriously violates the principles of federalism. For a guy who bitched in his post about removing checks and balances, you're also complaining about legislation that was intended to prevent one state from determining national policy via state courts that are cherry-picked by millionaire attorneys.
The legislation in question removed some of the roadblocks to moving large cases with multistate plaintiffs to federal court by granting original jurisdiction of a case to the District Courts instead of the state courts for large suits in which there are multistate plaintiffs.
You then characterize all this in your tired anti-Bush ranting as some pro-business move that Bush enacted for his cronies. First, that's not how a bill becomes a law, and you ought to know that by now. Presidents do not sponsor legislation in committee, nor vote on them in congress. They sign them.
There are a shitload of legitimate things to criticize President Bush about, but I'm tired of this hate-filled ranting that's misinformed. It's really hard to push for social evolution and progress when most of the people on your side are ignorant and more concerned with politics than anything else.
Oops, I forgot our legislature is too busy removing checks and balances (Senate) and debating corrupt members (House) to get anything else done.
I'm not sure what you're talking about here, so I can't really respond to you. The only major battle I know of in the Senate is over appellate court nominations, and I haven't read anything yet about changes to how nominations are handled.
And fortunately you were technologically savvy enough to check that the link they sent was a legit one, leading to Wachovia's servers. Many do not know where to even begin to do that.
And you're right. Welcome to the 20th century, where requests to "confirm everything," to "update your personal information," or to change your ATM's PIN number because of an information breach can be sent to thousands of mailboxes in an instant, at no cost at all. Sending out a legitimate looking letter via mail, and trying to extract information from the recipient, is much harder, takes much longer, costs much, much more, and is more easily tracked down.
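The reply above says the recipient checked that the link actually led to the bank's own servers. As an added example (not from the post, and not any bank's code), here is the check a practitioner would automate for a link in a "confirm your information" e-mail: parse the URL properly and compare only the real hostname against the bank's registered domain, so the usual tricks (credentials before an `@`, the bank's name as a subdomain of an attacker's domain, a bare IP address, a non-HTTPS scheme, non-ASCII lookalike hostnames) do not pass. The list of bank domains is an assumption for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of domains the bank legitimately uses; in practice this comes
# from the bank's published security page, not from the e-mail itself.
BANK_DOMAINS = ("wachovia.com",)


def is_legit_bank_link(url, bank_domains=BANK_DOMAINS):
    """Return True only if url is an HTTPS link whose real host is the bank's domain
    or a subdomain of it. Everything that merely *looks* like the bank is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # plain http, or a bare "wachovia.com/..." with no scheme
    # hostname strips any user:pass@ prefix and port, and lowercases the host,
    # so "https://wachovia.com@evil.example/" resolves to evil.example here.
    host = parts.hostname
    if not host or not host.isascii():
        return False  # empty host or IDN/homoglyph hostname: do not trust
    try:
        ipaddress.ip_address(host)
        return False  # raw IP literal is never the bank's public site
    except ValueError:
        pass
    for domain in bank_domains:
        # Exact match or a true subdomain. Suffix match on "." + domain prevents
        # "wachovia.com.evil.example" and "notwachovia.com" from passing.
        if host == domain or host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in ("https://www.wachovia.com/login",
                 "https://wachovia.com@evil.example/login",
                 "https://www.wachovia.com.evil.example/login",
                 "http://www.wachovia.com/login"):
        print(link, "->", is_legit_bank_link(link))
```

The domain list is the trust anchor; the hostname comparison is deliberately the only thing the verdict depends on, because the path, query and link text are entirely under the sender's control.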
Seems like the bigger the bank, the bigger the security breach.
Well, duh. You're certainly not going to see 600,000 people's accounts stolen from a credit union with only 20,000 customers. That doesn't mean it's any more secure.
As for punishment, sure, that sounds good, but it would be nearly impossible to implement in a fair manner as, in this case, LexisNexis was not responsible for the breach in any way, shape, or form. Therefore to punish them for a breach not resulting from their actions would be unjust.
How about punishing them for their inactions? If somebody walked in to a military base and stole a nuclear warhead, would you throw up your hands and say "well, it wasn't the military's fault; they're not the ones who stole it"? Of course it's their freakin' fault! Who's supposed to be guarding this stuff??
Then of course, there's the issue of why they need to have this info in the first place. Just as you could argue if we didn't have nuclear weapons in the first place then there'd be no reason to worry about them being stolen, so you could argue that Lexis-Nexis - a company most of us have absolutely no contact with - should not have things like our social security numbers (which are for, you know, our individual social security payments, not anything else) to begin with.
If you are going to take it upon yourself to store my information, then you had damn well better safeguard it. And if you don't, then you should be held liable, and you should be punished severely when data is stolen through your negligence. (And in this case, I define negligence as "any case where your security was lax enough to allow data to be stolen" - or in other words, every single case of a security breach.)
If a company cannot secure this data to the point where it cannot be stolen, then they have no business holding this data to begin with.
Sure, a lot of clear-thinking people get upset to learn their private information has been sold, but I suspect there are also a lot of people who would gladly sell their information for no more than a nominal fee.
I'll bet at least 10% of the population would agree to your getting it all if you offered them $20.
Of course, there's a bit of adverse selection here; the people who would agree to this deal aren't the ones the marketers really want.
As fast as you build walls, people will find some way to breach them. It is outlandish to expect a company to do any more for you than you have contracted with them. When you signed up with your bank, did they promise unbreachable security? I presume that a person so conscious of identity theft would have inquired with their financial institution as to security measures prior to giving them anything, and failing sufficient security, not done business there? In the end, you entrusted your information to some one. Unless you have some agreement about what happens if that data should be compromised, anything they do for you is out of the goodness of their hearts.
Here is perfectly good example of why RealID (tm) is a bad idea. Security is only as good as the people behind it. In case you don't know what RealID is, you'll know soon enough. It passed as part of an emergency war-funding bill. Your driver's license will be the new national ID card. Enjoy. Posting as an AC, because I'm just afraid of my ID being stolen.
My beef is not with banks... They are generally pretty diligent about customer data--they've been doing this stuff for a while now. MY beef (and I believe the parent poster's beef) is a company he has never done business with acquiring, storing, and failing to secure his personal information. Certainly, we should punish the identity thieves--and severely. But the reality is that, in the case of ChoicePoint, (whom the parent poster cited as contacting him,) they simply didn't have adequate protections in place to keep somebody from pretending to be a "legitimate" buyer of personal information. (We'll leave for another day the argument that there should be no such thing as a "legitimate" sale of my personal information by anyone but me. If ChoicePoint wants to PAY ME to list my personal information for their own potential profit, that is another story, of course.)
Bottom line? If ChoicePoint wasn't in the super-sleazy, ethically dubious game of gathering and selling personal information, the data that was "accidentally sold" to these inappropriate persons would never have been divulged--because they never would have had it in the first place to be ABLE To divulge it.
Normally, the break-ins involve Windows (in fact, Windows has some 40% of https space, yet has more than 95% of the thefts). But here Windows is only 1 out of the 4. Solaris accounts for the other 3.
That assumes that they really are on these sites. With the big break-in that occurred with Visa/MC/Discover about 1-2 years ago, it took a while, but they found a Nebraska clearing house running Windows had been broken into, not the CC sites.
Have you ever considered blowing the whistle on their lax security? Really -- contact some media outlets, try to contact large stockholders etc. It's the best thing you could do for the people whose data is held there. You'd be doing a service to society at large.
Sadly, someone from the IT group would always be able to see that info. And this information was leaked by high-ranking executives! What's broken here is the people who were so easily convinced to give the data up... not the banks.
Actually, reading the article, it looks as though it was a bit of an inside job with Orazio Lembo paying off upper-level bank employees. I think if everyone who banks at a bank that does a poor job of security simply takes their money out and goes with a different bank, perhaps a small, local one which often has better interest rates anyway, they would quickly change their practices. Sure, you would be giving up the convenience of tons of ATM locations. But compared with the inconvenience of having your identity and bank account owned, I think having only a few available and free ATM locations is minor.
Since customers are notified, all they have to do is now change their names, ages, and addresses to regain their privacy...
Thank you America, where this is all possible!
It's plain old fraud and the onus should be on the merchants and lenders who fail to verify the identity of the person they are extending credit to.
But no, this is too costly, so they try to put it back on the person whose information is used in the fraud.
It's NOT RIGHT! If someone else borrows money in your name, it's the lender's problem, not yours. Your identity was not stolen. You are still you. The lender is at fault because he failed to exercise due diligence in a climate where fraud is rampant.
Just think about it for a minute. You are NOT the victim of identity theft. You are still you and the other guy screwed some third party. Why should it cost you any money or any time... Instead, the idiots who carelessly or out of greed failed to verify that it was indeed you and not someone else requesting a credit report and credit should pay.
There's a simple solution too.
The credit reporting companies need to stop selling information to anyone other than the person who owns the information. Mainly you if it's your information. You want a loan, you request the information. Hell, if it takes a photo ID and a visit with a rep from the reporting company, then that's what it takes... But it's their problem to solve, NOT yours.
This is pure garbage. We *have* contracted banks to safeguard our personal information. Banks have a host of legal obligations regarding the safeguarding of personal information. And even if they didn't, their websites and agreements are full of statements like:
"Keeping financial and personal information about you secure and confidential is one of our most important responsibilities. Our systems are protected, so information remains secure." (Bank of America, Online Privacy and Security Policy)
I'm sure there are similar statements in the microprint contracts we all threw away the day after opening our checking account.
Heads *will* roll over this.
My girlfriend has made a sexual harassment claim against her boss in the past; not only did the claim go nowhere (because said boss is worshipped by his superiors), but now that more than a year has passed, she has received a poor performance review, on the basis of dubious yet difficult-to-refute statements. She too has decided to move on to another company rather than try to fight.
The people who stole this info were insiders, high-level employees of the bank. They committed the theft, they're responsible. The bank employed them, and was responsible for their actions. Just like if their security guards stole the money you deposited from a vault, before computers, they're responsible. Unless they found that the employees had breached the security protocols in some unpredictable way, not that the protocols were inadequate. Like relying purely on unaccountable trust of single employees without witnesses, as apparently in this case.
When we put our money in the bank, we reasonably expect they won't leave the door unlocked. When they do, or trust someone with a key, they are responsible. It's not each customer's responsibility to audit their security: that's what we have the Treasury, many other government organizations, and professional integrity to rely on. When a bank enables damages by allowing cracks in that security apparatus, they've got to pay the cost.