Over Half a Million Bank Accounts Breached
Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.
lol
The sad thing is this weekend I got two of those emails from different 'banks'. I wonder how many people fall for them. I actually tried to contact the real bank of the first email but their contact us page was impossible so there wasn't anything I could do.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
"The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency."
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.
/snip/
The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.
Hmmm... working for a bank and a "collection agency". Sounds like a conflict of interest banks might want to look out for and possibly stipulate that working for a collection agency is not permitted while working for a financial institution.
The closest the US has is the DMCA, which prohibits the reverse-engineering of encrypted data for the purpose of copying it, which essentially makes it a crime to steal encrypted personal data, but I've yet to hear of anyone actually prosecuted this way and it is extremely unlikely to ever happen.
Largely because commercial companies often don't encrypt personal data for customers.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...do the police intend to track down the information to and "reclaim" it from the collection agencies, advertisers, etc.?
My bank offers:
1. Higher interest rates
2. Interest-bearing checking accounts
3. No fees ever
4. Free online billpay
5. ATM fee refunds (since they don't have their own ATMs)
6. Postage paid envelopes for deposits
7. 24/7 Customer Service with almost 0 hold time
8. No BS
I switched to an internet bank a long time ago and I'll never look back. But I'm not going to tell you what the bank is because I don't want it to turn into a "big bank". Go find your own.
[figz@figz figz]$ kill -9 `ps -ef | awk '$1=="figz" { print $2 }'`
Everyone involved in this should be in jail Now! Ten years apiece is a good start.
And I don't mean Club Fed either.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I'm not quite sure you understand. It was ILLEGALLY sold. Without the permission of the account holder. Meaning that whatever you SAID you didn't sell... doesn't matter.
'If you're flammable and have legs, you are never blocking a fire exit.'
I have an account with Wachovia. About 6 months ago, I started putting rather significant sums in it. Enough that were the account to get robbed, I'd be seriously upset. What concerned me at the time was that I had used my check card for online transactions, though.
The thought that someone could wipe me out financially by cracking an online system got me worried enough that I opened a checking account at a local bank where I now keep a majority of my funds. I move enough into the Wachovia account for paying bills and stuff that are connected to it, but there's never enough in there to completely wipe me out anymore.
And obviously, with the new bank, I won't be using the check card online. Although it looks like mine wasn't affected and it doesn't look like the account info was being used for robbery, I still feel more secure with the new account.
Probably because the larger banks have more of a presence in the towns people live in. I hate getting charged a fee to get to money that is mine from ATMs. Here there are Bank of America machines everywhere. No ATM fees, no having to request ATM fees reversed.
I've NEVER paid a fee with my BoA account. I don't know how so many people have problems. Free bill pay, free online banking, free bank transfers, overdraft protection, free checking. Hell, I even get free checks, not that I write checks anymore though. Only thing I don't like is the horrible interest rate, but that's why I've got an ING account in addition to my BoA accounts.
I've noticed with the small banks (and yes I've looked into them) the online banking sucks, bill pay is a pain in the ass to use and the tellers aren't too bright.
Actually, a lot of UK companies don't realise this yet either.
But the DPA requires:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Deleted
the material encrypted isn't relevant, only that it *was* encrypted.
It is, but any authored organized data is automatically copyright, which means that by creating a database entry with your name, address, SSN, ccard info, etc, in a structured and organized manner, where that structure and organization is preserved by the system, you have created a copyrighted work. Unless, by entering the data, you sign an EULA with the company that the data belongs to them. At which point, you're screwed but the company may be able to claim they have obtained the copyright from you.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I use a "big bank", but as far as I can tell, they make no money off me.
Everything I do with them is "free" - free checking, atm use, etc.
Whenever I have excess money in the bank, it gets swept into an online bank account that pays decent interest, or I send it off to my brokerage account where I gamble it away on bad stock picks ;-)
I buy my checks from random cheapo check printers.
As far as I can tell, I get the benefit of the big bank (lots of atms, grocery store locations, etc) and if anything should happen to my account, security-wise, it's their problem, not mine.
This issue is a bit more complicated than you think.
A while back I got a call at around 4:30 P.M. from a credit card company requesting that I verify I had applied for a Home Depot card via one of those "just sign the line below" forms. I hadn't, so I immediately began the tedious process of requesting credit reports and contacting my bank to check up on unusual activity.
Later, at about 7:00 P.M. the same night, I got a pre-recorded call requesting that I call an 800 number and reference a specific "case code". I wrote down the telephone number and the code, and the next day spent a few minutes on Google chasing down the number. Turns out it was for a law firm in Utah that specialises in handling collection cases (unfortunately, I cannot remember their name). I remember thinking, a) "I don't owe anyone any money" and b) "how in the hell did they get my number?".
Now, I guess I know.
The story ended well for me - there were attempts to steal my identity, but they were all apparently stopped. I never did call the collection firm, so I have no idea what they may have wanted to chat about - seems to me if it was important, they would have used a human instead of a tape. The links I followed from Google were mostly to blogs and forum entries relating to how other folks had received similar calls from this agency, and upon returning them had been informed by the collection agency that they owed some form of money to a bank/credit card company they were representing. The kicker was that they also tried to add an additional fee (some as high as $275 US), payable to the collection agency alone. Other links mentioned how this same company had been banned from business in a lot of states for trying to add this extra fee, and, in essence, refusing to clear the original debt until their extra fee had been paid.
I'm not tense. I'm just terribly, terribly, alert.
Exactly. It's in place. Everybody who has had data stolen should sue their banks. A bank that I just got a mortgage through sold my information, even though I explicitly told them not to. Hence, I'm suing them. It's very simple, actually.
I don't respond to AC's.
One would hope that this type of thing wouldn't happen with a bank that serves the armed forces.
In a sane world yes. However in a sane world one would also hope that our armed forces could act as prison guards without torturing and humiliating their wards.
My old bank fired me for reporting that all daily loan applications including first and last names, social security for borrower and co-borrower and full addresses were wide open on an unsecured windows fileshare with everyone/full control access. All 50,000+ bank employees plus contractors with any windows domain login had full access to view all daily loan applications. These poor people weren't even our customers yet.

I knew my manager would do nothing about it, so I started with a standard IT helpdesk call. At least then my report would be logged. Nothing happened. I then tried several other channels and after a few days, I found the "dept in charge of keeping us off CNN". They immediately secured it and were very thankful of my report. Since I had also noticed many other insecure servers in my time there like daily intra-bank mortgage trade activity and others, I proceeded to report over 15 servers to this group. They fixed everything I reported and were thankful. They advised me not to scan their network because that would be considered hacking, but if I came across unsecured servers over the course of my normal work, I should report it.

All was fine until some other managers got back to my manager asking who was the busy-body in his department causing them this extra security work? At bonus review time, my manager all of a sudden gave me poor ratings, disqualifying me from my $6000 bonus. He had given me an out-of-cycle raise just 5 months earlier for good performance. Go figure. After no raise and no bonus, I was pretty ticked and started escalating the issue with his manager and the nice security group. No response. I then put in for a transfer. My manager then writes me up for a written performance issue, listing security as one of the issues, and made my transfer ineligible for 90 more days. I continued to escalate but a few weeks later, he fired me for not addressing the "performance" issues.
I've thought about finding a lawyer, but I'm much happier with my new employer now and try to just let it go. Ray
I work for a bank in New Jersey (that wasn't compromised). We received information about this a while ago. As I recall, bank employees were paid to provide information about specific individuals sought by collection agencies, which they would find by scanning lists furnished by these agencies and checking to see if the individuals were depositors with the bank. If you're not being sought by a collection agency, the odds are low that your information was compromised.
Bank of America only recently started operating in New Jersey, with the acquisition of Fleet. So I would assume that former depositors of Fleet as well as those who've opened accounts at area branches since the acquisition are vulnerable (as well as depositors at the other affected banks, obviously), but probably not Bank of America customers in other parts of the country.
Nope. It shouldn't be that hard to have every employee's access to every account logged.
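Following on from the logging point above, and the description a few comments up of employees checking collection-agency lists against the depositor base: here is what a first pass over such an access log could look like. This is an added example written for this thread, not code from the article or from any of the banks named in it. The log format, the employee and branch ids, the account numbers and the thresholds are all made up for the example; a real deployment would take them from the bank's own core-banking audit trail.

```python
# Added example (not from the original thread): detection over a constructed
# access log, flagging employees whose account lookups look like list-matching
# rather than customer service.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (hypothetical format):
# timestamp employee employee_branch account account_home_branch action
SAMPLE_LOG = """\
2005-05-20T09:01:12 emp101 NJ01 acct-55012 NJ01 VIEW_BALANCE
2005-05-20T09:05:44 emp101 NJ01 acct-55019 NJ01 VIEW_BALANCE
2005-05-20T09:40:03 emp101 NJ01 acct-55019 NJ01 POST_DEPOSIT
2005-05-20T10:12:30 emp102 NJ02 acct-61003 NJ02 VIEW_BALANCE
2005-05-20T10:13:01 emp102 NJ02 acct-61004 NJ02 VIEW_BALANCE
2005-05-20T10:20:55 emp102 NJ02 acct-61004 NJ02 POST_WITHDRAWAL
2005-05-20T12:00:01 emp207 NJ01 acct-70001 PA03 VIEW_BALANCE
2005-05-20T12:00:09 emp207 NJ01 acct-70002 PA03 VIEW_BALANCE
2005-05-20T12:00:17 emp207 NJ01 acct-70003 NJ02 VIEW_BALANCE
2005-05-20T12:00:25 emp207 NJ01 acct-70004 NJ02 VIEW_BALANCE
2005-05-20T12:00:33 emp207 NJ01 acct-70005 PA03 VIEW_BALANCE
2005-05-20T12:00:41 emp207 NJ01 acct-70006 NJ02 VIEW_BALANCE
2005-05-20T12:00:49 emp207 NJ01 acct-70007 PA03 VIEW_BALANCE
2005-05-20T12:00:57 emp207 NJ01 acct-70008 NJ02 VIEW_BALANCE
"""

READ_ACTIONS = {"VIEW_BALANCE"}


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, emp_branch, acct, acct_branch, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                        "emp_branch": emp_branch, "acct": acct,
                        "acct_branch": acct_branch, "action": action})
    return records


def flag_lookups(records, volume_factor=3, min_hits=5,
                 foreign_ratio=0.5, burst_window=60, burst_count=5):
    """Return {employee: [reason, ...]} for every employee tripping a rule."""
    by_emp = defaultdict(list)
    for r in records:
        by_emp[r["emp"]].append(r)

    # Baseline: how many distinct accounts a typical employee reads.
    distinct = {e: len({r["acct"] for r in rs if r["action"] in READ_ACTIONS})
                for e, rs in by_emp.items()}
    baseline = median(distinct.values())

    findings = {}
    for emp, rs in by_emp.items():
        rs.sort(key=lambda r: r["ts"])
        reads = [r for r in rs if r["action"] in READ_ACTIONS]
        reasons = []

        # 1. Volume: far more distinct accounts than peers.
        if distinct[emp] >= min_hits and distinct[emp] >= volume_factor * baseline:
            reasons.append(f"volume: {distinct[emp]} accounts vs peer median {baseline:g}")

        # 2. Cross-branch: mostly accounts homed at branches other than the employee's.
        foreign = [r for r in reads if r["acct_branch"] != r["emp_branch"]]
        if len(foreign) >= min_hits and len(foreign) / len(reads) > foreign_ratio:
            reasons.append(f"cross-branch: {len(foreign)}/{len(reads)} reads on other branches' accounts")

        # 3. Read-only: lookups never followed by a transaction on that account.
        touched = {r["acct"] for r in rs if r["action"] not in READ_ACTIONS}
        orphan = [r for r in reads if r["acct"] not in touched]
        if len(orphan) >= min_hits and len(orphan) == len(reads):
            reasons.append(f"read-only: {len(orphan)} lookups with no follow-up transaction")

        # 4. Burst: many reads inside a short sliding window (scripted or list-driven).
        times = [r["ts"] for r in reads]
        best, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > timedelta(seconds=burst_window):
                j += 1
            best = max(best, i - j + 1)
        if best >= burst_count:
            reasons.append(f"burst: {best} reads within {burst_window}s")

        if reasons:
            findings[emp] = reasons
    return findings


if __name__ == "__main__":
    for emp, reasons in flag_lookups(parse_log(SAMPLE_LOG)).items():
        print(emp)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log only emp207 is flagged, on all four rules; the two tellers who looked up a couple of accounts and then posted transactions on them are left alone. None of the rules needs the collection agency's list: they key off the shape of the activity (volume against peers, accounts from other branches, reads that never turn into a transaction, and a burst rate no human at a teller window produces), which is what makes the per-employee, per-account logging the comment above asks for worth having.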
I worked at a large financial institution (life insurance, in a branch of a bank. Hell, what I'm saying is 100% accurate so let me say that I'm talking about RBC Insurance - Life, whose offices are in Mississauga, Ontario) a while back, and had full access to hundreds of thousands of customers' data, including specially separated "high net worth" clients. I looked around and realized that on any of the developer PCs (where the user was admin. Actually these morons set DOMAIN\Users as admins, which meant that there was no PC to PC security and any hack could occur by co-opting a coworker) a USB key or PDA could siphon off everything.
Realizing how insanely loose the controls were, I proposed initiative after initiative to tighten up the system, and to add some sort of read logging, but I learned firsthand that financial institutions, presuming this one was par for the course, are 95% politics, and 5% actual concern about customers. The only way any sort of checks and balances were going to be implemented is if it properly gave a handjob to every useless mid-level manager planning their next Machiavellian maneuver (and successfully ensured that I didn't look good out of it, as a shop like RBC is configured in such a way that only the mediocre persist. If you look good, the next time a management churn occurs some clueless twit will purge the clueful). It really was eye opening, and the status quo was maintained and everyone acted like nothing was wrong.
Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to make it more fun they churn their management around with no logic or thought. Remarkable stuff.
Bank of America has separate computer systems for BoA East and BoA West. I too opened my account in CA, but filled out a credit card form with my family's MI address. The result: I had both a checking and credit card account with "BoA", but couldn't see the two in the same online account manager. -e;
The reason we don't have systems like that is because there isn't any financial incentive to implement them.
The reason we don't have this is because, in the USA, the crooks are writing our laws.
Avoid Missing Ball for High Score
The way I see it, many of the companies that collect personal information (banks, radioshack, etc) see little or no value in the information they are protecting; it's only their value of reselling it (e.g., like a pawn shop). As an old, tired example, why does radioshack need a phone number when you buy a battery?
IMHO, the goal should be to make economics work for us. The cost of them collecting and securing it should balance the value they get from selling it. Then if the expected return on investment is zero, why would they even bother to collect it? It's just because right now it costs them little to collect it and they can resell it for more that they do it.
One way to get this is to assign big penalties to losing control of the info so that the expected cost is high. Another way is to just bill them up front (e.g., tax companies for collecting the information). I'm guessing that in the end, some combination of things would be optimal.
Another thing to look at is to licence people (not companies) to handle information. For example, it takes a registered notary public (not a flunky that the bank assigns) to witness signatures on major business transactions. Why can a company assign some skript kitty to process social security numbers? Why should a bank VP have any access at all? Getting notary public certification is trivial for anyone with 1/2 a brain, but they make it very clear that your butt is on the line, not the company's butt, so most of them take it pretty seriously. Something about a few hours studying for a test and a name on a license and some personal responsibility makes most folks take their jobs less like a joke (although you occasionally get the rogue CPA or notary, it isn't very common)... Maybe it's time for a certified public information collection certificate or something like that...
Anyhow, that's just food for thought...
I can't understand the "Group Think" that is going on. The same people who want to unleash the FBI on kiddies who download mp3's seem to never hold businesses accountable for anything.
We are so ripe for authoritarian rule. We want to leave control of our lives to others, and all we expect of security is to punish someone who doesn't cross every t and dot every i when they report on the failures.
The fact that Wachovia has my money and social security number and can demand many things of me without proof (such as fees and late charges), means that conversely, they should be responsible and compensate me for any damages resulting from their failure to live up to this trust. I think I need to pull my money out this week.
I thoroughly expect the news service to retract and fire anyone who reported this, but might have gotten the date wrong.
>>"ad space available -- low rates!!!"
Um... have you thought this through? If what you believe were the law, then any company that has a legal issue, such as liability for security breach, illegal dumping of toxic waste, products that become sentient and wipe out humanity, etc. could get complete absolution if it got bought out by another company. "Oops! Sorry! You can't punish us! We got bought out by Totally Innocent Corp." And you can bet, a buyer can be made to appear at an opportune time, whether it be a real buyer or a shell company set up for the express purpose of ducking liability.
When Company A buys Company B, Company A should not only get the assets of that company, but it also takes on the debts of that company and the responsibility under the law for any past actions of that company. And I believe that's how it works under the law.
How did you find out that they sold your information?
Ya, it is simple ... until you get Republicans trying to pass "tort reform" to take the bite out of lawsuits. Their contributors are getting very irritated because lawsuits cost them too much money. They would like to be able to practice their crookery knowing that there is a cap on the damages they will have to pay. Enter the Republicans.
No, the point was that laws and typical awards vary from state to state. It used to be that you could just pick a state: if a company does business in five states and screws people in all five of them, you could pick any one of the five. If one of the five is friendly to plaintiffs, you'd pick that one. That doesn't mean that all states are plaintiff-friendly.
You could say that the old way was unfair, but I think if you do business in a state you should be subject to its laws. It's certainly more fair than all these companies incorporated in Delaware, where they have no customers but lots of friendly courts.
Also, it makes no sense to claim that the President can't be responsible for a law. I don't know how hard he pushed this particular bill, but he's the most powerful person in the country and the leader of the majority party. His support makes a huge difference in whether a bill gets passed, as he or any member of Congress will tell you.
-- . . ramblin' . . .