Slashdot Mirror


Chase Data for 2.6 Million Ends up in Landfill

svonkie writes to mention a ComputerWorld story about some bad news for some 2.6 Million Chase credit card customers. These folks are being told that tape backups with their information were mistakenly thrown away back in July. There's apparently no need to worry about the possibility of compromised personal information; the company believes the tapes were destroyed at a landfill. Just the same, "To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes. Chase began notifying the affected customers about the incident yesterday and said the process is expected to take two to three weeks. The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes."


  1. indexes? by Loconut1389 · · Score: 5, Interesting

    if they think the tapes were destroyed, how do they know exactly which card numbers were on the tapes? I mean they may know the bulk, but not all, right? or would they? If they got rid of the tapes, would they still have the indexes?

    1. Re:indexes? by LiquidCoooled · · Score: 3, Insightful

      Forget indexes, they were backup tapes not originals.
      This wasn't offline archiving, this was backing up the live data.

      All the original records still exist.

      --
      liqbase :: faster than paper
  2. Encryption!?! by dgatwood · · Score: 4, Funny

    Is this data not encrypted!?!

    Yikes! A dumpster diver's paradise!

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:Encryption!?! by Schraegstrichpunkt · · Score: 2, Informative

      It is, but the key is written on the outside of the tapes. Apparently it's some sort of poor-man's DRM.

    2. Re:Encryption!?! by MECC · · Score: 3, Interesting

      I was working on a project with Equifax, one of the companies that keeps a repository of consumer credit data. We were setting up a VPN to their internal network. I offered to give them my public key so they could encrypt some configuration data. They promptly sent it all in the clear, keys and everything.

      *sigh*

      The sad part is there doesn't appear to be an effective evolutionary mechanism to rid the gene pool of such undesirable traits. Maybe this guy should be in charge of their data security, to help make sure the clueless don't contaminate the rest of the world.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
  3. company named appropriately by User+956 · · Score: 4, Funny

    > These folks are being told that tape backups with their information were mistakenly thrown away back in July.

    Well, they better go Chase it!

    --
    The theory of relativity doesn't work right in Arkansas.
  4. In other news, 3 mil. shot in head by corporation by spun · · Score: 5, Funny

    Company spokesman says, "Ooops. Our bad. Please, Mr. Government, whatever you do to punish us, don't give us lots of money. We hate that." Government officials are trying to determine how much money to punish them with.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  5. They *believe* they were destroyed? by SpaceLifeForm · · Score: 4, Insightful

    Gee, what if this was an inside job, and they
    were placed in the trash to be retrieved later
    before making it to the dump?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:They *believe* they were destroyed? by truthsearch · · Score: 2, Funny

      That would stink.

      (Sorry.)

  6. If I were a Chase customer... by deafpluckin · · Score: 2, Insightful

    ...thinking that the tapes were destroyed is not an acceptable answer. From a PR standpoint they should've just lied or said they were taking actions to make sure they were destroyed.

  7. Circuit City by phatvw · · Score: 5, Informative

    The article summary posted above fails to mention that these were Circuit City credit customers. That is a very important bit of info as many retail credit card holders often have no idea who the issuing bank is.

    1. Re:Circuit City by TubeSteak · · Score: 3, Insightful
      > That is a very important bit of info as many retail credit card holders often have no idea who the issuing bank is.

      True dat.

      I have a CC with a "MBNA America" & "MasterCard" logo on it.

      I called the 1-800 number on the back... and they responded:
      "Hello, this is [Some Gal] with [Company I've Never Heard Of]."

      Makes me wonder, if your CC gets stolen/lost & you don't have a bill handy, how do you remember what number to call and report it?
      --
      [Fuck Beta]
      o0t!
  8. I say... by camperdave · · Score: 5, Funny

    I say they nuke the site from orbit. It's the only way to be sure.

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:I say... by rolfwind · · Score: 5, Insightful

      The landfill or Chase?

    2. Re:I say... by quanticle · · Score: 5, Insightful

      Both. It's the only way to be sure.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    3. Re:I say... by rizole · · Score: 2, Insightful
      I love how this has been modded insightful.

      "Blow stuff up with nukes"....+5 Insightful

  9. Free credit monitoring by earthlingpink · · Score: 4, Insightful
    One year of free credit monitoring?

    Is it just me, or is the whole "pay for" credit monitoring industry a big con?

    You have to PAY to find out what information may or may not be stored about you? It may be correct; it may be erroneous: you don't find out until you've stumped up the cash (and yes, I realise that the credit companies are required to make information available in the event that you are turned down for credit... but what about those who are just curious?).

    And in this instance, what happens when that year is up?

    1. Re:Free credit monitoring by VanillaBabies · · Score: 3, Informative

      As I recall you're allowed 1 free credit report a year every year anyway. Wasn't there a piece of legislation passed that said that?

    2. Re:Free credit monitoring by Anonymous Coward · · Score: 5, Informative

      The FTC website gives good explanation of how you can get a free credit report. You can get one per year for free (as parent mentioned), but you can also get them in other situations, such as if you are the victim of identity theft, or if you are unemployed, etc.. They lay out a few examples of how you can get one in the linked document.

      Someone got an expired credit card number of mine and did some damage on eBay, lucky only for about $200. It still took me approximately 30 hours of my time just to clear the shit up with AOL, eBay, PayPal, and the collection agency that originally contacted me. I also filed a local police report, contacted the FTC, and Equifax. By law one of the major credit agencies has to provide you with a free credit report in those situations. I'm not sure if anything can be done if your information was just "lost", rather than "stolen", but you are at least guaranteed the free credit report each year regardless.

    3. Re:Free credit monitoring by aztektum · · Score: 2, Insightful

      that's great. 3 big companies are required to turn over any records they have pertaining to me once every 12 months, but only at my request.

      the law should require ANY company that keeps customers' private information for any period to at least proactively make the customer aware, then divulge it at no expense to the customer.

      it's my data, they're retaining it for some purpose, usually financial gain. i should be informed, given a cut or the option to have them expunge it.

      --
      :: aztek ::
      No sig for you!!
    4. Re:Free credit monitoring by LifesABeach · · Score: 2, Interesting

      I have the same question as the parent above. But credit checking for only one year? The expiration dates on those cards go far longer than a year. And to think that the data is lost in some pile of trash the size of a small canyon is, to me, criminally foolish. I think a better public relations spin would be to tell Visa, or Master Card that Chase wants to know of any wrongful use of the 'trashed' credit card numbers. Chase could then look like a hero by aggressively bringing to the courts' notice, those bad guys that 'found' the data. Chase could go on to say, "Stealing from the customers of Chase is a great way to get on CNN, while wearing hand cuffs." Big Business may hate bad press, Bad Guys hate it even more, and the little guy likes it when Big Business gives them better service.

    5. Re:Free credit monitoring by h4ck7h3p14n37 · · Score: 2, Insightful

      It's not just a big con, it's incredibly unethical. People should be able to find out what data is stored about them as well as be able to correct erroneous information for no cost. In a computer ethics course I took as an undergraduate we learned about ethical issues related to databases; I can't recall the name of the text we used, but I believe there was a section talking about six ethical principles.

    6. Re:Free credit monitoring by LordKronos · · Score: 2, Informative

      You are able to find out what data is stored. You are entitled to a free annual copy of your credit report from each of the 3 reporting agencies. Further, you are allowed to request they fix incorrect information. If they don't comply and fix incorrect data, there is also a law (which I'm not fully familiar with) which allows you to sue them for it. A couple of the credit-related forums have regular reports of people suing creditors and credit reporting agencies for failure to fix incorrect information and walking away with easy cash for it.

  10. Never trust the garbageman by davidwr · · Score: 4, Funny

    Now we know where this guy funds his science projects and student loans.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. Chase is being up-front about this by davidwr · · Score: 2, Informative

    There's a news summary on their main web page:

    Circuit City Customers

    Chase is notifying a segment of Circuit City credit card account holders that computer tapes containing their personal information were mistakenly discarded.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. So THAT is why they were Suicidal... by Efialtis · · Score: 2, Interesting

    I worked for Chase when this happened.
    The guys couldn't find the tape(s) and were SURE that they had ended up in the storage locker...
    Guess they couldn't find them there...

    --
    --E--
  13. obviously by swelke · · Score: 3, Insightful

    > To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes.

    How in the world would they just now find out that they threw such a thing away if they weren't already conducting some kind of review like that? The truth must be that they were already conducting the review, found the prior mistake, and then used the review as a way of atoning for the mistake.

    --
    Have you ever wondered How to Take Over
  14. Re:Inconceivable! by rtjohn · · Score: 4, Funny

    Inconceivable! You keep using that word. I do not think it means what you think it means

  15. Their incompetence is no surprise by Anonymous Coward · · Score: 4, Informative

    I used to work at a Chase subsidiary, and no amount of IT incompetence from them surprises me. Frankly I'm shocked we were never sued into the ground with the idiotic things they did; for example, sending out tax forms for RV loans late, resulting in customers losing tax refund money; also (it was a "loan servicer") we'd call people 3x or more/day after they'd already spoken to us.

    The corporate intranet webshite had a form that all employees had to agree to yearly. My section all did theirs after I did, and each time they logged in *on different machines and with different accounts* the form thought they were me.

    I know I could name many more things, but it's been a couple years and I've successfully blocked out most of those memories.

  16. Re:Inconceivable! by aGuyNamedJoe · · Score: 2, Funny

    That suggests a limited imagination. It's easily conceived by anyone who's been following such news recently. What may be inappropriately conceivable is that there's a company that could never do such a thing -- if it's possible, it must be that they don't employ humans.

  17. Why am I first hearing about this on Slashdot? by mkraft · · Score: 2, Interesting

    I have a Chase Circuit City credit card. Why am I first hearing about this on Slashdot instead of from an email from Chase?

  18. Re:Standardized management of customer data by JustNiz · · Score: 2, Informative

    Ahh... you mean like:
    CardSystems in Tucson, who lost 40 million Visa and Mastercard account records. CardSystems is one of several companies that process transactions for banks and merchants.

    http://news.com.com/Credit+card+breach+exposes+40+million+accounts/2100-1029_3-5751886.html

  19. No, it's corrupted. by skids · · Score: 4, Funny

    I know this for a fact, because of all the spam I keep getting telling me to fix the particulars of a Chase bank account which I have never had in the first place. Obviously there are bit errors in the data :-)

  20. Re:Human error by mypalmike · · Score: 3, Funny

    > So what it came down to is someone not doing the proper procedure.

    I think they missed the fine print in step 3:

    Chase Inc.
    Procedure manual.
    Page 1.

    While cleaning out the server room:

    1. Place trash barrel in center of room.
    2. Remove tape from backup drive.
    3. Toss backup tape across room to storage rack on opposite side of room.*
    4. Collect all trash and place in trash barrel.
    5. Bring trash to dumpster.

    * Be sure not to allow tape to land in trash barrel.

    --
    There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
  21. This and a letter from the VA Dept on the same day by Infonaut · · Score: 3, Interesting

    Interesting timing. Just a moment ago I opened my mailbox and found a letter from the Department of Veterans Affairs. It seems they found the stolen hard drive that contained personal info on 26.5 million veterans. According to the letter, the FBI found the laptop and hard drive.

    "Based on the results of forensic tests, the Federal Bureau of Investigation (FBI) has told us that they are highly confident the sensitive data were not accessed."

    As a further backup, the VA has "obtained data breach analysis services as a means of further ensuring no misuse of this data occurs in the future."

    Like Chase, the VA is "thoroughly examining every aspect" of their information security program. In the case of the VA snafu, an employee took the laptop home in violation of VA policy. The rash of these incidents makes me wonder how we can expect any sort of large organization to keep a lid on data spills like these, given that most people can't be bothered with basic security precautions even on their own computers. Even if the VA spends millions upon millions of dollars upgrading their security technology and processes (which of course will draw the wrath of opponents of government waste), I'm not sure it will make much difference.

    --
    Read the EFF's Fair Use FAQ
  22. Re:Shiny! by Discordantus · · Score: 2, Informative

    Er, parent post isn't offtopic. He's referring to the firefly episode "Trash", wherein a heist is pulled off by dumping a valuable object in the trash to avoid it setting off alarms on the way out. The valuable item is then retrieved from the trash bin before it makes it to the dump.

  23. I have a related story sorta by Desolator144 · · Score: 2, Interesting

    I was helping a VERY untechnical office staff (most around 50+ years old) move to a new building and while going through the basement, we found floppy backups of their medical and insurance info and they told me they didn't need ones older than 10 years, which there were some of. Before I even said it, they suggested we destroy them somehow because of the sensitive data on them. I ended up putting a scissors blade through a couple hundred floppies, 3 at a time (that was FUN!) But if 50+ year old doctors know that they need to destroy stuff that holds customer data, who the hell would be stupid enough to just throw out tapes? Obviously someone at Chase.

    --
    now stop reading and go play Dance Dance Revolution!
  24. Re:Inconceivable! by dman123 · · Score: 3, Funny

    As you wish.

    [duck]

    --
    dman123 forever!
    Filtering out the -1s and 0s since 1999.