Bank of NY Loses Tapes With 4.5 Million Clients' Data
Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld:
"The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.
Did they lose the station wagon the tapes were being transported in?
Hal Spacejock: Science Fiction with Nuts
While it may look bad, it's still only 1/5th of a metric Britain.
-Grey
Silver Clipboard: Time Management Tips
I thought you had an obligation to encrypt data containing sensitive personal information such as SSNs when transporting them? In Denmark you are required by law to store such data safely, I wonder if it's any different in the US.
They should have put one of those key finder things on the box.
Can we please go more than a few days without this happening yet again? Thanks.
Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?
Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.
digital diarrhea...
So what exactly is homeland security about? It's obviously not about protecting US citizens.
As a government body, shouldn't homeland security be involved in helping to prevent such digital leakage, even if just setting down the rules to follow and pursuing violators of the rules?
It's important to remember things such as this when the usual brainwashed-by-Fox conservatives say stuff like: "if you've nothing to hide, then why are you worried about privacy".
Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and their ilk would have learned their lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 million lawsuits and less work than the PR mess that they now have to clean up.
Name-calling, insults, and general rudeness do not increase the chances that someone will suddenly agree with you.
They can't determine what was on the missing tapes
"The forensic investigation initially identified approximately 270,000 individuals and 409 institutions with data on the tapes. The Company worked closely with its institutional clients to notify these individuals, which was completed by early April."
"The continuing forensic investigation also identified approximately four million additional individuals and 293 additional institutions with data on the tapes. This data took longer to identify and extract because of the manner in which it was stored on the tapes, and BNY Mellon Shareowner Services immediately began the process, in coordination with its institutional clients, of notifying these individuals and offering them comprehensive fraud protection services."
http://www.bnymellon.com/tapequery/shareownerservices.html
The bank should do the responsible thing and offer every affected customer a new identity.
Or more likely, it happened all the time, and the organisations in question were given carte blanche to cover it up. Now that there's been plenty of these in the news, everybody is frantically owning up to their sins before legislation is passed that adequately punishes their neglect.
Yes, but you see, the encryption means that the bank itself has to do the work. In the case of lawsuits and PR issues, they have PR people and lawyers to deal with that, so the bank doesn't do much more work than lifting a finger and saying "go, mortal, and do thy job" or something.
It's always happened to some degree, the major difference is similar to the history of money itself.
It wasn't until recently that millions of people's records were held on digital/analog media. Most things were still carried out via paper and pen, which made the loss of millions of people's data require dumptrucks.
It wasn't until around 2001 or so that things really became "online". And these things are only going to happen more and more frequently now, because as much scare as there may be when this stuff hits the news, it doesn't override people's inherent laziness "oh a few clicks? fuckin A"...
Most people with a lot to lose (millions/billions of dollars) still do not do transactions via digital media, certainly not in an outgoing direction. Until they are hit, this probably won't change no matter how frequently it happens.
(Enter guy carrying way-too-full box of tapes)
la la la...
trip...CRASH!!!!
uh-oh, spageddios!
(Back at the bank of NY)
wah wah wah waaaaaah.
I got a letter on Thursday informing me of the breach. It gave this URL: http://www.bnymellon.com/tapequery/
This page has changed since Thursday. Originally it was only one incident, now it's two. The letter said that I'd get 1 year of credit monitoring at all 3 bureaus, free; when I signed up, I was given (and the page above) two years. The letter said there was no indication that the information had been used, but it also didn't mention what the summary here says - that SSNs and birthdates were on those tapes (I assumed they were).
What really pisses me off isn't that it happened - it's that it took them three fucking months to inform me.
I have 2 accounts with them (for the same employer, which is really stupid). One account requires my SSN, the stock ticker, and a 6-digit PIN. Digits only. Not terribly secure - there's only 10^6 possible PINs, my SSN may be in someone's hands, and there are only a couple thousand stock tickers. The other is a seemingly random ID and a 6-31 digit PIN. My previous PIN was 12 characters. The new one is 31.
I reset both my PINs Thursday night, which took about half an hour - the sites, while not normally speed demons, were obscenely slow that night. I'm hoping it's because people were changing their PINs.
Yep, you're right. I honestly don't know why they haven't (or at least a class-action suit or something similar). I'd love it if one of those "IAAL" types could fill me (and others) in on that.
My point was simply that it would seem prudent to plan for worst-case scenarios. I would think that profit-seeking entities would someday learn how profitable risk management can be, in the long run.
Yes, I'm also aware "the long run" doesn't seem to be in our current corporate culture's lexicon. Hmm... it's possible I just answered one of my own questions.
IIRC, the Social Security Administration itself lambasts this practice on the grounds of 1) the SSN was never meant to be a de facto ID number, 2) they explicitly promised it would not be used as such, and 3) it is completely insecure.
Oh well, too late now.
I am very small, utmostly microscopic.
Damages for possible identity theft and access to your bank account? Hm ... let's pick a figure out of the air of (say) the value of any actual losses plus compensation of (say) $5000 ... triple that as punitive ... so all they have to do is pay up 15 billion dollars and they can continue! No problem.
For every expert, there is an equal and opposite expert. - Arthur C. Clarke
Don't use the bank. Pick a different one. Or stow your fortunez under your mattress. A bank can't make money if you don't lend yours to them.
I hope the executives and all those staff involved in the storage of that data are held accountable. I would fire the lot and ensure they never work with sensitive data again in their careers.
Banks never transport the life savings of 4.5 million people without an armored car. There's probably even a lot of laws that prohibit such blatantly reckless behavior, to say nothing of their insurance coverage depending on following those rules. And if they do "lose" that life savings in transit, without an armored car, the bank has to replace it at the bank's cost, even if that drives the bank out of business.
Of course these people's life data is no different: the bank is responsible for protecting it. So the bank should be required to transport only encrypted media (in an armored car). If the bank "loses" the data, the bank should have to pay and organize the resecuring of all that data, including notifying all the many databases that maintain it, changing ID numbers, getting new ID cards, etc, at absolutely no cost in time or money to the people. And the bank should pay a service that monitors those people for ID theft for at least a dozen years, if not the rest of their lives, and assume liability (for losses and extra bureaucratic work) for any fraud using the data the bank "lost".
There oughtta be a law. As long as the cost of these "accidental losses" is minimal to the banks and other corps handling the data, they will of course spend as little as possible on securing it.
In fact there should be a Federal database of people whose personal data has been exposed. Every database that maintains any significant amount of personal data should be required to check that database every day or so to be sure they aren't using data exposed elsewhere. If they are, they should have to notify the FBI, the org that exposed the data, and the person whose data was exposed, then initiate the replacement process at the cost and effort of the org that exposed it.
Of course such a DB of exposed (and therefore exploitable, and at a rich org's expense) data would be extremely valuable, and the world's primary target of attacks by fraudsters and other bad guys. And the government (especially the one we have today) would be tempted to datamine that data for many other big brother purposes, all supposedly to "protect us" (from "the terrorists", etc). The government would love to use such a service as a pretext for other tyrannies, like a required "national ID card". But securing such a DB, even by the government, is absolutely possible. There are many databases already in use that are never compromised, in both government and private control. If the incentive and procedures are strong enough, this is an operation we can pull off. Probably if supported by a Constitutional Privacy Amendment that puts teeth back into the 4th Amendment, the government would protect our data at least as effectively as it protects, say, our nuclear arsenal. There might be some abuses, but they'd be much fewer, and the damage would be recovered by the irresponsible party instead of ruining the people's lives.
--
make install -not war
People will always make mistakes. They'll be careless and "forget" to encrypt. Or they'll put a post-it with the decryption key on the media. Or they'll disclose decryption information via some other easily intercepted channel (social engineering). Plus, consider the ever advancing capabilities of brute-force decryption technologies. Add to that malicious actions where people actively try to defeat security measures. 3 million IDs released today. 2.5 million next month. 12 million 6 months from now. You can only conclude that eventually (10 years? 20 years? sooner?) every US citizen's name, SSN, address, email address, birthdate, mother's maiden name, first pet's name, favorite sports, high school yearbook pictures, etc. will be widely available to anyone who wants it. So what do we do then? Clearly we will need a much tighter (biometric?) method of identification.
The more you regulate a company, the worse its products become.
In my experience many companies that should care about security don't. I have consistently made companies handling personal information (banks, insurance agencies...) aware of glaring inadequacies in their IT/physical security implementations, and provided recommendations on how to remedy the issues. The usual response to this is to be told that they aren't going to fix them, so stop bringing it up. As I learn more in the areas of network engineering, programming, and database administration I see more and more vulnerabilities.
I see programmers taking shortcuts either due to ignorance, ineptitude, or unrealistic project deadlines being pushed on them. Most programmers don't have a very good understanding of security or network engineering/administration which often exacerbates the issue.
I see a pool of generally incompetent networking engineering/administration staff available every time I begin to interview to fill a position. I see network engineering/administration 'professionals' who eagerly drop responsibility like a hot potato by handing off projects to other business units (EX: development). Once the project is handed off they are often unwilling to work on educating employees in the other business units on items like security. To be a truly valuable network engineer you need to learn multiple technical disciplines and to work with them.
I see management make decisions without appropriately defining project scope, goals, and requirements. I have seen well-planned and thought out projects to enhance security denied simply on the basis that they provide no new shiny feature for management to fawn over or advertise. Management often views security as a cost and as much as they may love to throw around various business terms like Value-Added, Responsibility, Efficiency..., they don't really understand what they mean.
There usually isn't one department to blame. What I have seen is that there are not many 'jack of all trades, specialist of most' and unless your business is strongly compartmentalized with an excellent management team defining policies, procedures, project scope, requirements, goals etc... your business will suffer these issues. The problem being, very few companies can afford this type of configuration (HP, Dell, Defense contractors, etc..). Additionally, if you are a 'jack of all trades, specialist of most', you most likely have avoided working for these companies out of fear of being locked into one functional area, stunting your growth in others.
Based on the above, my question is where does a 'jack of all trades, specialist of most' go to be satisfied in their career?
1.) A large enterprise, where it is likely you will be focused on one functional area and bored.
2.) A small-mid size business where you are likely to see what you would consider atrociously handled sensitive data.
3.) A small-mid size business that doesn't handle sensitive data, but as a result doesn't pay very well and is often not very challenging from an IT perspective.
4.) Become an independent consultant at immense personal financial risk only to learn that you still have to work with the above companies?
5.) Other
To the other (IT focused) 'jack of all trades, specialist of most' out there, are you happy with your career? If so, what do you do? I am looking for some better options.
P.S.
On a side-note I learned something about myself from posting this - I am a lot more bitter than I thought.
---
If that is truly the case, then those tapes wouldn't have been worth a damn for restoration if there had been a disaster.
Sorry for not revealing too many technical details. I'd hate to give a criminal too much to go on.
We get story after story, month after month, about organizations like the Bank of New York or Los Alamos National Laboratories or the British Ministry of Defence losing tapes and disk drives and always, always, always the data is said to be unencrypted.
WHY don't all those centralized-configuration-managing IT departments check the FileVault or the BitLocker checkbox on every laptop that comes in the door?
That fancy automated remote configuration-management software keeps everyone's internal purchase-requisition application in sync... when they're doing the remote update why don't they install TrueCrypt at the same time?
Why don't their purchase orders to Dell for 10,000 new PC's say that as long as they're custom-preinstalling all that other crap anyway they might as well include a commercial encryption package?
Put indignation aside. What, exactly, is the real human organizational and managerial reasons why encryption just doesn't happen?
Are they more worried about employees keeping information from superiors than they are about losing sensitive information to outsiders? Or what?
"How to Do Nothing," kids activities, back in print!
In Canada it is illegal to use a SIN (Social Insurance Number) to identify a person for the purposes of a financial transaction. Employers can't even use it as a way to track employees.
Not that there aren't plenty of other ways of stealing people's identities but at least the government is impeding one of the easiest.
Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
Though banks must collect SIN numbers for the purpose of reporting your earned income (interest, dividend, etc.)
Why bother citing when someone will come along and tell you whom it is you're quoting, anyways ;)
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Letting unencrypted or insufficiently-encrypted data out of their building is.
Sufficiently-encrypted means it can't be broken in a time-frame to be useful to an adversary. If the data is a politician's accepting of a bribe or paying an escort service, that means the life of the politician in question or more.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Despite the near monthly occurrences of these incidents, the fact is that they have very little material impact to the companies who perpetrate them. If consumers, rather than venting on message boards, would in some numbers actually act in such a way that really affects these organizations (like moving their accounts to another bank) you would see more attention. In fact, so few do that there is very little economic disincentive to take any real action by the banks. Send out a contrite press release and be done with it. We saw this week that very little seems to have changed in the security culture at TJX after their breach. Why should it? Their revenue has increased since the incident happened.
Great post, man! As to your question; I'm in college and doing an internship at a small (~20 employees) local company as their 'tech guy', although my major is software development. It's great because while I only make $11/hour, I've gained knowledge and experience in almost every imaginable field.
Our warehouse manager has a degree (or was just a few credits shy of it) in graphical design, and has just decided to go back and work on software development after we've talked about the lack of people who have the ability to both code and do graphical design. He's also started to get into Linux as we've talked about it... he runs a Mac at home, so it's easy to use Boot Camp/Fusion. We constantly give each other ideas. Every now and then, we go off on a tangent and just 'do something'.
That's the value of the small business in my experience. You really do have an ability to influence and encourage your coworkers in a positive way. Also, getting a 'critical mass' to change the way things are done is much easier. I've started to get to the point where if I truly believe I have a good idea (say... encrypting the backups), and feedback from my coworkers is positive, but management disagrees or doesn't listen long enough to understand (I'm still mastering the elevator pitch) what I'm driving at, I'll just do it. The small business arena is the only place where you can get away with this. Just do it, document it and own up if it blows up in your face. If you're, in the least, technically competent, you probably have more job security than you think and if you get fired, you'll land on your feet. Mediocre techs/admins/coders are a dime a dozen, but experienced and talented employees (not to mention jack of all trades, specialist at most) are hard to find and aren't unemployed very long.
Is it just me, or this kind of fun say?
Still waiting on that torrent... You know it's bound to happen at some point.
-Billco, Fnarg.com
I wonder how many of these 'lost tapes' are Tape Trolls forging the records and entering tapes as sent to storage, while they were never done in the first place, due to sleeping on the job...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
This thread was about a run on the bank by the depositors. Two completely different things and I stand by original statement.
Yeah, right. "Lost". Sure.
Data tapes, which are an archive firm's bread-and-butter, do not just "go missing". It just doesn't happen, folks. This data was stolen, sure as I am sitting here.
This archive firm should be held accountable, and so should the bank. I mean BOTH held FULLY accountable, if any of these people are ripped off. Heck, even if each of them is only held 50% accountable, I will be satisfied... as long as there are severe punitive damages as well as actual damages.
It's sad that we're more concerned afterwards. /me watches another identity theft commercial on G4 TV. (I miss TechTV)
Loses Tapes With 4.5 Million...
Hackers have long memories. It works both ways.
But the bank still needs to have your SSN for tax-reporting purposes, and most of the accounts in question have tax implications (interest payments, capital gains, etc.).
So even if they weren't using your SSN for your ID number (which, as I noted in my earlier post, they do sometimes) they'd still have your SSN in the data that was compromised.
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Unfortunately, much more often than monthly... I'd actually be surprised if it were ONLY once per month.
Why are they not held criminally liable under 18 USC 1028 for aiding and abetting identity theft? The mistake is so unconscionable that I'd think that if anybody has an incident that they should file a criminal complaint against the bank. Making it stick is another story but a creative judge could perhaps ruin somebody's day. see http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001028----000-.html
My thought is that the whole thing is broken. It isn't that the SSA is banning anyone from using your SSN. It is required for jobs, most financial transactions, and all that. But most everyone that does financial transactions uses SSN as a major portion of their security. SSN plus DOB and you can steal someone's identity with ease. So the "fix" is not to try to make SSN secure, but make it illegal to put anything on someone's credit record without their permission. If that were done, then everyone would figure out how to secure people instantly. Identity theft is the act of financial institutions blaming someone for having fraud committed in that person's name. The fraud isn't the problem. It's that it messes with someone's credit report. They have problems caused by the financial institution's errors. That is the real crime, and should be illegal.
Learn to love Alaska
I always start worrying when I'm told not to worry...
The bank in this case is "guilty" -- and therefore responsible for -- transporting data on the public streets in plaintext. As others have already mentioned in this thread several times, that is irresponsible... perhaps, quite literally, criminally irresponsible.
But even if it turns out that it was not currently a criminal act, it was certainly an act that was grossly negligent, and they should be held accountable for that.
The Socialist Security number was originally promised not to be used as an identification number. That went out decades ago. The federal government has for a long time required the SSN as your taxpayer ID, and requires it be recorded for all financial dealings. At some time they started requiring it be recorded by states to get a driver's license. It's required to get a passport.
Basically, it's your serial number, and its purpose is to allow the government to more easily control every aspect of your life. That's what governments like to do, you know.
Most people don't even think inside the box.
It would also make credit records useless, because people would refuse to allow anything negative - true or not - to be put onto their records.
You get a credit account. You give them permission to put records on your credit report. They leave good or bad, as you have already given them permission. Or you refuse to give them permission to report, and they deny you the credit account. I see no problem with it.
If they report anything, then this will be a breach of banking privacy and the customers can sue the bank.
The only exceptions:
- money laundering
- where the bank suspects illegal activities (drugs, terrorism funding)
- where they are compelled by a court of law to disclose
- where it is in its interest to do so (it is not as ominous as it sounds --- if they sue you for non-payment, they must disclose to the court how much money you must pay)
Banks need some sort of official identification from their clients when opening accounts, so as to be able to prove that they were not negligent if the account is subsequently used for fraud. The UK court case which is relevant is Marfani & Co Ltd v Midland Bank Ltd [1968] 1 WLR 956, 970-971. This is also the reason that in the past, Banks used to ask for references from existing customers or notable members of the public before opening accounts; although this is no longer practical.
As for tax purposes, the solution is simple: the bank takes X% of any interest received and pays it directly to the government as tax on behalf of its customers. The customers do not have to declare the interest received as income, since it is already net of taxes. Result: the tax man has its money and the public fills in less paperwork.
I am sorry about the legalese in the post; I had to take some banking law courses and I am still recovering from them.
The easy availability of credit to consumers is somewhat curtailed, but there are ZERO cases of identity theft.
As I mentioned, it may not be (probably isn't) illegal. Nevertheless, I still feel it to be grossly negligent.
They hold the stocks for my wife's plan. I wrote to them because I noted that when I navigated to a particular page of her account there was a series of numbers and letters in a block of text at the bottom. Within this block was a string which represented her birthday and another which were the digits of her social security number. They never did respond.
That's why my posts always say "for citation, see child post" !