Slashdot Mirror


Bank of NY Loses Tapes With 4.5 Million Clients' Data

Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld: "The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal."

15 of 156 comments

  1. Re:Stupid by mrbluze · Score: 5, Insightful

    Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.

    This is (just) showing up the way business is done everywhere - on the cheap.

    On the surface, all companies go to the trouble to look good - glossy ads, well appointed offices, important landmark locations, etc. But often, just like in a restaurant, out the back it's all dim lighting, rusty hinges, paint peeling off walls etc.

    Now I'm not saying all companies, but companies of a certain culture. The rest of this comment was going to be total flamebait so I'll leave it there.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  2. Re:So when is the bank declaring bankruptcy by Hankapobe · Score: 4, Insightful

    Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?

    It wouldn't work. The Fed and possibly Congress themselves would bail the bank's ass out to "protect our financial stability" or some other nonsense.

    When you're a big corporate entity in America, you don't have to worry about such trivial things that would put the little guy without the Government connections out of business.

  3. Re:Unencrypted? by mrbluze · Score: 4, Insightful

    Don't you think they use their own bank? What and get exposed for tax evasion when they get audited?
    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  4. Re:Stupid by Gazzonyx · Score: 5, Insightful

    I've got karma to burn, I'll say it for you. This is the problem with MBAs who only watch the bottom line and "know the price of everything and the value of nothing". (stolen from someone on /. from a couple days ago. It's a great quote) The culture you're talking about is the culture of marketing and management making technical decisions they wouldn't dare have the guts to even try to explain to the average slashdotter. I guarantee somewhere there's an admin trying his best not to scream "I told you so". If there isn't, there should be one out of a job for sheer ineptitude. You don't store or transmit data in plain text, ever, period. Especially when it's actual customer information. For crap's sake, I'm a developer and I know that much about administration. No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn. Flame on.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  5. Re:Amazing how rarely this happened until recently by Vectronic · Score: 3, Insightful

    It's always happened to some degree, the major difference is similar to the history of money itself.

    It wasn't till recently that millions of people's records were held on digital/analog media. Most things were still carried out via paper and pen, which made the loss of millions of people's data require dumptrucks.

    It wasn't till around 2001 or so that things really became "online". And these things are only going to happen more and more frequently now, because as much scare as there may be when this stuff hits the news, it doesn't override people's inherent laziness "oh a few clicks? fuckin A"...

    Most people with a lot to lose (millions/billions of dollars) still do not do transactions via digital media, certainly not in an outgoing direction. Until they are hit, this probably won't change no matter how frequently it happens.

  6. Re:really? again? by jimicus · Score: 2, Insightful

    Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and their ilk would have learned their lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 million lawsuits and less work than the PR mess that they now have to clean up. Maybe they haven't learned because none of these incidents have yet resulted in the "4.5 million lawsuits" you're talking about.

  7. Re:So when is the bank declaring bankruptcy by Angostura · Score: 5, Insightful

    It has over 100 Billion dollars in assets.

    That's nice for it. The question is how liquid are those assets and how much cash can it actually get its hands on at short notice. As banks in Britain have noticed, assets just ain't worth what they were.
  8. Re:Digital leakage is getting to be more like by Vectronic · Score: 4, Insightful

    Agreed

    FTFA:
    "he [Blumenthal] said that he is pressing the bank to explain how some backup tapes disappeared while others on the same van arrived intact at the Archive America facility."

    It's not a situation where it all got sent to the wrong place, or trashed accidentally, it was (what I would consider) obvious and intentional theft.

    However, that doesn't mean that it was intended to be sold as a "bundle" on the Black Market, it could just have easily been some disgruntled worker with no real "plan" other than to fuck with the company, or even just get one individual's information from the 4.5 million (although I would likewise assume the former, Black market)

  9. Re:I am one of the people affected by barzok · Score: 4, Insightful

    Sorry to be replying to myself, but when I wrote my previous post I wasn't able to get to TFA. Now I can.

    TFA has a lot of information which wasn't given to customers in the letter. The tapes were unencrypted? I can believe that. I kind of assumed it, which is a sad state of affairs. There were names, DOBs and SSNs on the tapes? That I can believe, and assumed, but like I posted above, it wasn't made known via the notice that was sent out.

    But how the hell can this guy say "that none of the unencrypted data has been accessed or used?" That's impossible for them to know. The tapes are out of their physical control - the people in possession of them now could have skimmed all those records off already, and just haven't used them yet.

    The article doesn't mention the $25K of "insurance" that we get by signing up with the free credit monitoring. Except I'm an NY resident, and by NY state law they can't offer such insurance to me. WTF?

    So here I sit, having managed to go 30 years with a lone incident of a "guessed" CC number as my only brush with identity theft, and now I'm left to be looking over my shoulder for the next several years thanks to this.

  10. Re:So when is the bank declaring bankruptcy by SpinyNorman · Score: 4, Insightful

    US bank assets aren't any better. Bear Stearns had 3.5 x the assets of Bank of NY (350B vs 100B), and that did not stop them from all but disappearing literally overnight before the Fed stepped in to bail out the Bear stockholders with taxpayers' money.

    It's not just a matter of asset liquidity, but also of quality and mark-to-market value. Right now the issue is of toxic mortgage securities that may be on the books at face value but in reality are worth who knows what. Thanks to the repeal of the Glass-Steagall act, there's nothing stopping commercial banks like Bank of NY from making the same stupid decisions as investment banks like Bear Stearns, and who wants to bet that the commercial banks know the markets any better than the investment banks (I'd have assumed the opposite).

  11. Re:Digital leakage is getting to be more like by NotBornYesterday · Score: 4, Insightful

    Dunno. I haven't shopped any fake IDs or credit cards. By sheer swinging, wild-ass guess, I'd propose the following:

    Let's say that one out of 100 accounts gets pilfered lightly - say $100 is mysteriously transferred. That's $4.5 million. Let's say that another 1 out of 100 has their info used to produce fake IDs, and those IDs are sold to illegal immigrants/terrorists/underage college kids/whomever for $500 each. That's $22.5 million.

    So, close to $27 million if you only abuse 2% of the victims.

    What absolutely blows my mind is that if a bank transfers $4.5 million, they use multiple armed guards driving an armored truck. When they transfer 4.5 million customers' worth of data (worth presumably more than $1 each), they use ... who exactly? Archive America? Does anyone know what kind of security measures these jokers take?

    $4.5 million of the bank's money goes missing in an armored car heist, it makes national news immediately, and stays on for weeks. 4.5 million people have their information stolen, and the bank says, "Meh, 'sno big deal. We'll tell them in a few months."

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  12. Those backups weren't worth a damn? by rtfa0987 · Score: 2, Insightful

    "They can't determine what was on the missing tapes"

    ---

    If that is truly the case, then those tapes wouldn't have been worth a damn for restoration if there had been a disaster.

  13. Re:So when is the bank declaring bankruptcy by Chapter80 · Score: 2, Insightful

    It has over 100 Billion dollars in assets.

    Keep in mind that depository accounts at a bank are considered the bank's _liabilities_. A bank's outbound loans are their assets.

    So if you go in and attempt to withdraw your money on deposit, and they pay you with an asset (other than cash on hand), they'd have to somehow give you a note - an IOU, where someone owes the bank money. That doesn't work too well.

    If you don't think bank runs exist today, you need to just look back 2 months ago, to the Bear Stearns failure.

  14. Re:Stupid by Tycho · Score: 2, Insightful

    Hypothetically speaking, events like these shouldn't be unexpected. If the security policies were initially decided on by executives, managers, outside consultants, and sales reps from Microsoft and HP, what do you expect? If the executives just signed off on what they saw and didn't do any research beforehand personally on best security practices using outside resources. If the IT managers were inept, clueless, and had no background in IT and had their last posting in Customer Service, and if these managers are only interested in getting promoted and transferred to another department. If the consultants were airheads and, despite claims to the contrary and even with an expensive presentation, had offered no useful information. If the sales reps from Microsoft and HP were just interested in selling an excessive number of expensive Intel-based servers with several $100K subscription-based licences for Windows 2008 Server. If these things were to happen, it would seem to me that this would indicate that there were serious problems with the managerial staff of such a company.

    On the other hand, this situation may have been the result of a failure of imagination. If, for instance, mailing these tapes became standard policy even though these tapes were never intended to have left the original facility, and thus the records on the tape were never encrypted, this would have been a serious breach of the original security policy. The customer data should have been encrypted in every case, regardless of the storage medium used.

    Strangely enough, I think that some of the problems that are faced in industrial worker safety are similar to those in computer security and that one might find a few useful concepts in a safety review of a BP refinery fire here:

    http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/SP/STAGING/local_assets/assets/pdfs/Baker_panel_report.pdf

    I think that the concepts of process safety, which involves safety in the design of the system, are important. The concept of open communication between employees and management, with no retaliation for mentioning a legitimate potential safety issue, is also important.

    --
    Impersonating Tycho from Penny Arcade since before there was a PA.
  15. Re:So when is the bank declaring bankruptcy by Opportunist · Score: 2, Insightful

    C'mon, you should know better than that.

    Of the 4.5 million people, only about 450k will notice it at all. And I think I'm taking an optimistic guess here.

    Of those 450k, only 450 have the money and the guts to actually sue a bank.

    And then some federal bullshitmaker (senator, congressman, I'm not firm in those things concerning the US) steps in and proposes a bill that whitewashes them retroactively (to "protect the economy" or some other BS) which passes unanimously because it's tacked to something like flags for orphans, leaving 450 people without money on top of their privacy loss.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.