Bank of NY Loses Tapes With 4.5 Million Clients' Data

Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld: "The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.

More importantly ..

[Spacejock]

did they lose the station wagon the tapes were being transported in?

Re:More importantly ..

[Gazzonyx]

No, they lost the intern this time. If we're lucky it'll be the consultant next time! ;)

Re:More importantly ..

[commodoresloat]

Luckily, the tapes were all 8-track tapes so the authorities have said not to worry, nobody will be able to do anything with them.

Re:More importantly ..

[jagilbertvt]

Apparently the courier's van had a broken lock on the door. Also, from what I've heard, the tapes were encrypted when they were sent to Mellon, who then created unencrypted backups which were transported to another location.

http://www.peoples.com/online/help/0,,14408,00.html?cm_mmc=Peoples-_-incident-_-hp-_-whatsnew

New Unit

[Wellington+Grey]

While it may look bad, it's still only 1/5th of a metric Britain.

-Grey

Unencrypted?

[cephah]

I thought you had an obligation to encrypt data containing sensitive personal information such as SSNs when transporting them? In Denmark you are required by law to store such data safely, I wonder if it's any different in the US.

Re:Unencrypted?

[BiggerIsBetter]

Just make the punishment fit the crime: Release the personal information of the company directors into the wild.

Re:Unencrypted?

[mrbluze]

Don't you think they use their own bank? What and get exposed for tax evasion when they get audited?

Re:Unencrypted?

[kungfoolery]

I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that requires encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.

Re:Unencrypted?

[jimicus]

I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that requires encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else. Encryption isn't the point.

The EU laws are more concerned with how you use the data than how you encrypt it. I can't speak for the rest of the EU, but the UK has the Data Protection Act which briefly states:

1. Data may only be used for the purposes for which it was collected. You can't ask me to fill in a questionnaire for market research purposes and then use my answers to crank up my life insurance premiums.
2. Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.
3. Individuals have a right to access personal data, and may not be charged more than a nominal fee for this, subject to some exceptions. So I can write to you and ask what personal data regarding me that you store, but I can't write to the police and ask if they're carrying out an undercover investigation of me. (Well, I can, but they're not obliged to confirm or deny it).
4. Personal information may not be kept for longer than necessary.
5. Personal information may not be transmitted outside the EEA unless the individual has consented or "adequate" protection is in place. (Your company would probably be fine if they signed a contract saying "Regarding all data you send us, we shall store and process it within the law laid down by the EU", but IANAL).

The data protection act is one of the most misunderstood laws in the UK - it's been used as an excuse to avoid doing anything by all sorts of entities in cases where it's plainly irrelevant. Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.

Re:Unencrypted?

Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection)... For one thing, the EU doesn't consider ROT-26 to be twice as effective as ROT-13.

God Bless America

[Grimbleton]

Can we please go more than a few days without this happening yet again? Thanks.

So when is the bank declaring bankrupcy

Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?

Re:So when is the bank declaring bankrupcy

[Hankapobe]

Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?

It wouldn't work. The Fed and possibly Congress themselves would bail the banks ass out to "protect our financial stability" or some other nonsense.

When you're a big corporate entity in America, you don't have to worry about such trivial things that would put the little guy without the Government connections out of business.

Re:So when is the bank declaring bankrupcy

[Vectronic]

http://en.wikipedia.org/wiki/Bank_run

or skip to:
http://en.wikipedia.org/wiki/Bank_run#History

If 4.5 million people is only a fraction of the data the bank had (assuming all data they have is equal to the amount of people they cater to) then if say 20,000,000 people withdrew their money, they'd be fucked, even if they only withdrew $200

Especially considering the decline of the USD, granted, it probably wouldnt lead to a major event like the 'Great Depression' (although its possible) but it would kill that branch, break some bird eggs, make an omelet, etc.

If the "Government" bailed them out (which would technically be the bank giving the government money to bail the bank out) the USD would plummet even further to probably mere tens of pennies.

Re:So when is the bank declaring bankrupcy

[Hankapobe]

I'm aware of bank runs and what they did in the past in the US. Those days are gone. It would have no effect - even on that particular branch. The Bank of New York is a monster mega bank. It has over 100 Billion dollars in assets. This isn't some local yocal bank that Jimmy Stewart runs. And even then, with FDIC insurance, and the current rules for cash reserves, it won't happen. Regulations have been placed here in the US to prevent such a thing happening.

Re:So when is the bank declaring bankrupcy

[Angostura]

It has over 100 Billion dollars in assets.

That's nice for it. The question is how liquid are those assets and how much cash can it actually get its hands on at short notice. As banks in Britain have noticed, assets just ain't worth what they were.

Re:So when is the bank declaring bankrupcy

[Orange+Crush]

Disclosure: I work for BNY Mellon, and no, I have nothing to do with any of this. But we're not a traditional retail bank. It's mostly asset management (running mutual funds, portfolios, etc.). Not the kind of thing you can really make a "run" on.

Re:So when is the bank declaring bankrupcy

[SpinyNorman]

US bank assets arn't any better. Bear Stearns had 3.5 x the assets of Bank of NY (350B vs 100B), and that did not stop them from all but disappearing literally overnight before the Fed stepped in to bail out the Bear stockholders with taxpayers money.

It's not just a matter of asset liquidity, but also of quality and mark-to-market value. Right now the issue is of toxic mortage securities that may be on the books at face value but in reality are worth who knows what. Thanks to the repeal of the Glas-Seagal act, there's nothing stopping commercial banks like Bank of NY from making the same stupid decisions as investment banks like Bear Sterns, and who wants to bet that the commercial banks know the markets any better than the investment banks (I'd have assumed the opposite).

Re:So when is the bank declaring bankrupcy

[tompaulco]

The article says that Archive America lost the tapes, so how is this the banks fault? And why does the heading says Bank of NY loses this data, when in fact it was Archive America which lost all this data? My guess is because Bank of NY has money, but Archive America doesn't.

Re:So when is the bank declaring bankrupcy

[Chapter80]

the USD would plummet even further to probably mere tens of pennies.

Isn't that true now? The USD is worth ten tens of pennies.

:-) Just thought that wording was interesting!

Re:So when is the bank declaring bankrupcy

[Chapter80]

It has over 100 Billion dollars in assets. Keep in mind that depository accounts at a bank are considered the bank's _liabilities_. A bank's outbound loans are their assets.

So if you go in and attempt to withdraw your money on deposit, and they pay you with an asset (other than cash on hand), they'd have to somehow give you a note - an IOU, where someone owes the bank money. That doesn't work too well.

If you don't think bank runs exist today, you need to just look back 2 months ago, to the Bear Stearns failure.

Re:So when is the bank declaring bankrupcy

[Opportunist]

C'mon, you should know better than that.

Of the 4.5 million people, only about 450k will notice it at all. And I think I'm taking an optimistic guess here.

Of those 450k, only 450 have the money and the guts to actually sue a bank.

And then some federal bullshitmaker (senator, congressman, I'm not firm in those things concerning the US) steps in and proposes a bill that whitewashes them retroactively (to "protect the economy" or some other BS) which passes unanimonously because it's tacked to something like flags for orphans, leaving 450 people without money on top of their privacy loss.

Digital leakage is getting to be more like

[3seas]

digital diarrhea...

So what exactly is homeland security about? Its obviously not about protecting US citizens.

As a government body, shouldn't homeland security be involved in helping to prevent such digital leakage, even if just setting down the rules to follow and pursuing violators of the rules?

Re:Digital leakage is getting to be more like

[Yvanhoe]

There is a very good possibility that these data were stolen, not "lost". What is the black-market value of 4.5 million IDs ?

Re:Digital leakage is getting to be more like

[Vectronic]

Agreed

FTFA:
"he [Blumenthal] said that he is pressing the bank to explain how some backup tapes disappeared while others on the same van arrived intact at the Archive America facility."

It's not a situation where it all got sent to the wrong place, or trashed accidentally, it was (what I would consider) obvious and intentional theft.

However, that doesnt mean that it was intended to be sold as a "bundle" on the Black Market, it could just have easily been some disgruntled worker with no real "plan" other than to fuck with the company, or even just get one individuals information from the 4.5 million (although I would likewise assume the former, Black market)

Re:Digital leakage is getting to be more like

[NotBornYesterday]

Dunno. I haven't shopped any fake IDs or credit cards. By sheer swinging, wild-ass guess, I'd propose the following:

Let's say that one out of 100 accounts gets pilfered lightly - says $100 is mysteriously transfered. That's $4.5 million. Let's say that another 1 out of 100 has their info used to produce fake IDs, and those IDs are sold to illegal immigrants/terrorists/underage college kids/whomever for $500 each. That's $22.5 million.

So, close to $27 million if you only abuse 2% of the victims.

What absolutely blows my mind is that if a bank transfers $4.5 million, they use multiple armed guards driving an armored truck. When they transfer 4.5 million customers' worth of data (worth presumably more than $1 each), they use ... who exactly? Archive America? Does anyone know what kind of security measures these jokers take?

$4.5 million of the bank's money goes missing in a armored car heist, it makes national news immediately, and stays on for weeks. 4.5 million people have their information stolen, and the bank says ,"Meh, 'sno big deal. We'll tell them in a few months."

Re:Stupid

[mrbluze]

Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.

This is (just) showing up the way business is done everywhere - on the cheap.

On the surface, all companies go to the trouble to look good - glossy ads, well appointed offices, important landmark locations, etc. But often, just like in a restaurant, out the back it's all dim lighting, rusty hinges, paint peeling off walls etc.

Now I'm not saying all companies, but companies of a certain culture. The rest of this comment was going to be total flamebait so I'll leave it there.

really? again?

[knight0wl]

Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and thier ilk would have learned thier lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 millian lawsuits and less work than the PR mess that they now have to clean up.

The Responsible Thing

[not_surt]

The bank should do the responsible thing and offer every affected customer a new identity.

Re:Stupid

[Gazzonyx]

I've got karma to burn, I'll say it for you. This is the problem with MBAs who only watch the bottom line and "know the price of everything and the value of nothing". (stolen from someone on /. from a couple days ago. It's a great quote) The culture you're talking about is the culture of marketing and management making technical decisions they wouldn't dare have the guts to even try to explain to the average slashdotter. I guarantee somewhere there's an admin trying his best not to scream "I told you so". If there isn't, there should be one out of a job for sheer ineptitude. You don't store or transmit data in plain text, ever, period. Especially when it's actual customer information. For craps sake, I'm a developer and I know that much about administration. No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn. Flame on.

Re:really? again?

[Flamora]

Yes, but you see, the encryption means that the bank itself has to do the work. In the case of lawsuits and PR issues, they have PR people and lawyers to deal with that, so the bank doesn't do much more work than lifting a finger and saying "go, mortal, and do thy job" or something.

Re:Amazing how rarely this happened until recently

[Vectronic]

It's always happened to some degree, the major difference is similar to the history of money itself.

It wasnt till recently that millions of peoples records was held on digital/analog media. Most things were still carried out via paper and pen which made the loss of millins of peoples data require dumptrucks.

It wasnt till around 2001 or so that things really became "online". And these things are only going to happen more and more frequently now, because as much scare as there may be when this stuff hits the news, it doesnt overrides peoples inherit laziness "oh a few clicks? fuckin A"...

Most people with a lot to lose (millions/billions of dollars), still do not do transactions via digital media, certainly not in an outgoing direction. Until they are hit, this probably wont change no matter how frequently it happens.

Re:really? again?

[jimicus]

Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and thier ilk would have learned thier lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 millian lawsuits and less work than the PR mess that they now have to clean up. Maybe they haven't learned because none of these incidents have yet resulted in the "4.5 million lawsuits" you're talking about.

I am one of the people affected

[barzok]

I got a letter on Thursday informing me of the breach. It gave this URL: http://www.bnymellon.com/tapequery/

This page has changed since Thursday. Originally it was only one incident, now it's two. The letter said that I'd get 1 year of credit monitoring at all 3 bureaus, free; when I signed up, I was given (and the page above) two years. The letter said there was no indication that the information had been used, but it also didn't mention what the summary here says - that SSNs and birthdates were on those tapes (I assumed they were).

What really pisses me off isn't that it happened - it's that it took them three fucking months to inform me.

I have 2 accounts with them (for the same employer, which is really stupid). One account requires my SSN, the stock ticker, and a 6-digit PIN. Digits only. Not terribly secure - there's only 10^6 possible PINs, my SSN may be in someone's hands, and there are only a couple thousand stock tickers. The other is a seemingly random ID and a 6-31 digit PIN. My previous PIN was 12 characters. The new one is 31.

I reset both my PINs Thursday night, which took about half an hour - the sites, while not normally speed demons, were obscenely slow that night. I'm hoping it's because people were changing their PINs.

Re:I am one of the people affected

[barzok]

Sorry to be replying to myself, but when I wrote my previous post I wasn't able to get to TFA. Now I can.

TFA has a lot of information which wasn't given to customers in the letter. The tapes were unencrypted? I can believe that. I kind of assumed it, which is a sad state of affairs. There were names, DOBs and SSNs on the tapes? That I can believe, and assumed, but like I posted above, it wasn't made known via the notice that was sent out.

But how the hell can this guy say "that none of the unencrypted data has been accessed or used?" That's impossible for them to know. The tapes are out of their physical control - the people in possession of them now could have skimmed all those records off already, and just haven't used them yet.

The article doesn't mention the $25K of "insurance" that we get by signing up with the free credit monitoring. Except I'm an NY resident, and by NY state law they can't offer such insurance to me. WTF?

So here I sit, having managed to go 30 years with a lone incident of a "guessed" CC number as my only brush with identity theft, and now I'm left to be looking over my shoulder for the next several years thanks to this.

Re:really? again?

[knight0wl]

Yep, you're right. I honestly don't know why they haven't (or at least a class-action suit or something similiar). I'd love it if one of those "IAAL" types could fill me (and others) in on that.
My point was simply that it would seem prudent to plan for worst-case senerios. I would think that profit-seeking entities would someday learn how profitable risk management can be, in the long run.

Yes, I'm also aware "the long run" doesn't seem to be in our current corporate culture's lexicon. Hmm... it's possible I just answered one of my own questions.

When will business listen and stop using SSN?

[gatkinso]

IIRC, the Social Security Administration itself lambasts this practice on the grounds of 1) the SSN was never meant to be a defacto ID number, 2) they explicitly promised it would not be used as such, and 3) it is completely insecure.

Oh well, too late now.

That's fine - just pay reasonable compensation

[AaronLawrence]

Damages for possibly identity theft and access to your bank account? Hm ... lets pick a figure out of the air of (say) the value of any actual losses plus compensation of (say) $5000 ... triple that as punitive ... so all they have to do is pay up 15 billion dollars and they can continue! No problem.

Re:Stupid

[Prune]

Great job citing proper sources *rolleyes*. The quote is from Oscar Wilde and is "The cynic is a man knows the price of everything and the value of nothing." A fucking Google search would have told you that with the first result!

Those backups weren't worth a damn?

[rtfa0987]

"They can't determine what was on the missing tapes"

---

If that is truly the case, then those tapes wouldn't have been worth a damn for restoration if there had been a disaster.

Re:Stupid

[Tycho]

Hypothetically speaking, events like these these shouldn't be unexpected. If the security policies were initially decided on by executives, managers, outside consultants, and sales reps from Microsoft and HP, what do you expect? If the executives just signed off on what he saw and didn't do any research beforehand personally on best security practices using outside resources. If the IT managers were inept, clueless, and had no background in IT and at their last posting in Customer Service and if these managers are only interested in getting promoted and transferred to the another department. If the consultants were airheads and despite claims to the contrary and an even with a expensive presentation had offered no useful information. If the sales reps from Microsoft and HP were just interested in selling an excessive number of expensive Intel-based servers with several $100K subscription-based licences for Windows 2008 Server. If these things were to happen, it would seem to me that this would indicate that there were serious problems with the managerial staff of such a company.

On the other hand, this situation may have been the result of a failure of imagination. If for instance, mailing these tapes became standard policy even though these tapes were never intended to have left the original facility and thus the records on the tape were never encrypted, this would have been a serious breach of the original security policy. The customer data should have been encrypted in every case, regardless of the storage medium used.

Strangely enough, I think that some of the problems that are faced in industrial worker safety are similar to those in computer security and that one might find a few useful concepts in a safety review of a BP refinery fire here:

http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/SP/STAGING/local_assets/assets/pdfs/Baker_panel_report.pdf

I think that the concepts of process safety, which involves the safety in the design of the system are important. Also the concept of open communication between employees and management with no retaliation for mentioning a legitimate potential safety issue is also important.

Re:really? again?

[Chapter80]

Actually, the data was encrypted using a complex algorithm called ASC2 or ASC II or something like that. I'm sure the data is safe. No one will be able to decode it. It's gibberish, written in just zeros and ones. If your Social Security Number contains even ONE digit in the range of 2-9, you should be fine.

Sorry for not revealing too many technical details. I'd hate to give a criminal too much to go on.

Re:When will business listen and stop using SSN?

[S.O.B.]

In Canada it is illegal to use a SIN (Social Insurance Number) to identify a person for the purposes of a financial transaction. Employers can't even use it as a way to track employees.

Not that there aren't plenty of other ways of stealing people's identities but at least the government is impeding one of the easiest.

Meh

[Gazzonyx]

Why bother citing when someone will come along and tell you whom it is you're quoting, anyways ;)