Slashdot Mirror


Bank of NY Loses Tapes With 4.5 Million Clients' Data

Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld: "The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.

7 of 156 comments

  1. Unencrypted? by cephah · · Score: 5, Interesting

    I thought you had an obligation to encrypt data containing sensitive personal information such as SSNs when transporting them? In Denmark you are required by law to store such data safely, I wonder if it's any different in the US.

    1. Re:Unencrypted? by kungfoolery · · Score: 5, Informative

      I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that require encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.

    2. Re:Unencrypted? by jimicus · · Score: 5, Informative

      Quoting kungfoolery:

        I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that require encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.

      Encryption isn't the point.

      The EU laws are more concerned with how you use the data than how you encrypt it. I can't speak for the rest of the EU, but the UK has the Data Protection Act which briefly states:

      1. Data may only be used for the purposes for which it was collected. You can't ask me to fill in a questionnaire for market research purposes and then use my answers to crank up my life insurance premiums.
      2. Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.
      3. Individuals have a right to access personal data, and may not be charged more than a nominal fee for this, subject to some exceptions. So I can write to you and ask what personal data regarding me that you store, but I can't write to the police and ask if they're carrying out an undercover investigation of me. (Well, I can, but they're not obliged to confirm or deny it).
      4. Personal information may not be kept for longer than necessary.
      5. Personal information may not be transmitted outside the EEA unless the individual has consented or "adequate" protection is in place. (Your company would probably be fine if they signed a contract saying "Regarding all data you send us, we shall store and process it within the law laid down by the EU", but IANAL).

      The data protection act is one of the most misunderstood laws in the UK - it's been used as an excuse to avoid doing anything by all sorts of entities in cases where it's plainly irrelevant. Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.

  2. Re:Stupid by mrbluze · · Score: 5, Insightful

    Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.

    This is (just) showing up the way business is done everywhere - on the cheap.

    On the surface, all companies go to the trouble to look good - glossy ads, well appointed offices, important landmark locations, etc. But often, just like in a restaurant, out the back it's all dim lighting, rusty hinges, paint peeling off walls etc.

    Now I'm not saying all companies, but companies of a certain culture. The rest of this comment was going to be total flamebait so I'll leave it there.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]

  3. Re:Stupid by Gazzonyx · · Score: 5, Insightful

    I've got karma to burn, I'll say it for you. This is the problem with MBAs who only watch the bottom line and "know the price of everything and the value of nothing". (stolen from someone on /. from a couple days ago. It's a great quote) The culture you're talking about is the culture of marketing and management making technical decisions they wouldn't dare have the guts to even try to explain to the average slashdotter. I guarantee somewhere there's an admin trying his best not to scream "I told you so". If there isn't, there should be one out of a job for sheer ineptitude. You don't store or transmit data in plain text, ever, period. Especially when it's actual customer information. For crap's sake, I'm a developer and I know that much about administration. No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn. Flame on.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
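The mitigation the comments above are arguing for, as an added example that is not part of the original thread and not BNY Mellon's or Archive America's procedure: encrypt the backup export before it leaves your custody, keep the key on site rather than in the shipping box, and verify the restore path before trusting the tape. It assumes `openssl` (1.1.1 or later, for `-pbkdf2`), `mktemp` and `cmp` are installed; the customer record in it is constructed sample data, not a real one.

```shell
#!/bin/sh
# Added example: encrypt a backup file for off-site transport with a key that
# never travels with the media, then prove the round trip works.
# Assumes: openssl >= 1.1.1, mktemp, cmp. Sample record below is constructed.
set -eu

WORK="$(mktemp -d)"
KEYFILE="$WORK/transport.key"      # stays on site, never on the tape
EXPORT="$WORK/customers.csv"       # the plaintext "backup" that must not ship
ENCRYPTED="$WORK/customers.csv.enc" # the only thing that goes in the box

make_sample_export() {
    # Constructed stand-in for a customer export (not real data).
    printf 'name,dob,ssn\nJane Doe,1970-01-01,123-45-6789\n' > "$EXPORT"
}

generate_key() {
    # 256-bit random key, hex encoded, readable only by this user (umask 077).
    umask 077
    openssl rand -hex 32 > "$KEYFILE"
}

encrypt_for_transport() {
    # AES-256-CBC with a random salt; PBKDF2 stretches the key-file contents.
    # Output is what you hand to the courier; the key file is not.
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$EXPORT" -out "$ENCRYPTED" -pass file:"$KEYFILE"
}

decrypt_from_transport() {
    # $1 = encrypted file, $2 = restore path. Needs the on-site key file.
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$1" -out "$2" -pass file:"$KEYFILE"
}

ciphertext_leaks_plaintext() {
    # Returns 0 (true) if a known plaintext field appears verbatim on the media.
    # On a correctly encrypted tape this must return 1.
    grep -q '123-45-6789' "$ENCRYPTED"
}

roundtrip_ok() {
    # Returns 0 if decrypt(encrypt(export)) is byte-identical to the export.
    # Run this before the tape leaves; a backup you cannot restore is no backup.
    decrypt_from_transport "$ENCRYPTED" "$WORK/restored.csv"
    cmp -s "$EXPORT" "$WORK/restored.csv"
}

make_sample_export
generate_key
encrypt_for_transport
```

Two things to carry over to a real procedure: the plaintext export should be shredded (or never written to the shipping media at all) once the encrypted copy is verified, and the key file belongs in a key-management system or an HSM with its own backup, because losing the key turns the tape into the same kind of loss in the other direction.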

  4. Re:So when is the bank declaring bankruptcy by Angostura · · Score: 5, Insightful

      It has over 100 Billion dollars in assets.

    That's nice for it. The question is how liquid are those assets and how much cash can it actually get its hands on at short notice. As banks in Britain have noticed, assets just ain't worth what they were.

  5. I am one of the people affected by barzok · · Score: 5, Interesting

    I got a letter on Thursday informing me of the breach. It gave this URL: http://www.bnymellon.com/tapequery/

    This page has changed since Thursday. Originally it was only one incident, now it's two. The letter said that I'd get 1 year of credit monitoring at all 3 bureaus, free; when I signed up, I was given (and the page above) two years. The letter said there was no indication that the information had been used, but it also didn't mention what the summary here says - that SSNs and birthdates were on those tapes (I assumed they were).

    What really pisses me off isn't that it happened - it's that it took them three fucking months to inform me.

    I have 2 accounts with them (for the same employer, which is really stupid). One account requires my SSN, the stock ticker, and a 6-digit PIN. Digits only. Not terribly secure - there's only 10^6 possible PINs, my SSN may be in someone's hands, and there are only a couple thousand stock tickers. The other is a seemingly random ID and a 6-31 digit PIN. My previous PIN was 12 characters. The new one is 31.

    I reset both my PINs Thursday night, which took about half an hour - the sites, while not normally speed demons, were obscenely slow that night. I'm hoping it's because people were changing their PINs.