Data Breach Sunday: Bank of New York Mellon Breach: The Governor Is On The Case

May 25, 2008

If you're new here, you may want to subscribe to my RSS feed or get new posts via email. Thanks for visiting!

Normally when a politician starts stirring things up about a current issue I get annoyed because more often than not they are just trying to score political points. However, this time Governor Jodi Rell of Connecticut has my full support.

In mid-May, Bank of New York Mellon notified clients that some of their personal information including name, address, Social Security Number, and date of birth had been lost. The problem? This loss had actually occurred back on February 27th. The impact? Only about 4.5 million customers.

Where’s The Tape?

What we know is that on February 27, BNY Mellon gave 10 backup tapes to Archive Systems Inc for storage. We also know that only 9 of those tapes made it to the facility. What happened to the tape isn’t known.

You would think that a bank the size of BNY Mellon would have strict procedures around data encryption, but… not so much. Incredibly, that tape was not encrypted and therefore the personal information of 4.5 million Americans is out there somewhere.

Not Just BNY Mellon

It doesn’t look like it’s just Mellon data on those tapes. The People’s United Bank of Bridgeport, Webster Bank, and Wachovia also had data on there that BNY Mellon had collected.

Why did BNY Mellon have those other bank’s customers’ information? To offer them investment products of course!

The Governor Gets Involved

The Governor of Connecticut has come out swinging with respect to this data breach. Aside from outrage about the breach itself, Rell is particularly concerned with the lag time between when the tapes were lost and when customers (and the other banks) were notified.

“The disastrous effects of identity theft are virtually instantaneous in today’s computerized world, and the lag time between the theft and the notification only aggravates what is an already outrageous situation,” Governor Rell said. “For a major financial institution such as Bank of New York to lose such a massive amount of customer data is utterly unacceptable. To delay reporting the loss to appropriate authorities and potential victims for more than three months is not only irresponsible but shows a callous disregard for customers.

“These key pieces of personal information – names, birthdates and Social Security numbers – are exactly the pieces of information that identity thieves need most,” the Governor said. “Consumers should have been notified immediately so they could take steps to protect themselves.”

Aside from blustering, the Connecticut government appears to be taking action. They have subpoenaed BNY Mellon, People’s United, Webster Bank, and Wachovia. They have come straight out and said that they are investigating what state laws (if any) have been broken, especially with respect to reporting data breaches in a timely manner.

Poor Response By BNY

The Connecticut Attorney General, Richard Blumenthal, correctly points out that the response to customers by BNY is particularly weak. All they are offering is 1 year of credit monitoring. Credit monitoring?? At the very least they should be offering fraud alert from somewhere like LifeLock or LoudSiren or better yet a credit freeze from TrustedID or something similar. A year of credit monitoring is not going to help the situation.

What’s your opinion of all this? Is this the sort of thing state governments should wade into? Do you think BNY’s response is adequate? Sound off in the comments.

Source: NorwalkPlus.com

Related Posts

Posted in Data Breach Sunday, Identity Theft