According to an article in the on-line version of ComputerWorld, Bank of New York Mellon Corp. transported a box of tapes containing 4.5 million client records containing names, addresses, dates of birth and social security numbers. The data, if you can believe it, was not encrypted.
Who’s to blame?
When the dust settles on this one, I think we’ll see some finger pointing. Sure, the transport company, Archive America, shouldn’t be loosing boxes of tapes. After all, they are an off-site storage company. On the other hand, should any bank be transporting unencrypted tapes? In a word, NO.
And, as is the usually the case in these high profile breaches, the bank took three months before they started notifying those affected customers. I suppose it does take that long to draft a spin program, involve all the corporate lawyers, and get the story straight. And during these three months, is anyone looking in the corporate nooks, crannies, and trash cans for this data?
Of course the bank will offer a free year of credit monitoring. Offer a year? Come on Mellon – you’re a bank, don’t offer it, just do it. Yeah – for all 4.5 million customers.
In the meantime, bank officials are saying “none of the unencrypted data has been accessed or used.” So how do they know this? First: They don’t know where the tapes are so how can they claim they haven’t been accessed? For all they know, I have them here in my living room on my DEC tape drive. Second: How can they say it hasn’t been used? They might be correct if they said it hasn’t been used at their institution, but have they red flagged all three credit bureaus? Apparently not, since they are only offering credit monitoring.
While all this is going on, there’s reports of a “crime wave” of debit card fraud in Central and Southern California. Are they related? No, but that’s for my next post.
Similar Posts:
- Top Fraud Incidents of 2008
- On line credit card fraud is going to soar
- Heartland Data Breach rears its ugly head again
- More on the Heartland Breach
- The Year in Review
