Sunday, June 01, 2008

Bank of New York Mellon reports a second data breach

Last week, the Bank of New York Mellon disclosed that it had lost unencrypted backup tapes containing the personal and financial information of several million people about three months ago.

Now it is being revealed that about a month ago another incident involving a missing (unencrypted) tape occurred. This time, scanned images of checks, along with other assorted sensitive information, disappeared. The Check 21 Act, which took effect in 2004, allows financial institutions to clear electronic images of checks instead of moving the actual paper check itself.

According to a press release on the matter, they are now going to start encrypting the tapes. That only helps if the encryption keys are managed separately and never travel with the tapes; a tape shipped alongside its key is no better protected than a cleartext one. I wonder how many other institutions out there are still not encrypting all of their confidential information?

Ironically, if you read the privacy and security pages on Bank of New York Mellon's site, they seem to be pretty savvy about both identity theft and privacy issues.

The first incident occurred on February 27th, and the now-revealed second incident occurred on April 29th. The February 27th incident was not disclosed until last week, well after April 29th. If they knew the second tape had gone missing on April 29th, why wasn't it reported at the same time as the first one?

Of course, I'm sure that the "official explanation" will be that they didn't know if it was really missing and no one is really sure if the information is being used to commit identity theft.

Here is the lowdown on the April 29th occurrence, as reported in the Pittsburgh Tribune-Review:

The most recent incident occurred on April 29 when a backup data-storage tape containing images of scanned checks and other payment documents was lost while being moved from Philadelphia to Pittsburgh, spokesmen for the bank said Friday. It involved data of 47 institutional clients and a yet to be determined number of individual customers.

A ComputerWorld article by Brian Fonseca highlighted concerns that are being investigated by Connecticut Attorney General Richard Blumenthal, who is working with his peers in other states to determine why it took so long to report the matter. AG Blumenthal is also asking some hard questions as to why some tapes disappeared while others in the same shipment arrived at the storage facility.

The obvious reason he might ask this question is that it probably points to an insider being involved (my speculation). If that is the case, it is very likely they had somewhere to get rid of the information, or, more specifically, to sell it.

His press release on the matter listed a lot of institutions whose customers may have been compromised in these incidents.

One thing I wanted to add is that in the most recent occurrence, they are stating that scanned checks were contained on the tape. A check image carries everything needed to produce a counterfeit: the account and routing numbers, the account holder's name and address, the check layout and a signature. In recent years, we've seen checks counterfeited on a massive scale and sent all over the world via snail mail, or even Federal Express and UPS. A recent joint investigation conducted in several nations revealed that these items were being produced on an industrial scale in certain countries.

Many of these counterfeit checks are passed via "too good to be true" scams on the Internet. There are also organized criminal gangs that pass counterfeit checks in person.

Interestingly enough, the way the laws governing counterfeit checks are written, the banks have almost zero liability and pass the loss off to the entity that accepted them.

Since counterfeit checks are normally exact copies of actual checks, this made me wonder whether the source of the information used to produce them is sometimes the scanned check images being electronically transferred between businesses and financial institutions. Payment (credit/debit) card data is transmitted and stored in much the same way, and there is certainly a long history of those transactions being targeted for criminal purposes.

According to their most recent press release, the Bank of New York Mellon is offering free credit monitoring and identity theft insurance through Experian. This has become standard in the wake of most data breaches, but it doesn't necessarily protect a person from all forms of identity theft.

Some examples of where free credit monitoring doesn't catch identity theft right away are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and, last but not least, when the stolen identity is used to commit crimes of a non-financial nature. None of these necessarily generate a new credit inquiry or tradeline, which is all that credit monitoring watches for.

Additionally, the ComputerWorld article mentions that at least one class-action lawsuit has been filed as a result of this:

This week, a lawyer representing 40 affected individuals filed a class-action lawsuit against the New York bank in Connecticut Superior Court. Attorney Michael Stratton, who represents the plaintiffs, said he is seeking up to seven years of free credit monitoring and credit insurance for customers, along with unspecified damages.

I found a list of companies that might have had their customers compromised in these data breaches on the Connecticut AG site:

People's United Financial Inc., John Hancock Financial Services, Inc. (acquired by Manulife Financial Corporation), The Walt Disney Company, TD Bank Financial Group, The Bank of New York Mellon Corporation, Hudson United Bancorp (acquired by TD Bank Financial Group), United Parcel Service, Inc., Wachovia Corporation, MetLife, Hudson City Bancorp, Eastman Kodak Company, Burlington Resources (acquired by ConocoPhillips Inc.), Providian Financial (acquired by Washington Mutual, Inc.), Penn Fed Financial (acquired by New York Community Bancorp), ADESA, Inc., Alcatel-Lucent, Odyssey America Reinsurance Corporation, Seacoast Financial Services Corp. (acquired by Sovereign Bancorp), Viewpoint Bank, Diamond Shamrock (acquired by ConocoPhillips Inc.), Sound Federal Bancorp (acquired by Hudson City Bancorp), Big Lots, Inc., Guidant Corporation (acquired by Boston Scientific Corp), New York Community Bancorp and ACE Limited.

The Bank of New York Mellon press release on this matter contains information for potential victims.