
Bank of NY Loses Tapes With 4.5 Million Clients' Data

Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld: "The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal."
  • Re:Unencrypted? (Score:5, Informative)

    by BiggerIsBetter ( 682164 ) on Saturday May 31, 2008 @06:07AM (#23608369)
    Just make the punishment fit the crime: Release the personal information of the company directors into the wild.
  • Re:Unencrypted? (Score:5, Informative)

    by kungfoolery ( 1022787 ) <kaiyoung.pak@gmail.com> on Saturday May 31, 2008 @06:26AM (#23608437)
    I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that require encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.
  • Re:Unencrypted? (Score:5, Informative)

    by jimicus ( 737525 ) on Saturday May 31, 2008 @06:52AM (#23608507)

    > I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that require encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.

    Encryption isn't the point.

    The EU laws are more concerned with how you use the data than how you encrypt it. I can't speak for the rest of the EU, but the UK has the Data Protection Act which briefly states:

    1. Data may only be used for the purposes for which it was collected. You can't ask me to fill in a questionnaire for market research purposes and then use my answers to crank up my life insurance premiums.
    2. Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.
    3. Individuals have a right to access personal data, and may not be charged more than a nominal fee for this, subject to some exceptions. So I can write to you and ask what personal data regarding me that you store, but I can't write to the police and ask if they're carrying out an undercover investigation of me. (Well, I can, but they're not obliged to confirm or deny it).
    4. Personal information may not be kept for longer than necessary.
    5. Personal information may not be transmitted outside the EEA unless the individual has consented or "adequate" protection is in place. (Your company would probably be fine if they signed a contract saying "Regarding all data you send us, we shall store and process it within the law laid down by the EU", but IANAL).

    The Data Protection Act is one of the most misunderstood laws in the UK - it's been used as an excuse to avoid doing anything by all sorts of entities in cases where it's plainly irrelevant. Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.
  • by gatkinso ( 15975 ) on Saturday May 31, 2008 @07:42AM (#23608661)
    IIRC, the Social Security Administration itself lambasts this practice on the grounds of 1) the SSN was never meant to be a de facto ID number, 2) they explicitly promised it would not be used as such, and 3) it is completely insecure.

    Oh well, too late now.
  • Re:Stupid (Score:4, Informative)

    by Prune ( 557140 ) on Saturday May 31, 2008 @08:18AM (#23608779)
    Great job citing proper sources *rolleyes*. The quote is from Oscar Wilde and is "The cynic is a man knows the price of everything and the value of nothing." A fucking Google search would have told you that with the first result!
  • by Orange Crush ( 934731 ) on Saturday May 31, 2008 @08:34AM (#23608841)
    Disclosure: I work for BNY Mellon, and no, I have nothing to do with any of this. But we're not a traditional retail bank. It's mostly asset management (running mutual funds, portfolios, etc.). Not the kind of thing you can really make a "run" on.
  • by jagilbertvt ( 447707 ) on Saturday May 31, 2008 @08:41AM (#23608867)
    Apparently the courier's van had a broken lock on the door. Also, from what I've heard, the tapes were encrypted when they were sent to Mellon, who then created unencrypted backups which were transported to another location.

    http://www.peoples.com/online/help/0,,14408,00.html?cm_mmc=Peoples-_-incident-_-hp-_-whatsnew [peoples.com]
  • by tompaulco ( 629533 ) on Saturday May 31, 2008 @09:30AM (#23609087)
    The article says that Archive America lost the tapes, so how is this the bank's fault? And why does the heading say Bank of NY loses this data, when in fact it was Archive America which lost all this data? My guess is because Bank of NY has money, but Archive America doesn't.
  • by S.O.B. ( 136083 ) on Saturday May 31, 2008 @10:44AM (#23609517)
    In Canada it is illegal to use a SIN (Social Insurance Number) to identify a person for the purposes of a financial transaction. Employers can't even use it as a way to track employees.

    Not that there aren't plenty of other ways of stealing people's identities but at least the government is impeding one of the easiest.
