Bank of NY Loses Tapes With 4.5 Million Clients' Data

Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld: "The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal."

  • by Spacejock ( 727523 ) on Saturday May 31, 2008 @04:02AM (#23608233)
    did they lose the station wagon the tapes were being transported in?
  • New Unit (Score:5, Funny)

    by Wellington Grey ( 942717 ) on Saturday May 31, 2008 @04:03AM (#23608237) Homepage Journal
    While it may look bad, it's still only 1/5th of a metric Britain [zdnet.co.uk].

    -Grey [silverclipboard.com]
  • Unencrypted? (Score:5, Interesting)

    by cephah ( 1244770 ) on Saturday May 31, 2008 @04:15AM (#23608261)
    I thought you had an obligation to encrypt data containing sensitive personal information such as SSNs when transporting them? In Denmark you are required by law to store such data safely, I wonder if it's any different in the US.
    • Re:Unencrypted? (Score:5, Informative)

      by kungfoolery ( 1022787 ) <kaiyoung.pak@gmail.com> on Saturday May 31, 2008 @05:26AM (#23608437)
      I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that requires encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.
      • Re:Unencrypted? (Score:5, Informative)

        by jimicus ( 737525 ) on Saturday May 31, 2008 @05:52AM (#23608507)

        I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that requires encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.
        Encryption isn't the point.

        The EU laws are more concerned with how you use the data than how you encrypt it. I can't speak for the rest of the EU, but the UK has the Data Protection Act which briefly states:

        1. Data may only be used for the purposes for which it was collected. You can't ask me to fill in a questionnaire for market research purposes and then use my answers to crank up my life insurance premiums.
        2. Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.
        3. Individuals have a right to access personal data, and may not be charged more than a nominal fee for this, subject to some exceptions. So I can write to you and ask what personal data regarding me that you store, but I can't write to the police and ask if they're carrying out an undercover investigation of me. (Well, I can, but they're not obliged to confirm or deny it).
        4. Personal information may not be kept for longer than necessary.
        5. Personal information may not be transmitted outside the EEA unless the individual has consented or "adequate" protection is in place. (Your company would probably be fine if they signed a contract saying "Regarding all data you send us, we shall store and process it within the law laid down by the EU", but IANAL).

        The data protection act is one of the most misunderstood laws in the UK - it's been used as an excuse to avoid doing anything by all sorts of entities in cases where it's plainly irrelevant. Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.
        • Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.

          Just because the police come asking for the data does not mean it's legal or that you're under obligation to give it. You would definitely want to see some legal paperwork first.

      • You would think there would be laws requiring encrypted storage of PII, but even HIPAA, probably the more proscriptive gov't regulation (though woefully inadequate), doesn't require it. The language is much more general requiring protections, of which encryption could be one factor.

        Here's the deal, US corporations will do the absolute least to spend money on protecting data. The fines are low enough to simply not matter and there is no indication that their business suffers much of a hit.

        The only way
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection)...
        For one thing, the EU doesn't consider ROT-26 to be twice as effective as ROT-13.

      • Few easy ways to do this. 1) if the receiving organisation is Safe Harbor (and has decent data security) then you're good. 2) put the EC Model Contracts (google them) in place between your respective organisations. 3) if the shipment is internal, use Binding Corporate Rules (again, Google these).
    • There's been some movement in that direction but it's not complete or comprehensive.

      Under HIPAA, encryption is not required but is "addressable", which means you've got to at least do something just as good and document how it's at least as good and why you're using it instead.

      Many breach laws exempt you from disclosure requirements if you stored the data encrypted.

      The Payment Card Industry's private sector regulations for credit card data require it to be stored in some kind of obscured form, with crypto b
  • Can we please go more than a few days without this happening yet again? Thanks.
  • by Anonymous Coward
    Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?
    • by Hankapobe ( 1290722 ) on Saturday May 31, 2008 @05:18AM (#23608413)

      Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?

      It wouldn't work. The Fed and possibly Congress themselves would bail the banks ass out to "protect our financial stability" or some other nonsense.

      When you're a big corporate entity in America, you don't have to worry about such trivial things that would put the little guy without the Government connections out of business.

      • by Vectronic ( 1221470 ) on Saturday May 31, 2008 @05:38AM (#23608483)
        http://en.wikipedia.org/wiki/Bank_run [wikipedia.org]

        or skip to:
        http://en.wikipedia.org/wiki/Bank_run#History [wikipedia.org]

        If 4.5 million people is only a fraction of the data the bank had (assuming all data they have is equal to the amount of people they cater to) then if say 20,000,000 people withdrew their money, they'd be fucked, even if they only withdrew $200

        Especially considering the decline of the USD, granted, it probably wouldn't lead to a major event like the 'Great Depression' (although it's possible) but it would kill that branch, break some bird eggs, make an omelet, etc.

        If the "Government" bailed them out (which would technically be the bank giving the government money to bail the bank out) the USD would plummet even further to probably mere tens of pennies.
        • by Hankapobe ( 1290722 ) on Saturday May 31, 2008 @05:47AM (#23608495)
          I'm aware of bank runs and what they did in the past in the US. Those days are gone. It would have no effect - even on that particular branch. The Bank of New York is a monster mega bank. It has over 100 Billion dollars in assets. This isn't some local yokel bank that Jimmy Stewart runs. And even then, with FDIC insurance, and the current rules for cash reserves, it won't happen. Regulations have been placed here in the US to prevent such a thing happening.
          • Yeah, Jimmy Stewart's bank is here in Indiana, PA, if anywhere.
          • by Angostura ( 703910 ) on Saturday May 31, 2008 @06:19AM (#23608583)

            It has over 100 Billion dollars in assets.

            That's nice for it. The question is how liquid are those assets and how much cash can it actually get its hands on at short notice. As banks in Britain have noticed, assets just ain't worth what they were.
            • by SpinyNorman ( 33776 ) on Saturday May 31, 2008 @07:42AM (#23608871)
              US bank assets aren't any better. Bear Stearns had 3.5 x the assets of Bank of NY (350B vs 100B), and that did not stop them from all but disappearing literally overnight before the Fed stepped in to bail out the Bear stockholders with taxpayers' money.

              It's not just a matter of asset liquidity, but also of quality and mark-to-market value. Right now the issue is of toxic mortgage securities that may be on the books at face value but in reality are worth who knows what. Thanks to the repeal of the Glass-Steagall act, there's nothing stopping commercial banks like Bank of NY from making the same stupid decisions as investment banks like Bear Stearns, and who wants to bet that the commercial banks know the markets any better than the investment banks (I'd have assumed the opposite).

              • You folks are talking about the traders and how they're managing the bank's capital.

                This thread was about a run on the bank by the depositors. Two completely different things and I stand by original statement.

                • The two things are highly related - a run on the bank is only an issue (and is only likely to happen in the first place) if the bank doesn't have sufficient liquid assets to meet the demand. e.g. A bank whose assets were in government bonds would not have an issue selling them if necessary to meet withdrawals, but one who has to dump highly illiquid securities (e.g. low quality mortgage derivatives) into a falling market is not going to be so lucky.
                  • I agree.

                    At risk of sounding like someone who's going to turn this thread into an endless tar baby thing....

                    A bunch of folks pulling out a few thousand at most will not have the effect of a trader losing billions at one shot, if any. That's my point, basically. Otherwise, I'm right with you.

                    And I promise to stop posting to this thread :) - and I'll concede, that more than likely, I'll read something in the Economist that'll back you up completely (American Laws and everything) and I'll feel like a complete

          • That may be, but what are the assets? and where does the money come from? Especially if those people who withdrew their money, either keep it, or convert it.

            Inflation is the only resolution, well, I suppose if worse came to hell, The Department Of The Treasury, could simply say "alright, that money is no longer legal tender anyways" and switch to something else.

            As a side note:
            "The company [BNY] has annual revenues of about $13 billion, and pro-forma market capitalization of about $50 billion. ...
            It also ser
            • So if those 20 Million withdrew $3150 each (or on average) they wouldn't make anything that year.
              The problem with this plan is that most of their customers are net borrowers. Taking their business elsewhere would mean paying that money to the bank, not withdrawing it. Sorry.
          • Regulations were put in place... and have since been undone. The Glass-Steagall act was repealed in 1999.
          • Re: (Score:3, Insightful)

            by Chapter80 ( 926879 )

            It has over 100 Billion dollars in assets.

            Keep in mind that depository accounts at a bank are considered the bank's _liabilities_. A bank's outbound loans are their assets.

            So if you go in and attempt to withdraw your money on deposit, and they pay you with an asset (other than cash on hand), they'd have to somehow give you a note - an IOU, where someone owes the bank money. That doesn't work too well.

            If you don't think bank runs exist today, you need to just look back 2 months ago, to the Bear Stearns failure. [wsj.com]

        • by Orange Crush ( 934731 ) * on Saturday May 31, 2008 @07:34AM (#23608841)
          Disclosure: I work for BNY Mellon, and no, I have nothing to do with any of this. But we're not a traditional retail bank. It's mostly asset management (running mutual funds, portfolios, etc.). Not the kind of thing you can really make a "run" on.
        • Re: (Score:3, Interesting)

          by Chapter80 ( 926879 )

          the USD would plummet even further to probably mere tens of pennies.
          Isn't that true now? The USD is worth ten tens of pennies.

          :-) Just thought that wording was interesting!

        • I don't know about the US, but some countries (like mine) made laws that should prevent something like this from happening.

          Here, 9% of a bank's assets have to be "immediately liquid". With "immediate" meaning a few hours to a few days. Technically this means that banks have accounts with each other, holding those precious 9% in daily due accounts.

          So it is in theory possible to make this happen again, but you'd have to run ALL the banks, at once. This is fairly unlikely. People with money (because, well, who
          • I believe there's a similar law in the US. However, the main reason that there will never be a bank run is that, in the US, the first $100,000 of each account is insured by FDIC (i.e., the government). So it really doesn't matter if the bank completely folds.
    • Re: (Score:3, Informative)

      by tompaulco ( 629533 )
      The article says that Archive America lost the tapes, so how is this the bank's fault? And why does the heading say Bank of NY loses this data, when in fact it was Archive America which lost all this data? My guess is because Bank of NY has money, but Archive America doesn't.
      • The Bank is responsible for the safe handling of the data. Sure, they can subcontract aspects of it but ultimately the bank's customers have entrusted their data to the bank and not the third party archiving company.
      • by Minwee ( 522556 )

        If a set of backup tapes belonging to the Bank of New York fell into the hands of Archive America without BNY's knowledge or approval, then there's something even more horribly wrong than we first imagined.

        If I borrow your car from you, then hand the keys over to some random drunk guy I meet in a bar, would you still say it's my fault when your car gets wrapped around a tree?

        • If I borrow your car from you, then hand the keys over to some random drunk guy I meet in a bar, would you still say it's my fault when your car gets wrapped around a tree?
          Frankly, I would sue you, the drunk guy, and just to be sure, the tree.
          One presumes, though that BoNY did proper due diligence in researching their archiving company, and a slipup like this from the archiving company is completely unexpected. But BoNY is still to blame for not encrypting their data, and Archive America is to blame for
          • by Minwee ( 522556 )

            You know what they say about presuming... It makes a pre out of sue and me.

            Or something like that.

            Personally, I blame Canada.

    • Re: (Score:3, Insightful)

      by Opportunist ( 166417 )
      C'mon, you should know better than that.

      Of the 4.5 million people, only about 450k will notice it at all. And I think I'm taking an optimistic guess here.

      Of those 450k, only 450 have the money and the guts to actually sue a bank.

      And then some federal bullshitmaker (senator, congressman, I'm not firm in those things concerning the US) steps in and proposes a bill that whitewashes them retroactively (to "protect the economy" or some other BS) which passes unanimously because it's tacked to something like fl
  • Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.
    • Re:Stupid (Score:5, Insightful)

      by mrbluze ( 1034940 ) on Saturday May 31, 2008 @05:15AM (#23608405) Journal

      Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.

      This is (just) showing up the way business is done everywhere - on the cheap.

      On the surface, all companies go to the trouble to look good - glossy ads, well appointed offices, important landmark locations, etc. But often, just like in a restaurant, out the back it's all dim lighting, rusty hinges, paint peeling off walls etc.

      Now I'm not saying all companies, but companies of a certain culture. The rest of this comment was going to be total flamebait so I'll leave it there.

      • Re:Stupid (Score:5, Insightful)

        by Gazzonyx ( 982402 ) <scott.lovenberg@nOspam.gmail.com> on Saturday May 31, 2008 @05:45AM (#23608491)
        I've got karma to burn, I'll say it for you. This is the problem with MBAs who only watch the bottom line and "know the price of everything and the value of nothing". (stolen from someone on /. from a couple days ago. It's a great quote) The culture you're talking about is the culture of marketing and management making technical decisions they wouldn't dare have the guts to even try to explain to the average slashdotter. I guarantee somewhere there's an admin trying his best not to scream "I told you so". If there isn't, there should be one out of a job for sheer ineptitude. You don't store or transmit data in plain text, ever, period. Especially when it's actual customer information. For crap's sake, I'm a developer and I know that much about administration. No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn. Flame on.
        • Re:Stupid (Score:4, Informative)

          by Prune ( 557140 ) on Saturday May 31, 2008 @07:18AM (#23608779)
          Great job citing proper sources *rolleyes*. The quote is from Oscar Wilde and is "The cynic is a man who knows the price of everything and the value of nothing." A fucking Google search would have told you that with the first result!
          • Meh (Score:3, Funny)

            by Gazzonyx ( 982402 )
            Why bother citing when someone will come along and tell you whom it is you're quoting, anyways ;)
        • Re: (Score:3, Insightful)

          by Tycho ( 11893 )
          Hypothetically speaking, events like these shouldn't be unexpected. If the security policies were initially decided on by executives, managers, outside consultants, and sales reps from Microsoft and HP, what do you expect? If the executives just signed off on what they saw and didn't do any research beforehand personally on best security practices using outside resources. If the IT managers were inept, clueless, and had no background in IT and at their last posting in Customer Service and if these ma
        • by davie ( 191 )

          No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn.

          I think you just described most of the people in management in American corporations. I hope the number is better elsewhere, but I doubt it. Until we stop chug-a-lugging the "stupid people can manage anything without knowing anything about it" Kool-Aid we're going to keep suffering the same failures. How long can America survive when the smart people stay on the sidelines building wealth

    • Once they decide to encrypt the information, what are the chances of the passphrase written on a Post-it on the tape?
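The thread keeps returning to the same two points: the tapes should have been encrypted before they left the bank, and the key must not travel with them (the "passphrase on a Post-it" problem). The following Go program is an added illustration of what that looks like in code; it is not code from the original page, from BNY Mellon or from Archive America. It uses AES-256-GCM from Go's standard library, so a tape that is altered in transit or opened with the wrong key fails closed rather than decrypting to garbage. The customer records, the function names (NewTapeKey, SealBackup, OpenBackup, TapeLeaksPlaintext) and the field-marker check are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleBackup is a constructed stand-in for the kind of records the story
// describes (names, birth dates, SSNs). None of these values are real.
const SampleBackup = "name=Alice Example;dob=1970-01-01;ssn=000-00-0000\n" +
	"name=Bob Example;dob=1980-02-02;ssn=000-00-0001\n"

// PlaintextMarkers are field labels that must never be readable on a tape
// that leaves the building; TapeLeaksPlaintext uses them as a cheap guard.
var PlaintextMarkers = [][]byte{[]byte("name="), []byte("dob="), []byte("ssn=")}

// NewTapeKey generates a fresh 256-bit AES key. The key is the part that stays
// with the bank (a key-management system, an HSM, or at minimum a separate
// custodian); it is never written to the tape or shipped in the same box.
func NewTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD used by both SealBackup and OpenBackup.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts and authenticates a backup image. Output layout is
// nonce || ciphertext || GCM tag; a random nonce is prepended so that two
// images of the same data never produce the same payload.
func SealBackup(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup reverses SealBackup. GCM checks the tag before returning any
// plaintext, so a tampered payload or a wrong key yields an error, not data.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed payload too short to contain a nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// TapeLeaksPlaintext reports whether any field marker is visible in the payload
// about to be handed to the courier. It guards against shipping the raw image
// by mistake; it is not a substitute for the encryption itself.
func TapeLeaksPlaintext(payload []byte) bool {
	for _, m := range PlaintextMarkers {
		if bytes.Contains(payload, m) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewTapeKey()
	if err != nil {
		panic(err)
	}
	tape, err := SealBackup(key, []byte(SampleBackup))
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape: %d bytes, plaintext visible: %v\n", len(tape), TapeLeaksPlaintext(tape))
	restored, err := OpenBackup(key, tape)
	fmt.Printf("restore ok: %v, matches original: %v\n", err == nil, bytes.Equal(restored, []byte(SampleBackup)))
}
```

What goes in the courier's box is only the output of SealBackup; the key from NewTapeKey is retained by the bank and looked up by tape identifier at restore time. Losing the box then costs the bank a tape, not 4.5 million identities, which is also the condition most of the breach-notification safe harbours mentioned earlier in the thread turn on. Encryption does nothing about the separate question of why birth dates and SSNs were on the tape at all.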
  • by 3seas ( 184403 ) on Saturday May 31, 2008 @05:07AM (#23608373) Homepage Journal
    digital diarrhea...

    So what exactly is homeland security about? Its obviously not about protecting US citizens.

    As a government body, shouldn't homeland security be involved in helping to prevent such digital leakage, even if just setting down the rules to follow and pursuing violators of the rules?
    • Re: (Score:3, Interesting)

      by Yvanhoe ( 564877 )
      There is a very good possibility that these data were stolen, not "lost". What is the black-market value of 4.5 million IDs?
      • by Vectronic ( 1221470 ) on Saturday May 31, 2008 @06:32AM (#23608619)
        Agreed

        FTFA:
        "he [Blumenthal] said that he is pressing the bank to explain how some backup tapes disappeared while others on the same van arrived intact at the Archive America facility."

        It's not a situation where it all got sent to the wrong place, or trashed accidentally, it was (what I would consider) obvious and intentional theft.

        However, that doesn't mean that it was intended to be sold as a "bundle" on the Black Market, it could just have easily been some disgruntled worker with no real "plan" other than to fuck with the company, or even just get one individual's information from the 4.5 million (although I would likewise assume the former, Black market)
      • by NotBornYesterday ( 1093817 ) * on Saturday May 31, 2008 @08:18AM (#23609029) Journal
        Dunno. I haven't shopped any fake IDs or credit cards. By sheer swinging, wild-ass guess, I'd propose the following:

        Let's say that one out of 100 accounts gets pilfered lightly - say $100 is mysteriously transferred. That's $4.5 million. Let's say that another 1 out of 100 has their info used to produce fake IDs, and those IDs are sold to illegal immigrants/terrorists/underage college kids/whomever for $500 each. That's $22.5 million.

        So, close to $27 million if you only abuse 2% of the victims.

        What absolutely blows my mind is that if a bank transfers $4.5 million, they use multiple armed guards driving an armored truck. When they transfer 4.5 million customers' worth of data (worth presumably more than $1 each), they use ... who exactly? Archive America? Does anyone know what kind of security measures these jokers take?

        $4.5 million of the bank's money goes missing in an armored car heist, it makes national news immediately, and stays on for weeks. 4.5 million people have their information stolen, and the bank says, "Meh, 'sno big deal. We'll tell them in a few months."
        • [...]
          Archive America? Does anyone know what kind of security measures these jokers take?
          [...]
          They've got a guy named Vinny who rides shotgun during transfers. And, you know, accidents happen and all that. Sometimes people fall down a flight of steps... twice... on to a tire iron.
        • It blows your mind that they protect cash but not your identity?

          If someone steals that $4.5m, they're out $4.5 mil and STILL own their marks^Wcustomers money. If someone steals 4.5M identities, chances are, they actually MAKE money in the end 'cuz the bastards aren't gonna take your side if your identity gets stolen and you can't get a car loan anywhere under 10% interest!
    • <tinfoil hat>
      <paranoia>
      <humor>

      Dear Mr 3seas:

      Thank you for your interesting suggestion. While it is true that we here at the DHS have done a marvelous job leveraging fear to create a humongous, overprotective nanny institution, we have not yet been entrusted with protecting the private banking details of everyday Americans. Unless you can provide some information that links this event to terrorism, (e.g., the compromised accounts are filled with terrorist funds, terrorists stole the tapes,
  • Always... (Score:2, Interesting)

    by owlnation ( 858981 )
    It's important to remember things such as this when the usual brainwashed-by-Fox conservatives say stuff like: "if you've nothing to hide, then why are you worried about privacy".
    • by jimicus ( 737525 )

      It's important to remember things such as this when the usual brainwashed-by-Fox conservatives say stuff like: "if you've nothing to hide, then why are you worried about privacy".

      Things such as this are always a lousy counter-argument to that.

      I can think of plenty of other things to say. Like "What are your bank details?"

      "How do you feel about your mother in law?" (ask when their spouse is within earshot)

      "How much do you spend on golf clubs?" (again, ask when their spouse is within earshot)

      Though to be fair, IME most people of the "nothing to hide" mentality are already so far down that road that they're way beyond reason.

  • really? again? (Score:3, Interesting)

    by knight0wl ( 1183645 ) on Saturday May 31, 2008 @05:25AM (#23608433)
    Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and their ilk would have learned their lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 million lawsuits and less work than the PR mess that they now have to clean up.
    • Re: (Score:3, Interesting)

      by Flamora ( 877499 )
      Yes, but you see, the encryption means that the bank itself has to do the work. In the case of lawsuits and PR issues, they have PR people and lawyers to deal with that, so the bank doesn't do much more work than lifting a finger and saying "go, mortal, and do thy job" or something.
    • Re: (Score:3, Insightful)

      by jimicus ( 737525 )

      Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and their ilk would have learned their lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 million lawsuits and less work than the PR mess that they now have to clean up.

      Maybe they haven't learned because none of these incidents have yet resulted in the "4.5 million lawsuits" you're talking about.

      • Re: (Score:2, Interesting)

        by knight0wl ( 1183645 )
        Yep, you're right. I honestly don't know why they haven't (or at least a class-action suit or something similar). I'd love it if one of those "IAAL" types could fill me (and others) in on that.
        My point was simply that it would seem prudent to plan for worst-case scenarios. I would think that profit-seeking entities would someday learn how profitable risk management can be, in the long run.

        Yes, I'm also aware "the long run" doesn't seem to be in our current corporate culture's lexicon. Hmm... it's possib
    • Re: (Score:3, Funny)

      by Chapter80 ( 926879 )
      Actually, the data was encrypted using a complex algorithm called ASC2 or ASC II or something like that. I'm sure the data is safe. No one will be able to decode it. It's gibberish, written in just zeros and ones. If your Social Security Number contains even ONE digit in the range of 2-9, you should be fine.

      Sorry for not revealing too many technical details. I'd hate to give a criminal too much to go on.

  • by not_surt ( 1293182 ) on Saturday May 31, 2008 @05:29AM (#23608455)
    The bank should do the responsible thing and offer every affected customer a new identity.
  • Or more likely, it happened all the time, and the organisations in question were given carte blanche to cover it up. Now that there's been plenty of these in the news, everybody is frantically owning up to their sins before legislation is passed that adequately punishes their neglect.
    • by Vectronic ( 1221470 ) on Saturday May 31, 2008 @05:55AM (#23608521)
      It's always happened to some degree, the major difference is similar to the history of money itself.

      It wasn't till recently that millions of people's records were held on digital/analog media. Most things were still carried out via paper and pen which made the loss of millions of people's data require dumptrucks.

      It wasn't till around 2001 or so that things really became "online". And these things are only going to happen more and more frequently now, because as much scare as there may be when this stuff hits the news, it doesn't override people's inherent laziness "oh a few clicks? fuckin A"...

      Most people with a lot to lose (millions/billions of dollars), still do not do transactions via digital media, certainly not in an outgoing direction. Until they are hit, this probably won't change no matter how frequently it happens.
  • (Enter guy carrying way-too-full box of tapes)
    la la la...
    trip...CRASH!!!!

    uh-oh, spageddios!

    (Back at the bank of NY)
    wah wah wah waaaaaah.
  • by barzok ( 26681 ) on Saturday May 31, 2008 @06:37AM (#23608637)
    I got a letter on Thursday informing me of the breach. It gave this URL: http://www.bnymellon.com/tapequery/ [bnymellon.com]

    This page has changed since Thursday. Originally it was only one incident, now it's two. The letter said that I'd get 1 year of credit monitoring at all 3 bureaus, free; when I signed up, I was given (and the page above) two years. The letter said there was no indication that the information had been used, but it also didn't mention what the summary here says - that SSNs and birthdates were on those tapes (I assumed they were).

    What really pisses me off isn't that it happened - it's that it took them three fucking months to inform me.

    I have 2 accounts with them (for the same employer, which is really stupid). One account requires my SSN, the stock ticker, and a 6-digit PIN. Digits only. Not terribly secure - there are only 10^6 possible PINs, my SSN may be in someone's hands, and there are only a couple thousand stock tickers. The other is a seemingly random ID and a 6-31 digit PIN. My previous PIN was 12 characters. The new one is 31.

    I reset both my PINs Thursday night, which took about half an hour - the sites, while not normally speed demons, were obscenely slow that night. I'm hoping it's because people were changing their PINs.
    • by barzok ( 26681 ) on Saturday May 31, 2008 @06:48AM (#23608687)
      Sorry to be replying to myself, but when I wrote my previous post I wasn't able to get to TFA. Now I can.

      TFA has a lot of information which wasn't given to customers in the letter. The tapes were unencrypted? I can believe that. I kind of assumed it, which is a sad state of affairs. There were names, DOBs and SSNs on the tapes? That I can believe, and assumed, but like I posted above, it wasn't made known via the notice that was sent out.

      But how the hell can this guy say "that none of the unencrypted data has been accessed or used"? That's impossible for them to know. The tapes are out of their physical control - the people in possession of them now could have skimmed all those records off already, and just haven't used them yet.

      The article doesn't mention the $25K of "insurance" that we get by signing up with the free credit monitoring. Except I'm an NY resident, and by NY state law they can't offer such insurance to me. WTF?

      So here I sit, having managed to go 30 years with a lone incident of a "guessed" CC number as my only brush with identity theft, and now I'm left to be looking over my shoulder for the next several years thanks to this.
  • by gatkinso ( 15975 ) on Saturday May 31, 2008 @06:42AM (#23608661)
    IIRC, the Social Security Administration itself lambasts this practice on the grounds that 1) the SSN was never meant to be a de facto ID number, 2) they explicitly promised it would not be used as such, and 3) it is completely insecure.

    Oh well, too late now.
    • Re: (Score:3, Informative)
      by S.O.B. ( 136083 )
      In Canada it is illegal to use a SIN (Social Insurance Number) to identify a person for the purposes of a financial transaction. Employers can't even use it as a way to track employees.

      Not that there aren't plenty of other ways of stealing people's identities but at least the government is impeding one of the easiest.
    • by barzok ( 26681 )
      But the bank still needs to have your SSN for tax-reporting purposes, and most of the accounts in question have tax implications (interest payments, capital gains, etc.).

      So even if they weren't using your SSN for your ID number (which, as I noted in my earlier post, they do sometimes) they'd still have your SSN in the data that was compromised.
      • by AK Marc ( 707885 )
        My thought is that the whole thing is broken. It isn't that the SSA is banning anyone from using your SSN. It is required for jobs, most financial transactions, and all that. But most everyone that does financial transactions uses SSN as a major portion of their security. SSN plus DOB and you can steal someone's identity with ease. So the "fix" is not to try to make SSN secure, but make it illegal to put anything on someone's credit record without their permission. If that were done, then everyone wou
        • by barzok ( 26681 )
          It would also make credit records useless, because people would refuse to allow anything negative - true or not - to be put onto their records.
          • by AK Marc ( 707885 )
            You get a credit account. You give them permission to put records on your credit report. They leave good or bad, as you have already given them permission. Or you refuse to give them permission to report, and they deny you the credit account. I see no problem with it.
    • by sasdrtx ( 914842 )
      The Socialist Security number was originally promised not to be used as an identification number. That went out decades ago. The federal government has for a long time required the SSN as your taxpayer ID, and requires it be recorded for all financial dealings. At some time they started requiring it be recorded by states to get a driver's license. It's required to get a passport.

      Basically, it's your serial number, and its purpose is to allow the government to more easily control every aspect of your lif
  • by AaronLawrence ( 600990 ) * on Saturday May 31, 2008 @07:14AM (#23608763)
    Damages for possible identity theft and access to your bank account? Hm ... let's pick a figure out of the air of (say) the value of any actual losses plus compensation of (say) $5000 ... triple that as punitive ... so all they have to do is pay up 15 billion dollars and they can continue! No problem.
  • Banks never transport the life savings of 4.5 million people without an armored car. There are probably even a lot of laws that prohibit such blatantly reckless behavior, to say nothing of their insurance coverage depending on following those rules. And if they do "lose" that life savings in transit, without an armored car, the bank has to replace it at the bank's cost, even if that drives the bank out of business.

    Of course these people's life data is no different: the bank is responsible for protecting it. S
  • People will always make mistakes. They'll be careless and "forget" to encrypt. Or they'll put a post-it with the decryption key on the media. Or they'll disclose decryption information via some other easily intercepted channel (social engineering). Plus, consider the ever advancing capabilities of brute-force decryption technologies. Add to that malicious actions where people actively try to defeat security measures. 3 million IDs released today. 2.5 million next month. 12 million 6 months from now. You can
    • No, it isn't

      "in-line" encryption appliances. Tape specific devices, etc.

      I'll let you in on HOW they work -- each tape is labeled and barcoded. The barcode/label is scanned, automatically by the tape device. This causes a key to be generated and stored on a key server ("security appliance"). The key is associated with the label. The key is used by hardware to encrypt the data (using AES-256 or better).

      The security appliance is FIPS-140 B certified (tamper evident). Also, the key can be centrally destroyed, r
      • You missed my point. Once an identity is leaked it's essentially public. You are focussing merely on media-based losses. There are lots of ways IDs get compromised ... password cracking, social engineering, human error, malice ... and once an ID is compromised it stays compromised. Clearly, eventually, this type of demographic information (SSNs, birthdates, etc) will become less and less private. Sure, with strong encryption and security procedures, and stringent privacy laws we can stem the flow, but as I
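    The appliance workflow described two comments up (a key issued per tape when its label is scanned, kept on a central key server rather than on the tape, AES-256 applied to the data, and the key destroyable centrally) modelled in Go as an added example; this is not code from the thread or from any vendor's appliance, and KeyServer, WriteTape, ReadTape, Destroy and the tape labels are assumed names. Using GCM and binding the label as associated data go beyond what the comment states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer stands in for the appliance's key store: one random AES-256 key per
// tape label, held centrally and never written to the tape itself.
type KeyServer map[string][]byte

// gcmFor wraps a 32-byte key as AES-256-GCM (the constructors cannot fail for that size).
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// WriteTape encrypts one block for the tape carrying label, issuing that tape's key on
// first use (the "barcode scanned, key generated" step). The label is bound as associated
// data, so a block moved onto a relabelled tape will not decrypt.
func (ks KeyServer) WriteTape(label string, plaintext []byte) ([]byte, error) {
	key, ok := ks[label]
	if !ok {
		key = make([]byte, 32) // 32 bytes: AES-256
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		ks[label] = key
	}
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil // nonce || ciphertext || tag
}
// ReadTape decrypts a WriteTape block; it fails once the label's key has been destroyed.
func (ks KeyServer) ReadTape(label string, tape []byte) ([]byte, error) {
	key, ok := ks[label]
	if !ok {
		return nil, errors.New("no key for tape " + label)
	}
	gcm := gcmFor(key)
	if len(tape) < gcm.NonceSize() {
		return nil, errors.New("truncated block")
	}
	return gcm.Open(nil, tape[:gcm.NonceSize()], tape[gcm.NonceSize():], []byte(label))
}
// Destroy is the central key destruction: a lost tape's ciphertext stays unreadable.
func (ks KeyServer) Destroy(label string) { delete(ks, label) }
```

    The point of the last function is the one the comment makes about lost media: once the key is deleted on the server, whoever holds the physical tape holds only ciphertext.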
  • We get story after story, month after month, about organizations like the Bank of New York or Los Alamos National Laboratories or the British Ministry of Defence losing tapes and disk drives and always, always, always the data is said to be unencrypted.

    WHY don't all those centralized-configuration-managing IT departments check the FileVault or the BitLocker checkbox on every laptop that comes in the door?

    That fancy automated remote configuration-management software keeps everyone's internal purchase-requisi
    • 1. They're not required by law to encrypt stuff.

      2. Encryption costs money, if not for the software, then in process overhead, training, etc.

      3. There's no compelling reason (e.g. massive fines) to do so.
  • I wonder how many of these 'lost tapes' are Tape Trolls forging the records and entering tapes as sent to storage, while they were never done in the first place, due to sleeping on the job...
    • Nah, they'd probably just send in blanks on old reels and blame the age of the medium if they had to pull down their backups. That'd probably be a somewhat safe calculated risk if one had no scruples.
  • Yeah, right. "Lost". Sure.

    Data tapes, which are an archive firm's bread-and-butter, do not just "go missing". It just doesn't happen, folks. This data was stolen, sure as I am sitting here.

    This archive firm should be held accountable, and so should the bank. I mean BOTH held FULLY accountable, if any of these people are ripped off. Heck, even if each of them is only held 50% accountable, I will be satisfied... as long as there are severe punitive damages as well as actual damages.
