<%image(20080530-000625_37.jpg|320|240|Indy likes lost backup tapes!)%>
Amazing that security breaches like the one I am about to tell you about are becoming more common…so common that the mainstream media like CNN doesn’t even report it anymore. If you haven’t read about this pretty significant security breach yet…let me briefly tell you about it…
Bank of New York (BNY) Mellon and People’s United Bank of Bridgeport, CT may have Social Security numbers and bank account information lost when unencrypted backup tapes went “missing” from BNY Mellon. No big deal right? Only 4.5 million customers affected. From the Reuters article:
“…on February 27, Bank of New York Mellon was transferring back-up tapes with data, including names, addresses, birth dates and Social Security numbers, when it lost a box with six to 10 unencrypted tapes….an archiving vendor lost the tapes from its Shareowner Services unit, but there was no evidence any data had been inappropriately accessed or used.”sic
Basically People’s hired BNY Mellon Shareowner Services in 2007 to tabulate votes and process stock orders during its conversion from a mutual bank, which is owned by depositors, to one that is fully publicly traded.
Moving on…nothing to see here right?
The problem is that this data was not BNY Mellon’s customer data but the customer data from People’s United Bank, some Wachovia employees and some 64,000 MetLife shareholders…
“People’s United claims this was a BNY Mellon security lapse, as People’s United transmitted encrypted information to BNY Mellon who in turn created the unencrypted backup tape(s) that was lost.”
Good for People’s Bank for encrypting the data in the first place…but the problem lies with the vendor(s). It seems that more and more financial institutions are letting other financial institutions and other vendors process transactions and convert information for them. Trusting others with your sensitive data is not always the best idea (even though thats how business gets done these days), however, BNY Mellon should have encrypted these backup tapes in the first place! What about the vendor (Archive Systems Inc.) who actually lost the box of tapes? I would think that they are to blame as well. Sounds like a lot of vendor management issues here from many angles.
I would think that a large archive vendor like this would have some kind of policy stating some form of compensation for losing a box of tapes in transit. Almost how armored truck carriers transfer money from a bank branch to a financial processing center…if the armored car was compromised in transit and the bank lost all the money inside the car, it’s not the bank’s fault…thus the armored car carrier is responsible for the loss and would have to compensate the bank.
Looks like 4.5 million customers will get one year of crappy credit monitoring service as usual because of poorly managed vendor relationships. Nice.