BankInfoSecurity.com - Information Security News, Regulations, & Education

Bank of New York Mellon Investigated for Lost Data Tape

4.5 Million Customers Potentially Exposed
May 27, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

An unencrypted backup tape is missing from the Bank of New York Mellon, potentially exposing information on 4.5 million customers of that bank and of People's United Bank of Bridgeport, CT.

Connecticut Attorney General Richard Blumenthal announced last week his office is investigating the Feb. 27 incident in which Bank of New York Mellon gave an unencrypted backup tape to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.

The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank, which had given Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

In a letter last week to Bank of New York Mellon, Blumenthal demanded the bank provide consumers with credit monitoring and other identity theft protections, as well as a full account of how the loss occurred and other information. The banks have cooperated fully thus far with Blumenthal's office.

"I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People's United Bank account holders and shareowners," Blumenthal says in his letter. "Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information."

People's United Bank informed Blumenthal's office of the breach last week, shortly after Bank of New York Mellon informed the institution.

The Bank of New York Mellon's spokesperson Ron Sommer says the bank acknowledges that it has received a subpoena from Connecticut's Commissioner of Consumer Protection, requesting information in connection with the BNY Mellon Shareowner Services' data backup storage tapes. "We're engaged with and cooperating fully with the Commissioner's office, and also with the office of Connecticut's Attorney General," Sommer says. "At this point, we can't comment on specifics of those interactions."

Sommer says initially there were a smaller number of customers notified in March, shortly after the tape went missing. "We notified the clients, and while we carried out that notification, we brought in a forensics expert, and with their help we went back into the database and did a second pass," he says. "With the nature of second passes, in that it was more difficult and more time consuming to access data, it was the results of that second pass that are triggering these notifications."

Notification letters from the bank to the affected customers were sent on May 22. Sommer says the bank is hiring more customer service representatives and training them to handle the influx of calls from concerned customers. "There isn't much point in sending out a notification letter if we don't have the staff in place to respond to the calls in an appropriate way," he says.

The representatives are receiving extensive training to handle the kinds of questions customers will ask, including the typical questions about free credit monitoring. "We want to make sure that their questions are answered clearly and in an expeditious manner," Sommer says. "Even while we're offering this credit protection as a precaution, the last thing that customer needs is a hassle about it when they call."

Reaction to Bank's Reaction

Reaction from privacy and information security experts in the financial services industry shows Bank of New York Mellon has much work to do to recover from this event. "I'm somewhat surprised, given the recent events (e.g. Citibank, State of Ohio, JC Penney and other public cases) that the bank didn't foresee this as a possible problem," says Ken Stasiak, president and CEO of SecureState, an information security assessment firm based in Cleveland, Ohio. Encrypting tapes is a fundamental practice for all banks that somebody probably just forgot about, he adds. "This has unfortunately been somewhat of a trend when companies outsource portions of their security and business," Stasiak says. "In this instance, it seems they thought physical security would be an appropriate control, which when broken down left the tape exposed."






Question

How would your institution respond to the loss of a backup data tape that included customer information?

"Why aren't the organizations associated with the bank listed in article? I want to know which company had my information that works with Mellon. The article gives statistics and what if, but how about some hard facts and list the companies involved."

"Investigate, interrogate, send statement notices to all customers, and personal letters to affected customers. Try to determine if policy and/or procedures should be changed."

"We encrypt our data on backup tapes, so hopefully incidents like this would be a non-issue."