Bank of New York Mellon Investigated for Lost Data Tape
4.5 Million Customers Potentially Exposed
Connecticut Attorney General Richard Blumenthal announced last week his office is investigating the Feb. 27 incident in which Bank of New York Mellon gave an unencrypted backup tape to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.
The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank, which had given Bank of New York Mellon the information so it could offer those consumers an investment opportunity.
In a letter last week to Bank of New York Mellon, Blumenthal demanded the bank provide consumers with credit monitoring and other identity theft protections, as well as a full account of how the loss occurred and other information. The banks have cooperated fully thus far with Blumenthal's office.
"I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People's United Bank account holders and shareowners," Blumenthal says in his letter. "Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information."
People's United Bank informed Blumenthal's office of the breach last week, shortly after Bank of New York Mellon informed the institution.
The Bank of New York Mellon's spokesperson Ron Sommer says the bank acknowledges that it has received a subpoena from Connecticut's Commissioner of Consumer Protection, requesting information in connection with the BNY Mellon Shareowner Services' data backup storage tapes. "We're engaged with and cooperating fully with the Commissioner's office, and also with the office of Connecticut's Attorney General," Sommer says. "At this point, we can't comment on specifics of those interactions."
Sommer says initially there were a smaller number of customers notified in March, shortly after the tape went missing. "We notified the clients, and while we carried out that notification, we brought in a forensics expert, and with their help we went back into the database and did a second pass," he says. "With the nature of second passes, in that it was more difficult and more time consuming to access data, it was the results of that second pass that are triggering these notifications."
Notification letters from the bank to the affected customers were sent on May 22, Sommer says, and the bank is hiring more customer service representatives and training them to handle the influx of calls from concerned customers. "There isn't much point in sending out a notification letter if we don't have the staff in place to respond to the calls in an appropriate way," he says.
The representatives are receiving extensive training to handle the kinds of questions customers will ask, including the typical questions about free credit monitoring. "We want to make sure that their questions are answered clearly and in an expeditious manner," Sommer says. "Even while we're offering this credit protection as a precaution, the last thing that customer needs is a hassle about it when they call."
Reaction to Bank's Reaction
Reaction from privacy and information security experts in the financial services industry shows Bank of New York Mellon has much work to do to recover from this event. "I'm somewhat surprised, given the recent events (e.g. Citibank, State of Ohio, JC Penney and other public cases) that the bank didn't foresee this as a possible problem," says Ken Stasiak, president and CEO of SecureState, an information security assessment firm based in Cleveland, Ohio. Encrypting tapes is a fundamental practice for all banks that somebody probably just forgot about, he adds. "This has unfortunately been somewhat of a trend when companies outsource portions of their security and business," Stasiak says. "In this instance, it seems they thought physical security would be an appropriate control, which when broken down left the tape exposed."
Information security and privacy expert Rebecca Herold says it is disappointing to see such a large institution not taking due care actions to protect personally identifiable information (PII), but she really is not that surprised. "From what I have seen, there are still very few organizations that are encrypting their backup tapes," Herold says. "Plus, while also disappointed with the Bank of New York Mellon's response, I am also not surprised; I think most organizations today would also react in the same way."
Over the past couple of years, in speaking with numerous CISOs, CIOs, CPOs and CEOs, Herold says she has found that most still overwhelmingly do not consider the risk to PII in this type of situation to be that great, because they do not believe the "average" person would have the equipment necessary to actually read the backup media, which is often on tapes that require special equipment. "Thus, they do not invest in the technology necessary to encrypt backup data on these types of media," she says.
Unless they know the tape was purposefully stolen, banking executives believe it is more likely the tape was just "lost." Herold says they point to numerous reported incidents where this was the case, such as the incident a couple of years ago in which an ABN AMRO backup tape of mortgage customer information was "lost"; the company notified all customers, and then found the tape a few days after the notification. It had simply been misplaced by one of the employees at the location where it should have been stored.
"Both of these are certainly possibilities. However, whenever PII is involved that can hurt your customers in many ways...trash their credit reports, result in identity theft, or even physical crimes resulting from criminals having home addresses," Herold says. "Organizations who are entrusted with customer PII should take responsibility for their incidents and err on the side of being overly cautious."
The full cost to the Bank of New York Mellon from this missing tape cannot be fully measured for some time, and according to Larry Ponemon, president of the Ponemon Institute, the bank may see an unusually high "abnormal churn" rate because of this event. The average cost of a data breach for a financial institution is much higher than for other companies, where a data breach has been measured at $197 per customer record to recover.
Abnormal churn refers to the turnover of customers that leave an institution, Ponemon notes. When a person finds out a data breach has happened at their bank, they don't necessarily leave immediately. "This is especially true if the bank has their home mortgage, car loans, credit cards or other services," Ponemon says. "But what they stop doing is online banking first. They're wondering, is it safe to bank online at this bank?" This move is costly to the bank, and means it has to spend additional money servicing the customer's account. Slowly, over a period of time, the customer moves their accounts over to another bank. "So the abnormal churn is hidden; the bank can't spot it immediately. It's not as if someone stops shopping at your store," he says.
He also sees rates of compliance in tape encryption as very low. "It's not just in the banking industry, but across the board. Less than 12-15% of backups are encrypted," he says. This doesn't mean that unencrypted tapes are necessarily insecure, he adds: "there are certain things that can be done to tape backups that can prevent the average person from gaining access to the information contained on the tape."
That the missing tape is from a bank is the crucial point that customers will focus on. Ponemon concludes, "Banking organizations are held to a higher standard by consumers. When there is a breach of trust like this, consumers will ask themselves, 'Why am I banking with you? If you can't manage to protect a tape, how can I trust you to protect my money?'"
The bank's spokesperson Sommer notes "We have no evidence suggesting that any of the data has been inappropriately accessed or used." The bank is monitoring shareowner account activity and "to date have seen no indication of data misuse."