Sometimes you come across a news item that makes you wonder if you entered a wormhole and was thrown back in time. The world’s largest custodial bank and one of the 10 largest asset managers, The Bank of New York Mellon (BNY Mellon), on February 27, 2008 was transferring computer tapes from the Shareowner Services division to a secure storage facility in Jersey City, NJ. BNY Mellon Shareowner Services is a stock transfer agent and stock plan administrator for public companies. The offsite storage firm Archive America was handling the transfer. Ten boxes of unencrypted backup tapes were placed in the truck, but only nine boxes made it to the destination. How could a box of tapes disappear? It is reported that the lock on the back of the truck was busted and the vehicle was left unattended several times. BNY Mellon representatives stated the tape contained at minimum names, addresses, Social Security numbers, and possibly bank accounts and balances.
Interesting side note, on March 17th, thieves broke into another Archive America van and stole six backup tapes from the university Miami medical school. Computerworld reported that the medical records were part of the Miami Project to Cure Paralysis at the University of Miami. The lost tape contained addresses, Social Security numbers and health information on all two million patients since 1999. For reasons unexplained, Archive America did not report the incident for 48 hours. Then the university took an additional month to report the data breach.
On April 29th, BNY Mellon Working Capital Solutions attempted to send a tape by a national courier from Philadelphia to Pittsburgh. The tape never arrived. BNY Mellon Working Capital Solutions services include processing payments on behalf of its institutional clients, such as mutual funds or pension funds. Bank officials stated the tape “consisted of images of scanned checks and other documents relating to payments made to BNY Mellon’s institutional clients. Most of the checks were in connection with commercial or other business-to-business payments, though some involved payments from consumers.” By May 16th, all parties were notified. The data loss involved 47 institutional clients.
BNY Mellon initially identified approximately 270,000 individuals at 409 institutions as being affected by the first incident. Company officials reported notifications were completed by early April. Continuing forensic investigation later identified an additional four million individuals and an additional 293 institutions. Those folks were notified towards the end of May. At that time, Ron Sommer, BNY Mellon spokesman, explained, “We’d like to provide people with a more current characterization [of what happened], but we are not yet in a position to make that available. Our intention is to make it available as soon as we can.”
The bank reports that since May, after two incidents of data loss, it has instituted new stringent standards for the transport of confidential data and is initiating a company wide training program on data security for all employees. Brian Rogan, the bank’s chief risk officer, stated, “We are actively engaged in a top-to-bottom review of our security policies and procedures _ including retaining a leading independent consultant to conduct an objective analysis of our current practices _ and we are taking the steps necessary to ensure we have industry-leading security measures in place across all of our businesses.”
A few days ago (6 months after the first data loss), BNY Mellon confirmed the number of people affected now appear to be 12.5 million. Currently, this is the largest reported U.S. data breach for 2008. To deal with the situation, BNY Mellon is offering 24 months of free credit monitoring by Experian through the Triple Alert program, as well as $25,000 fraud protection insurance. George Jenkins, over on the I’ve Been Mugged blog site, has done a review of the services along with how the breach personally affected his family. For any of the 12.5 million people affected, George’s posts will be of great interest. Connecticut governor Jodi Rell feels that, “It is simply outrageous that this mountain of information was not better protected, and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months later.” Good, it is not just me.