Interesting People mailing list archives
Baggage handlers steal Bank of America tapes with data on 1.2M Federal employees
From: David Farber <dave () farber net>
Date: Sat, 26 Feb 2005 08:26:50 -0500
------ Forwarded Message From: Richard Wiggins <richard.wiggins () gmail com> Reply-To: Richard Wiggins <richard.wiggins () gmail com> Date: Sat, 26 Feb 2005 07:08:34 -0500 To: David Farber <dave () farber net> Subject: Baggage handlers steal Bank of America tapes with data on 1.2M Federal employees Dave, Bank of America says data tapes with personal info on 1.2 million Federal employees were stolen, including data such as SSNs. Every time an incident like this occurs, I wonder why the data isn't encrypted. /rich Posted on Sat, Feb. 26, 2005 BofA says tapes with customer data lost Bank notifies 1.2 million federal workers, including U.S. senators RICK ROTHACKER AND ANDREW SHAIN Staff Writers Bank of America Corp. said Friday that it has lost computer data tapes holding customer information, including Social Security numbers, for 1.2 million federal employees. Bank officials said they believe the data has not been stolen because no misuse of the charge-card accounts has been discovered. The customers are federal employees nationwide, including U.S. senators, who use the cards for travel, procurement and other expenses. The tapes went missing in December while being shipped to a backup data facility, the Charlotte-based company said. U.S. Sen. Charles Schumer, D-N.Y., said he was told by investigators the tapes were "likely stolen" by baggage handlers from the cargo hold of a commercial plane, according to a statement reported by wire services. The nation's largest consumer bank said it is working with federal authorities to find what it said was just a few tapes. "We don't believe there has been any unusual customer activity and continue to monitor the situation," Barbara Desoer, Bank of America's technology, service and fulfillment executive, said in an interview. "We do deeply regret any inconvenience this has caused the customer." The missing tapes come as privacy experts and law enforcement officials increasingly worry about the threat of identity theft in the digital age. Just this week, Georgia-based data warehouser ChoicePoint Inc. suffered a breach of company records affecting 140,000 Americans. Data controls Schumer is among several politicians who have stepped up calls for tighter controls of personal information stored by databank companies."Whether it is identity theft, terrorism or other theft, in this new complicated world baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," he said. Avivah Litan, an analyst with the research firm Yankee Group, who studies identity theft issues, said losing the tapes was "a huge deal." "People use banks because they trust them and when that trust starts breaking down, everyone is hurt," she said. Other federal agencies that use Bank of America's cards include the Department of Defense, the Department of Justice, the Government Accountability Office and the Federal Deposit Insurance Corp. Letters to customers The company said it began sending letters to affected customers on Friday as soon as it received permission from federal authorities to disclose the security breach. The company has 33 million total customers nationwide. The concern with identity theft is that criminals can use stolen information to make unauthorized purchases or to open up new credit card or other accounts. Bank of America customers affected by the lost tapes will have the option of canceling their cards, but cannot be certain their customer data hasn't fallen into the wrong hands. Bank of America's two-month wait to tell customers about the missing information breach hurt cardholders, some ID theft experts said. "The most responsible thing they could have done was notify customers right away and tell them how to protect themselves," said Judith Collins, a Michigan State University criminal justice professor and author of "Preventing Identity Theft in Your Business." "It's a crime in of itself that these folks were not notified immediately." Secret Service spokesman Tom Mazur confirmed the agency is investigating the missing tapes, but declined to comment further because the case is ongoing. Litan said two months is plenty of time for ID thieves to use the type of information contained in the missing tapes. Bank of America can watch for fraudulent activity on their accounts, but not if the information is used elsewhere, she added. "The damage has been done," Litan said. "If they have your Social Security number, they could create false driver's licenses and passports and attach someone else's name to it and you wouldn't find out for years." N.C. Attorney General Roy Cooper is talking with lawmakers about creating a law that requires businesses to inform customers of information breaches, his spokeswoman said. California is the only state to have a similar law, though law enforcement authorities can restrict the release of information. Other ID theft experts said law enforcement needs time to catch possible thieves. "If federal authorities were asking (Bank of America) to sit on it, that's a reasonable request," said Linda Foley, who heads the Identity Theft Resource Center in San Diego. "This is all a balancing act between getting the crooks and helping consumers." Bank of America would not disclose where the tapes were being shipped, but the company confirmed it was in the United States. Earlier this month, Bank of America said it was expanding operations in India, where workers will have access to some customer information. The company has stressed the stringent security guidelines it has in place worldwide. Bank of America would not say how the tapes were shipped, but said it is not unusual to transport data to remote backup facilities in case of natural disaster or other threats to a primary data center, Desoer said. Special equipment, software and computer know-how are needed to access the data on the tapes, she said. "We believe it would be very difficult to access the data," bank spokeswoman Alex Trower said. The data varied by customer but in some cases included name, address, account number and Social Security number. Precautions, risks It's not uncommon for banks to physically move data between locations, although they increasingly favor transmitting information electronically with secure networks, said George Tubin, senior analyst with TowerGroup, a financial services research and consulting firm."Data protection is taken very seriously at financial institutions," he said. "But at the end of the day, there is a lot of processes and technology and a lot of human intervention. And whenever there is some human element, there is risk." He said computer data can be stored using various methods, from reel-to-reel tapes to small cartridges. It's not unheard of for a tape to be misplaced, but usually it turns up, he said. "Stuff like this happens, but typically it's internally," he said. "Someone may walk down the hall and stop by an office and leave it on the corner of a desk." Banks also have lost customer information in other ways in the past, he noted. Couriers picking up checks at branches have had them fly out the window of their car. Planes carrying checks have crashed, spilling their contents. The U.S. General Services Administration handles the contract with Bank of America and four other banks that operate the government's charge and procurement cards. The agency is working with the bank to notify agencies and card holders of the situation, GSA spokeswoman Mary Alice Johnson said. "The bank has behaved very professionally and shown concern for the agencies and the card holders," Johnson said. Bank of America's contract with the GSA expires in November, but is eligible for renewal, she said. The Agencies Some of the agencies with cardholders served by Bank of America: U.S. Senate Consumer Product Safety Commission Departments of Agriculture, Defense, Energy Army, Navy, Air Force Environmental Protection Agency Equal Employment Opportunity Commission NASA Affected customers can call (800) 493-8444 for more information. Cardholders will not be held liable for any unauthorized use. They also can request a free credit check and a 90-day "fraud alert" service to protect their accounts, bank officials said. ------ End of Forwarded Message ------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Baggage handlers steal Bank of America tapes with data on 1.2M Federal employees David Farber (Feb 26)