Interesting People mailing list archives

Baggage handlers steal Bank of America tapes with data on 1.2M Federal employees


From: David Farber <dave () farber net>
Date: Sat, 26 Feb 2005 08:26:50 -0500


------ Forwarded Message
From: Richard Wiggins <richard.wiggins () gmail com>
Reply-To: Richard Wiggins <richard.wiggins () gmail com>
Date: Sat, 26 Feb 2005 07:08:34 -0500
To: David Farber <dave () farber net>
Subject: Baggage handlers steal Bank of America tapes with data on 1.2M
Federal employees

Dave,

Bank of America says data tapes with personal info on 1.2 million
Federal employees were stolen, including data such as SSNs.   Every
time an incident like this occurs, I wonder why the data isn't
encrypted.

/rich

Posted on Sat, Feb. 26, 2005
  
BofA says tapes with customer data lost

Bank notifies 1.2 million federal workers, including U.S. senators

RICK ROTHACKER AND ANDREW SHAIN

Staff Writers

Bank of America Corp. said Friday that it has lost computer data tapes
holding customer information, including Social Security numbers, for
1.2 million federal employees.

Bank officials said they believe the data has not been stolen because
no misuse of the charge-card accounts has been discovered. The
customers are federal employees nationwide, including U.S. senators,
who use the cards for travel, procurement and other expenses.

The tapes went missing in December while being shipped to a backup
data facility, the Charlotte-based company said.

U.S. Sen. Charles Schumer, D-N.Y., said he was told by investigators
the tapes were "likely stolen" by baggage handlers from the cargo hold
of a commercial plane, according to a statement reported by wire
services.

The nation's largest consumer bank said it is working with federal
authorities to find what it said was just a few tapes.

"We don't believe there has been any unusual customer activity and
continue to monitor the situation," Barbara Desoer, Bank of America's
technology, service and fulfillment executive, said in an interview.
"We do deeply regret any inconvenience this has caused the customer."

The missing tapes come as privacy experts and law enforcement
officials increasingly worry about the threat of identity theft in the
digital age. Just this week, Georgia-based data warehouser ChoicePoint
Inc. suffered a breach of company records affecting 140,000 Americans.

Data controls

Schumer is among several politicians who have stepped up calls for
tighter controls of personal information stored by databank
companies.

"Whether it is identity theft, terrorism or other theft, in
this new complicated world baggage handlers should have background
checks and more care should be taken for who is hired for these
increasingly sensitive positions," he said.

Avivah Litan, an analyst with the research firm Yankee Group, who
studies identity theft issues, said losing the tapes was "a huge
deal."

"People use banks because they trust them and when that trust starts
breaking down, everyone is hurt," she said.

Other federal agencies that use Bank of America's cards include the
Department of Defense, the Department of Justice, the Government
Accountability Office and the Federal Deposit Insurance Corp.

Letters to customers

The company said it began sending letters to affected customers on
Friday as soon as it received permission from federal authorities to
disclose the security breach. The company has 33 million total
customers nationwide.

The concern with identity theft is that criminals can use stolen
information to make unauthorized purchases or to open up new credit
card or other accounts. Bank of America customers affected by the lost
tapes will have the option of canceling their cards, but cannot be
certain their customer data hasn't fallen into the wrong hands.

Bank of America's two-month wait to tell customers about the missing
information breach hurt cardholders, some ID theft experts said.

"The most responsible thing they could have done was notify customers
right away and tell them how to protect themselves," said Judith
Collins, a Michigan State University criminal justice professor and
author of "Preventing Identity Theft in Your Business." "It's a crime
in of itself that these folks were not notified immediately."

Secret Service spokesman Tom Mazur confirmed the agency is
investigating the missing tapes, but declined to comment further
because the case is ongoing.

Litan said two months is plenty of time for ID thieves to use the type
of information contained in the missing tapes. Bank of America can
watch for fraudulent activity on their accounts, but not if the
information is used elsewhere, she added.

"The damage has been done," Litan said. "If they have your Social
Security number, they could create false driver's licenses and
passports and attach someone else's name to it and you wouldn't find
out for years."

N.C. Attorney General Roy Cooper is talking with lawmakers about
creating a law that requires businesses to inform customers of
information breaches, his spokeswoman said. California is the only
state to have a similar law, though law enforcement authorities can
restrict the release of information.

Other ID theft experts said law enforcement needs time to catch
possible thieves.

"If federal authorities were asking (Bank of America) to sit on it,
that's a reasonable request," said Linda Foley, who heads the Identity
Theft Resource Center in San Diego. "This is all a balancing act
between getting the crooks and helping consumers."

Bank of America would not disclose where the tapes were being shipped,
but the company confirmed it was in the United States. Earlier this
month, Bank of America said it was expanding operations in India,
where workers will have access to some customer information. The
company has stressed the stringent security guidelines it has in place
worldwide.

Bank of America would not say how the tapes were shipped, but said it
is not unusual to transport data to remote backup facilities in case
of natural disaster or other threats to a primary data center, Desoer
said. Special equipment, software and computer know-how are needed to
access the data on the tapes, she said.

"We believe it would be very difficult to access the data," bank
spokeswoman Alex Trower said.

The data varied by customer but in some cases included name, address,
account number and Social Security number.

Precautions, risks

It's not uncommon for banks to physically move data between locations,
although they increasingly favor transmitting information
electronically with secure networks, said George Tubin, senior analyst
with TowerGroup, a financial services research and consulting
firm.

"Data protection is taken very seriously at financial
institutions," he said. "But at the end of the day, there is a lot of
processes and technology and a lot of human intervention. And whenever
there is some human element, there is risk."

He said computer data can be stored using various methods, from
reel-to-reel tapes to small cartridges. It's not unheard of for a tape
to be misplaced, but usually it turns up, he said.

"Stuff like this happens, but typically it's internally," he said.
"Someone may walk down the hall and stop by an office and leave it on
the corner of a desk."

Banks also have lost customer information in other ways in the past,
he noted. Couriers picking up checks at branches have had them fly out
the window of their car. Planes carrying checks have crashed, spilling
their contents.

The U.S. General Services Administration handles the contract with
Bank of America and four other banks that operate the government's
charge and procurement cards. The agency is working with the bank to
notify agencies and card holders of the situation, GSA spokeswoman
Mary Alice Johnson said.

"The bank has behaved very professionally and shown concern for the
agencies and the card holders," Johnson said.

Bank of America's contract with the GSA expires in November, but is
eligible for renewal, she said.

The Agencies

Some of the agencies with cardholders served by Bank of America:

• U.S. Senate

• Consumer Product Safety Commission

• Departments of Agriculture, Defense, Energy

• Army, Navy, Air Force

• Environmental Protection Agency

• Equal Employment Opportunity Commission

• NASA

Affected customers can call (800) 493-8444 for more information.
Cardholders will not be held liable for any unauthorized use. They
also can request a free credit check and a 90-day "fraud alert"
service to protect their accounts, bank officials said.

------ End of Forwarded Message

