Bank Of America Loses 1.2 Million Customer Records

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly effect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"

heh

[aendeuryu (844048)]

SmartPay program

Doesn't sound so smart right now...

Indeed.

[game kid (805301)]

Especially from a company that prided itself in TV ads as one that "engineer[s] our own software" because "one error in a billion" in their checking was one too many.

Well, I guess they have at most 999,999,999 more transactions until we know that they've blown their *ahem*commitment to their consumers--unless you count each person affected as an error here, in which case we can probably sue them for false advertising. Or at least utter stupidity.

That said, I bet someone mixed those backup tapes in the

Well..

[kunwon1 (795332)]

As a US Government employee (US Air Force to be precise) I can tell you that Bank of America is regarded by most of us (us = gov't employees) as a faceless entity that cares nothing for customer service. I doubt this will come as much of a surprise to those of us who have been required by our occupation to associate with them for some time. Maybe now the powers that be will get their collective head out and pick a new bank.

Re:Well..

[smitty_one_each (243267)]

I thought they were really kinda smart, cutting the deal to force all US Gubmint people to use their cards for travel.
My question is, why the conflict of interest, requiring all employees to use a single credit card provider?
Why cannot this bogus thinking be applied such that everyone has to use the same bank, in addition to credit card provider?
In defense of the policy, you get that swell logo that tells the airline or hotel to give you the government rate. Whoopee. Why can't other credentials suffice

Re:Well..

[mordors9 (665662)]

And hopefully there are people included in the problem high enough up on the food chain to make some actual legislative changes.

Re:Well..

[mboverload (657893)]

I wish all the senators personal info was stolen by theives and logged and posted to the net by spyware companies.

Then they might just get a freakin clue.

Re:Well..

[ScrewMaster (602015)]

Yes, and they would most certainly take steps to protect themselves. What that would do for the rest of us is anyone's guess.

Re:Well..

[heybo (667563)]

You are right BoA IS a faceless entity that cares nothing about their customers and only their profits. I live in Atlanta (their corp offices are here) I have been screwed out of my own money my them, and have heard 1,000s of stories that are the same. This has been happening with this bank for over 20 years that I know of. Still people continue to use them.

I will not use them in any form. I will drive 10 miles out of the way to NOT use even their ATM machines. (No they ain't even getting my $1.50 for a transaction.

BoA and getting screwed....

[King_TJ (85913)]

I, too, haven't heard much good about Bank of America, so I've avoided them. Unfortunately, my experience is, most of the banks that are large enough to offer "conveniences" like ATM machines in multiple places in town will screw you over.

I view my banks as necessary evils, and little more. I have my primary checking account with U.S. Bank right now, and for a while, thought they were going to be "above average". They offer free, unlimited online billpay, for example - while many others want to charge

Re:Well..

[kunwon1 (795332)]

The air force has smaller credit unions and banks on base, but for things like government travel cards and purchase cards, we are not given an option as to which financial institution to use. Further, we are -required- in many cases to have and use these cards... lose-lose situation.

Re:Well..

[WebCrapper (667046)]

Well, see - there are problems with that. I'm currently in Germany and the only "American" bank that I can use is Community Bank [dodcommunitybank.com] aka: Bank of America... Makes me feel GREAT. The past 2 security stories listed in the last week have skirted around me, but its starting to creep up on me. Time to start using the "under the bed" savings method.

Re:Well..

[TheLink (130905)]

Well there was a guy who used the "bed" method, and the termites ate his money.

So?

[BibelBiber (557179)]

I wonder who got all the data now. Losing stuff is bad but finding stuff in the wrong hands is much worse.

Well...

[JavaMoose (832619)]

This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

Now, I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies. Large corporations only feel something when they lose money, maybe it would send the message that you will be held accountable if you do not take security seriously.

As we all know, nothing is as valuable as our information.

Re:Well...

[reallocate (142797)]

This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

You're hearing about this because of the flap about CheckPoint, and you heard about CheckPoint because of the current flap about identity theft.

If not for those circumstances, these stories would very likely have been reported in the business press, but otherwise below the general public's radar.

So, you have no reason to assume that the first appearance of an event on TV or in Slashdot means it never happened before.

BofA ought, of course, be held responsible for their behavior. I don't know if these cardholders can sue, since the card's were issued to them in conjunction with their federal employment. And, unless they are able to document loss as a result of the loss, I'm not sure what grounds they'd have for a suit.

That said, BofA just dug itself a big hole for the next contract recompete. Their accountablity may come in the form of losing that recompete. (Don't imagine, though, that a contract of that size will be given to some local mom-and-pop bank.)

Re:Well...

[TopShelf (92521)]

Remember also that you heard about Checkpoint because California law requires that companies inform customers whose data has been comprimised. If this had happened just about anywhere else, it could easily have been swept under the rug.

Re:Well...

[rpozz (249652)]

I'm not a lawyer, but in the UK, the Data Protection Act states that a company must make sure that personal data is kept secure. Is it the same in the US?

Re:Well...

[bombadillo (706765)]

I used to work in the UK and am a little familiar with the Data Protection Act. We could not access the system from outside of the UK since the systems contained information regarding UK tax data. It's very different over here. I was surprised to find out that large US tax firms send their work over seas to get processed. I don't believe that we have a Data Protection Act which is as robust as the UK.

Re:Well...

[wfberg (24378)]

The way it works with the Data Protection Act is that the information has to stay within the EU, or certain states with which the EU has a "safe harbor" agreement. Those are countries that promise to be good. So your data gets shipped to the US, and then Faceless Corporation X just breaks their promise and ships all the work and data right back to India.

Sad but true.

Re:Well...

[bombadillo (706765)]

You are absolutely correct about law suits needing to be filed. My wife and I work for two large corporations. I am talking name brands that everyone knows. I was talking to her about a project that I was working on and how the users info is sorted in the Database by credit card number. There are a few things wrong with this. From a non-security stand point people have more than one credit card. So you would have plenty of duplicates. From a security standpoint there were loads of problems. Such as the data would be FTP'd from the mainframes to the unix midrange servers. So all of that data would be distributed about the enterprise. Makes absoutetley no sense. Especially since there was no reason for the application I was working on to know a credit card number. The only data needed was name and products bought. When talking with my wife about how bad it was she told me that it was the same way in her company. I can only think that these companies built there systems a long time ago and no one has taken on the ambitious project of updating their procedures. From a career standpoint I can't blame them. There is not a big demand to secure these systems better. It would be a huge effort with little reward. If things didn't work your career would be over.

If law suits start being filed there will be a sudden demand to get these systems more secure. It's always annoyed me that financial companies have charged us for their "credit protection" services. I have always felt that if my ID was stolen it would most likely be the fault of a financial institution and not me.

Encryption?

[lachlan76 (770870)]

But aren't the backups encrypted? Right?

Re:Encryption?

[by Anonymous Coward]

No, they'll be straight DB dumps onto tape. If you think that's crazy, work out how much data you'd need to encrypt every night during a backup run, and then work out how much time you have to complete a full backup run. That's why no one encrypts the data when they back it up.

Re:Encryption?

[EvilTwinSkippy (112490)]

Yeah, and backups are also barcoded and hand-tranported by courier to and offsite storage/security vault.

Re:Encryption?

[Motherfucking Shit (636021)]

Yeah, and backups are also barcoded and hand-tranported by courier to and offsite storage/security vault.

Actually they may well be barcoded, they damn sure ought to be encrypted, and they are indeed hand-transported by courier to the backup location. In fact, several of the articles that I read had BOFA blaming ramp workers for stealing the tapes at some stage. IMO that's a cop-out, any ramp agent is going to be hard pressed to leave an airport with something he didn't bring in.

Bank record transportation is (or at least was, before Check21 went into effect) a major and rather vertical industry. The general chain of command is that a courier service picks up "the goods" (cancelled checks, backup tapes, whatever) from a bank, takes the cargo to the nearest airport, and drops it off in one manner or another. Depending on the bank and the courier, the goods are either dropped at the airport Post Office or taken to an airline's cargo input on the ramp.

From there, the obvious happens. Either the items are transported via USPS to their destination, or they fly as commercial cargo and wind up at the destination airport, where another series of couriers collects and delivers it to the receiving location. The article that I saw claimed that BOFA declined to describe how the process works. Well, this is how the process works.

The thing is, bank records are not exactly labeled "PERSONAL FINANCIAL RECORD BACKUPS, TOTALLY SECRET, PLEASE BE CAREFUL." The people who are working as couriers for banks know what they're picking up, but they also know that they're constantly under scrutiny. Once this stuff hits the ramp, it's just cargo as far as airline employees are concerned. It gets on a plane, flies to a destination, and things reverse; ramp agents unload random cargo as far as they know, and then some courier who knows damn well that he's being watched takes it to the receiving bank.

From all accounts, BOFA seems to be blaming ramp agents. I call bullshit. For one thing, nobody goes on or off a ramp without some sort of security check; I should know, I'm on the ramp almost every day. And most of the "secure" cargo flowing through a given ramp is unmarked and can't readily be recognized. The only time you pick up on something "special" is when Customs imounds a shipment.

As far as the explanations I've heard, I say BOFA are full of shit. This wasn't a ramp worker nabbing a case of backup tapes - he'd never have gotten off the ramp. This is negligence one way or another.

I wonder how long ago they found out about this?

[bigtallmofo (695287)]

You may recall the recent Choicepoint security breach [slashdot.org]. Apparently there's profit to be made in between finding out about a security breach and actually announcing it!

ChoicePoint execs sold shares before theft news

ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database. Alpharetta, Ga.-based ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board. Corporate governance experts say the pattern and timing of the trading by chief executive Derek Smith and president Douglas Curling raises questions. Smith and Curling did not respond to repeated requests through a spokesman for comment Friday.

Full Story: Twincities.com (Subscription Requred - use bugmenot.com) [twincities.com]

Big Brother's Little Helper?

[handy_vandal (606174)]

ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ... ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board.

One might easily assume that the executives are profiteering swine, and that the company's board members are colluding at the trough.

Furthermore, ChoicePoint has a ... questionable history:

Consider what happened in Florida leading up to the 2000 presidential election. In 1998, the state hired a company called

Database Technologies [google.com] to scrub its voter rolls of ineligible voters. The scrub list was mandated by Florida legislators after a voting fraud investigation revealed dead people had cast ballots in the 1997 Miami mayoral election.

DBT combed through Florida's rolls and handed over the "ineligible" list to elections officials in May 2000 -- within days of the company's merger with ChoicePoint [google.com].

The problem was that DBT'S list purged the voter rolls not just of felons, who are disqualified from voting in Florida, but of eligible voters whose names resembled those of the felons.

While Florida and DBT failed to check a number of criteria that could have distinguished the actual felons from the non-felons, one criterion that DBT did bother cross-referencing was race. BBC reporter Greg Palast [google.com] and a handful of US journalists reported that the majority of the felons on the list were black, so thousands of legitimate black voters with the same names as black felons were struck from the rolls. Because Florida blacks vote heavily Democratic, a disproportionate number of votes for Al Gore were thrown out.

According to analyses by news organizations, somewhere between 8,000 and 22,000 qualified votes went uncounted. Whatever the number, it towers over 537 -- the margin by which George W. Bush won Florida, and therefore the national election.

The most jarring part, according to Palast, who broke the story, was that DBT knew the list was flawed -- because a Florida official told DBT, in a 1999 e-mail, "Obviously, we want to capture more names that possibly aren't matches and let the county supervisors make a final determination." Palast says the fact that the company would even hand over known mistakes shows that it doesn't always do its best -- contrary to its corporate mantra -- to protect the government against itself.

Source [creativeloafing.com]

With companies like that, who needs Big Brother? -kgj

This has been coming for a _long_ time...

[ites (600337)]

When businesses started collecting huge amounts of detailed via through the web in the mid 1990's, it was clear where we were heading:

1. unlimited storage capacity meant complex and detailed records could be kept on every person.

2. guaranteed incompetence meant these records would be abused, lost, exposed and manipulated.

I don't see either of these trends changing.

Applies to both commercial and governmental databases. Chaos, mess, confusion, abuse, on a huge and ever-increasing scale.

Welcome to the 21st century. You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...

Not an Internet Issue

[reallocate (142797)]

These were data tapes. Been in use long before the Internet, and, almost certainly, have been going missing long before the Internet. Could just as well have happened with old fashioned ledgers in 1910.

For all we know, they were stolen out of the back of some truck and lifted by the overnight cleaning crew.

One more thing...

[kunwon1 (795332)]

GSA Smartpay is a program through which gov't employees are issued what is essentially a company credit card, but the US Gov't is the company. They're used for official purchases, for gas cards for government owned vehicles, etcetera.

The following website explains it in governmentese:
http://www.gsa.gov/Portal/gsa/ep/channelView.do?pa geTypeId=8199&channelPage=%2Fep%2Fchannel%2FgsaOve rview.jsp&channelId=-13497 [gsa.gov]

For want of a nail...

[rah1420 (234198)]

... the kingdom was lost.

I wonder how many of these customer data compromises ultimately are going to be chalked up to good old fashioned human error?

Yeah, I know, ultimately all of them until computers write their own programs (and that's the day that I unplug and head for .mt.us).

I mean stupid stuff, like a clerk misfiling a tape, or someone leaving a door unlocked, or something "non-computerish." Doesn't mollify the millions of people whose data are now at risk, I know.

You can't just throw automatio

Spooky Business

[handy_vandal (606174)]

According to Time.com ...

The U.S. official said a large percentage of the accounts are for the Pentagon but that some 40 federal agencies and other entities are affected. Some of the tapes related to non-federal card-holders, the official added. Trower would not comment on which agencies are affected, referring questions to the General Services Administration. A GSA spokesperson had no immediate response to an inquiry about the matter, including whether any of the Pentagon's billions of dollars in secret "black" programs could be affected. Pentagon spokesman Bryan Whitman said the data loss includes files on 900,000 of the Pentagon's three million or so military and civilian workers. "It is a significant number of the Department's employees," he said, declining to say whether it affected any who are working undercover.

Source [time.com]

Spooky business. One wonders ... were these records stolen by domestic agents? Foreign agents? Freelancers?

-kgj

hee hee

[mattyrobinson69 (751521)]

online trust falling overall in other news: Bank Of America Loses 1.2 Million Customer Records

fight club

[LordMyren (15499)]

what, ah, fight club style? obliterate all records?

did they loose the financial info too? seems like that'd be, um, a problem.

Myren

at odds

[underworld (135618)]

These two statements seem to be at odds with each other:

"We deeply regret this unfortunate incident," Barbara Desoer, who is in charge of technology, service and fulfillment for the Charlotte-based bank, said in a statement. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."

Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

So - they are so concerned about maintaining the security of their data that they gave it (in a very non-descript way mind you) to a group of people outside of their organization who have a history of struggling with integrity.

yippee...

Aftereffects

[YrWrstNtmr (564987)]

As this also includes some senators records, maybe now something will be done about this type of thing.

about yay high

[nmec (810091)]

For the ignorant amoung us does anyone know exactly big a magnetic tape(s) containing 1.2 million customer records are? Are they say, big enough to fit in a breifcase or are they more on the truckload size?

Re:about yay high

[Electrawn (321224)]

Data tape reels can range from 6 inch diameter to 18 inch diameter with 10-12 being average.

http://www.datalinksales.com/cgi-bin/shop/datstor e .cgi?user_action=detail&catalogno=SM2400 [datalinksales.com]

They are shipped in a flat white box about 12 x 12 x 1. Usually no other markings other than address label.

Cartridge tapes are smaller.

This sounds like one server reel being lost amongst a full backup.

Time to fight fire with fire!

[gearmonger (672422)]

Since I'm apparently so at risk of having my online identity stolen, I guess it's time to go steal a few myself -- never hurts to have some backup indentities!

Data loss is not acceptable

[t_allardyce (48447)]

In Europe this bank would be in major trouble. Does the US seriously not have any laws what-so-ever regarding personal information? even for banks and medical records!? I know there are some states where you have to be told if its lost but thats pretty pathetic.

My bank

[commo1 (709770)]

My bank (a big chartered bank here in Canada) lost "a number of documents" in their branch renovation move - across the street! My documents were in the "number" that they had lost. I have a letter on bank letterhead to prove it, even if it took me over a month to get it. The bank seemed unconcerned.

They Are Getting Fined!

[Evil W1zard (832703)]

They will be getting fined $500 for exposing individuals personal information and they will also be getting fined $50,000 by the FCC because someone at the company said "Oh Shit!"

Senate hearings on the way?

[krbvroc1 (725200)]

Sen Leahy wrote http://leahy.senate.gov/press/200502/022205.html [senate.gov] to the Senate Judiciary Chairman Arlen Specter in the wake of ChoicePoint. From what I've read there will be hearings, but not sure when. I hope it leads to the start of strict laws on consumer data protection. I have doubts.

good thing it was just tapes

[Cheeze (12756)]

no one EVER recovers anything from tapes anyways.

This Is No Surprise - BOFA Is Run By Morons

[Master of Transhuman (597628)]

When I was arrested for bank robbery, part of the process involved a pre-sentencing interview by the Parole Department. I told them I worked at BOFA for two and a quarter years from January 1985 to April of 1987.

When they contacted BOFA to verify this, BOFA could not find any record I'd worked there, either under my name or SSN.

At the sentencing hearing, my PD told the judge he was prepared to produce names of supervisors, etc., to verify I had worked there. The judge decided that was unnecessary, commenting "It really makes you wonder how well they're keeping your money."

If they can't find employees, I'm sure they have no trouble losing customers.

BOFA is your typical big corporation - worse, a big bank. This means virtually everyone in the organization is incompetent and couldn't care less about their job.

As an example, I worked on customer support of the Microstar cash management system sold by BOFA's Automated Treasury Services Division to Fortune 1000 corporation treasury departments. This software package included a subsystem from a third party company which was riddled with bugs. When we in support were advised that the rest of that company's package was to be purchased and resold to replace the in-house developed part of the system, we advised against it. Ignoring us, management went ahead which resulted in 400 bugs in the bug database after rollout.

In the meantime, management concluded that the market for this package was "saturated" (no such thing in software - you upgrade and resell - where would Microsoft be if they thought the market was "saturated" after Windows 3.1?), so they either re-assigned or laid everybody off. The managers were promoted, and everybody else got dumped (or fired, in my case.)

So, yes, no surprise these morons lose customers.

Re:Why were the tapes on a plane to begin with?

[PedanticSpellingTrol (746300)]

Well, as the old adage goes, nothing has more bandwidth than a van full of media.

Except a cargo plane full of media.

Re:Why were the tapes on a plane to begin with?

[ebrandsberg (75344)]

Either you didn't read the article very well, or it just didn't sink in, given the questions. Quote " lost in shipment to a backup center", to to answer the second question, chances are it WAS a secure offsite storage that it was going to. This also answers the first question. Third question too. And finally, for the fourth one, it is routine to make tape backups of large quantities of data and ship to an offsite storage. In the article, it didn't say anything about flying, nor baggage handlers, unless

Annoying

[FreeLinux (555387)]

I doubt that you meant it that way but, your post has rubbed me the wrong way. Your's is just the latest in a long running series of similar posts where the blame for a situation is redirected at the victim.

The tapes were believed to be stolen by airport bagage handlers during shipment to BoA's offsite facility, likely another datacenter. It's still under investigation so the news agencies are not yet able to accurately report exactly what happened.

By all accounts BoA has made reasonable effort to protect its data, its tapes and its customers. BoA, and by proxy its customers, are the victim of theft. The blame lies squarely on the shoulders of the thieves and no where else.

In ANY incident, there will always be something more that could have been done to prevent the incident from happening. But, it becomes a question or reasonable care. Was reasonable care taken? It certainly seems as if it was in this case.

Let's put the blame where it belongs. Don't redirect the blame to the victims.

Re:most aggravating thing

[YrWrstNtmr (564987)]

These records were stolen during transfer on a *commercial airliner*. Why the hell would you put something that important on something you have no control over?
Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.

Quite a lot of 'critical data' and other items is moved on commercial airlines every day. Backup data such as this, organ transplants, diplomatic pouches, etc.

The airline is merely a subcontrator of BoA, charged with moving the stuff from A to B. An organization cannot handle everything inhouse. Quite a lot of functions are subcontracted out. The only more secure way would be for BoA to own and operate their own fleet of transport aircraft, with their own baggage handlers, and the data moved from the data center to the airport by their own security personnel, in their own armored trucks.

Same for a hospital. If they have to send your records somewhere, should the have to do it on their own aircraft?

Re:Wonder if they were using Windows?

[YrWrstNtmr (564987)]

This is /. Anytime anything bad happens, MS has to be implicated somehow. I believe there is a function for that in SlashCode.

Re:What's the Big Deal?

[ATMAvatar (648864)]

Clearly, the US Government should then have access to all our personal information, and closely monitor each and every one of our personal financial transactions. Only with this amount of surveillance and control can the government be expected to fully do its job in protecting its citizens from financial terrorism.

As an added bonus, citizens who purchase certain combinations of items will be awarded an all expenses paid trip to the beautiful country of Cuba.