
Bank Of America Loses 1.2 Million Customer Records

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly affect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"
  • Well.. (Score:5, Informative)

    by kunwon1 ( 795332 ) <dave.j.moore@gmail.com> on Saturday February 26, 2005 @09:04AM (#11786388) Homepage
    As a US Government employee (US Air Force to be precise) I can tell you that Bank of America is regarded by most of us (us = gov't employees) as a faceless entity that cares nothing for customer service. I doubt this will come as much of a surprise to those of us who have been required by our occupation to associate with them for some time. Maybe now the powers that be will get their collective head out and pick a new bank.
  • One more thing... (Score:5, Informative)

    by kunwon1 ( 795332 ) <dave.j.moore@gmail.com> on Saturday February 26, 2005 @09:09AM (#11786402) Homepage
    GSA Smartpay is a program through which gov't employees are issued what is essentially a company credit card, but the US Gov't is the company. They're used for official purchases, for gas cards for government owned vehicles, etcetera.

    The following website explains it in governmentese:
    http://www.gsa.gov/Portal/gsa/ep/channelView.do?pageTypeId=8199&channelPage=%2Fep%2Fchannel%2FgsaOverview.jsp&channelId=-13497 [gsa.gov]
  • by handy_vandal ( 606174 ) on Saturday February 26, 2005 @09:29AM (#11786456) Homepage Journal
    ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ... ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board.

    One might easily assume that the executives are profiteering swine, and that the company's board members are colluding at the trough.

    Furthermore, ChoicePoint has a ... questionable history:
    Consider what happened in Florida leading up to the 2000 presidential election. In 1998, the state hired a company called Database Technologies [google.com] to scrub its voter rolls of ineligible voters. The scrub list was mandated by Florida legislators after a voting fraud investigation revealed dead people had cast ballots in the 1997 Miami mayoral election.

    DBT combed through Florida's rolls and handed over the "ineligible" list to elections officials in May 2000 -- within days of the company's merger with ChoicePoint [google.com].

    The problem was that DBT's list purged the voter rolls not just of felons, who are disqualified from voting in Florida, but of eligible voters whose names resembled those of the felons.

    While Florida and DBT failed to check a number of criteria that could have distinguished the actual felons from the non-felons, one criterion that DBT did bother cross-referencing was race. BBC reporter Greg Palast [google.com] and a handful of US journalists reported that the majority of the felons on the list were black, so thousands of legitimate black voters with the same names as black felons were struck from the rolls. Because Florida blacks vote heavily Democratic, a disproportionate number of votes for Al Gore were thrown out.

    According to analyses by news organizations, somewhere between 8,000 and 22,000 qualified votes went uncounted. Whatever the number, it towers over 537 -- the margin by which George W. Bush won Florida, and therefore the national election.

    The most jarring part, according to Palast, who broke the story, was that DBT knew the list was flawed -- because a Florida official told DBT, in a 1999 e-mail, "Obviously, we want to capture more names that possibly aren't matches and let the county supervisors make a final determination." Palast says the fact that the company would even hand over known mistakes shows that it doesn't always do its best -- contrary to its corporate mantra -- to protect the government against itself.

    Source [creativeloafing.com]
    With companies like that, who needs Big Brother? -kgj
  • Re:Well... (Score:5, Informative)

    by bombadillo ( 706765 ) on Saturday February 26, 2005 @09:45AM (#11786499)
    You are absolutely correct about law suits needing to be filed. My wife and I work for two large corporations. I am talking name brands that everyone knows. I was talking to her about a project that I was working on and how the users' info is sorted in the Database by credit card number. There are a few things wrong with this. From a non-security standpoint people have more than one credit card. So you would have plenty of duplicates. From a security standpoint there were loads of problems. Such as the data would be FTP'd from the mainframes to the unix midrange servers. So all of that data would be distributed about the enterprise. Makes absolutely no sense. Especially since there was no reason for the application I was working on to know a credit card number. The only data needed was name and products bought. When talking with my wife about how bad it was she told me that it was the same way in her company. I can only think that these companies built their systems a long time ago and no one has taken on the ambitious project of updating their procedures. From a career standpoint I can't blame them. There is not a big demand to secure these systems better. It would be a huge effort with little reward. If things didn't work your career would be over.

    If law suits start being filed there will be a sudden demand to get these systems more secure. It's always annoyed me that financial companies have charged us for their "credit protection" services. I have always felt that if my ID was stolen it would most likely be the fault of a financial institution and not me.
  • Re:Well... (Score:4, Informative)

    by wfberg ( 24378 ) on Saturday February 26, 2005 @10:00AM (#11786551)
    The way it works with the Data Protection Act is that the information has to stay within the EU, or certain states with which the EU has a "safe harbor" agreement. Those are countries that promise to be good. So your data gets shipped to the US, and then Faceless Corporation X just breaks their promise and ships all the work and data right back to India.

    Sad but true.
  • Re:Well.. (Score:2, Informative)

    by kunwon1 ( 795332 ) <dave.j.moore@gmail.com> on Saturday February 26, 2005 @10:06AM (#11786567) Homepage
    The air force has smaller credit unions and banks on base, but for things like government travel cards and purchase cards, we are not given an option as to which financial institution to use. Further, we are -required- in many cases to have and use these cards... lose-lose situation.
  • Not surprising (Score:1, Informative)

    by Anonymous Coward on Saturday February 26, 2005 @10:07AM (#11786572)
    For years Bank of America has shown their incompetence and utter lack of respect for their customers. My personal ordeal with them happened back in 2000. I was in the process of moving to another bank due to all of the past problems I had with them and had left a few hundred dollars in my account to cover several outstanding checks written for small amounts. Normally this would be ok but somehow BofA decided that they would reorder checks for me 27 times *AND* charge me for them. Well the charges for the "reorder" caused the account to be overdrawn when outstanding checks were cashed causing about $400 in so called "overdraft charges". Although they took care of the charges for the reorder glitch they absolutely refused to take care of the overdraft charges that resulted from THEIR goof. After about 6 months I finally had to file suit in order to get the matter resolved. During the 6 months of fighting with them I found out that a lot of the people I worked with had similar issues with them and that problems like that were not all that uncommon. At least BofA seems to be moving up in the world. Instead of screwing one customer at a time they've moved up to doing it in batches. Must be one of their new money saving moves!
  • My bank (Score:3, Informative)

    by commo1 ( 709770 ) on Saturday February 26, 2005 @10:22AM (#11786619)
    My bank (a big chartered bank here in Canada) lost "a number of documents" in their branch renovation move - across the street! My documents were in the "number" that they had lost. I have a letter on bank letterhead to prove it, even if it took me over a month to get it. The bank seemed unconcerned.
  • Re:Well.. (Score:5, Informative)

    by heybo ( 667563 ) on Saturday February 26, 2005 @11:07AM (#11786866) Homepage
    You are right BoA IS a faceless entity that cares nothing about their customers and only their profits. I live in Atlanta (their corp offices are here) I have been screwed out of my own money by them, and have heard 1,000s of stories that are the same. This has been happening with this bank for over 20 years that I know of. Still people continue to use them.

    I will not use them in any form. I will drive 10 miles out of the way to NOT use even their ATM machines. (No they ain't even getting my $1.50 for a transaction.)

  • Re:Annoying (Score:2, Informative)

    by oftheapes ( 837835 ) on Saturday February 26, 2005 @11:15AM (#11786909)
    "carried by a trusted entity that is bonded" we used to use a very large corporation handle our offsite data storage(in case of a disaster). i won't name them directly, but lets just say they're probably the largest company in the country to offer such a service. we went with them because of the assurances they offered about how secure our data tapes would be in their hands...stored in a converted salt mine, carried in unmarked trucks with more than one person present, secured tape cases, etc. etc. unfortunately, due to the nature of what was being put on the tapes, all sorts of security on some of the files contained had to be removed just to get proper and complete backups. they knew this, and also knew how enticing a target the tapes were - all sorts of personal and private data, research, etc. the research specifically was a very clear target for industrial espionage, especially given some of the people who knew exactly what was on the tapes and how much money the data was worth to the right people, or country. so we were very clear about tapes being signed for by specific individuals and delivered to very specific locations in double locked boxes. they were even provided maps and photos to be precise. after having a long series of incidents involving them not delivering on anything promised, they actually left a delivery of data tapes in a hallway, in an unlocked case, in a building with some of the highest traffic of anywhere in the organization. no attempt was made to contact the people in charge of receiving the data when the delivery people had trouble finding the office they were to be delivered to(which is extremely secure and specifically designed for protecting data tapes while on-site). so they left them, at the front door!!
    after waiting for the delivery and not seeing it, the company was called to see what the problem was...they informed us that the tapes had been delivered and signed for...the tapes had of course not been signed for by anyone and merely discarded when the drivers found they'd left their phone in the truck and couldn't be arsed to walk back to get it. when called on such a blinding error in judgement and failure to deliver on any promises in the contract, they responded with "we're very sorry, we'll not charge you for this month's service" so just because someone is bonded and makes promises you need to hear. doesn't mean that you won't have issues - the only way to be sure is to hand deliver the tapes yourself, by people trusted within the organization to have complete access to them. and even then they should be locked and monitored.
  • by Cepheus ( 72374 ) on Saturday February 26, 2005 @11:41AM (#11787086) Homepage
    Financial Service Companies do have Gramm-Leach-Bliley Act which has privacy and safeguard rules on private data. Much of the problem stems from the lack of understanding that the bank (and other financial service company) regulators have with respect to data security. To most of them, whether a financial institution has a privacy and security policy allows them to check off a check box on their audit forms. Few actually spend much time reading the various policies and reports because most are accountants and financial statement auditors that have attended a 1 week school that gives them a very basic overview of data security.

  • Re:Encryption? (Score:2, Informative)

    by JhohannaVH ( 790228 ) on Saturday February 26, 2005 @11:47AM (#11787123) Journal
    I'm the backup admin for my company, and if what I've been doing for the last six months is any indication - SOX 404 requires that tapes with *any* financial or personnel information must be encrypted as it is written to tape. We've been completely revamping our backup schedule and jobs to comply with all of the regulations that are required by law to protect our financials etc.

    Now, if they didn't encrypt their data, and that can be proven, THAT is grounds for a class-action from all of these victims. Because at that point, there is no way to know whose hands that has fallen into, and they are indeed victimized.
    I'm a long time customer of BofA and they are a long time customer of ours, but I'm really scared of the outcome of this. I've done everything imaginable to think of to keep my personal data secure (including only accessing my web-banking through SSL, Digital Certificates and BEHIND my office's firewall) all of my days. Now because someone wants to be an asshat, I could be a victim of ID theft, and material theft at that!! Thank god I spend my paycheck so fast on bills and such there ain't much left in there... and my savings is at another bank.
  • Re:Well.. (Score:3, Informative)

    by WebCrapper ( 667046 ) on Saturday February 26, 2005 @12:04PM (#11787221)
    Well, see - there are problems with that. I'm currently in Germany and the only "American" bank that I can use is Community Bank [dodcommunitybank.com] aka: Bank of America... Makes me feel GREAT. The past 2 security stories listed in the last week have skirted around me, but it's starting to creep up on me. Time to start using the "under the bed" savings method.
  • by Helen O'Boyle ( 324127 ) on Saturday February 26, 2005 @12:42PM (#11787484) Journal
    Interesting in the context of this news story...

    A friend of mine was marvelling how Bank of America, which is normally very fast to process debits and checks written against a balance, seemed to lag a bit between late the week before last and mid this week. As in, none of his transactions against his balance posted for nearly a week, then in the middle of this week, they all posted at once. He speculated that they must have had computer problems for a few days.

    I wonder if the behavior he was telling me about was a result of everything stopping while the bank investigated this records situation. I don't have B of A, so I can't tell if it was just something unique to his account, or if it affected all customers.
