Bank Of America Loses 1.2 Million Customer Records 299
Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly effect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"
Backup Tapes? (Score:1, Insightful)
So? (Score:2, Insightful)
Well... (Score:5, Insightful)
Now, I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies. Large corporations only feel something when they lose money, maybe it would send the message that you will be held accountable if you do not take security seriously.
As we all know, nothing is as valuable as our information.
Encryption? (Score:5, Insightful)
This has been coming for a _long_ time... (Score:5, Insightful)
1. unlimited storage capacity meant complex and detailed records could be kept on every person.
2. guaranteed incompetence meant these records would be abused, lost, exposed and manipulated.
I don't see either of these trends changing.
Applies to both commercial and governmental databases. Chaos, mess, confusion, abuse, on a huge and ever-increasing scale.
Welcome to the 21st century. You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...
Spooky Business (Score:4, Insightful)
-kgj
Re:Well... (Score:5, Insightful)
You're hearing about this because of the flap about CheckPoint, and you heard about CheckPoint because of the current flap about identity theft.
If not for those circumstances, these stories would very likely have been reported in the business press, but otherwise below the general public's radar.
So, you have no reason to assume that the first appearance of an event on TV or in Slashdot means it never happened before.
BofA ought, of course, be held responsible for their behavior. I don't know if these cardholders can sue, since the card's were issued to them in conjunction with their federal employment. And, unless they are able to document loss as a result of the loss, I'm not sure what grounds they'd have for a suit.
That said, BofA just dug itself a big hole for the next contract recompete. Their accountablity may come in the form of losing that recompete. (Don't imagine, though, that a contract of that size will be given to some local mom-and-pop bank.)
Re:Well... (Score:0, Insightful)
Class Action Lawsuits are NOT the answer. If a company does wrong, you can go to the company-sponsored arbitration - it's more fair, and it's extremely unlikely for the arbitration board to hand out significant awards to the victim.
The problem with class action lawsuits is that the damages caused by the corporation can negatively impact the bottom line of a company.... impact stock prices and real employees... and the cost is ALWAYS passed on to the customer.
Class action lawsuits only cause more damage, and in the end we need to have faith in the self-regulation of corporations.
Not an Internet Issue (Score:3, Insightful)
For all we know, they were stolen out of the back of some truck and lifted by the overnight cleaning crew.
at odds (Score:4, Insightful)
"We deeply regret this unfortunate incident," Barbara Desoer, who is in charge of technology, service and fulfillment for the Charlotte-based bank, said in a statement. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."
Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.
So - they are so concerned about maintaining the security of their data that they gave it (in a very non-descript way mind you) to a group of people outside of their organization who have a history of struggling with integrity.
yippee...
Re:Encryption? (Score:4, Insightful)
Re:Well... (Score:3, Insightful)
Re:Well.. (Score:1, Insightful)
most aggravating thing (Score:0, Insightful)
Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.
Look guys - until you put regulations in to make people responsible for properly securing and transporting private data, the principals involved won't worry that much, beyond PR, about taking the right steps for the future.
Re:Well.. (Score:3, Insightful)
Then they might just get a freakin clue.
Re:Well... (Score:4, Insightful)
Annoying (Score:5, Insightful)
The tapes were believed to be stolen by airport bagage handlers during shipment to BoA's offsite facility, likely another datacenter. It's still under investigation so the news agencies are not yet able to accurately report exactly what happened.
By all accounts BoA has made reasonable effort to protect its data, its tapes and its customers. BoA, and by proxy its customers, are the victim of theft. The blame lies squarely on the shoulders of the thieves and no where else.
In ANY incident, there will always be something more that could have been done to prevent the incident from happening. But, it becomes a question or reasonable care. Was reasonable care taken? It certainly seems as if it was in this case.
Let's put the blame where it belongs. Don't redirect the blame to the victims.
Re:Well.. (Score:4, Insightful)
Re:most aggravating thing (Score:4, Insightful)
Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.
Quite a lot of 'critical data' and other items is moved on commercial airlines every day. Backup data such as this, organ transplants, diplomatic pouches, etc.
The airline is merely a subcontrator of BoA, charged with moving the stuff from A to B. An organization cannot handle everything inhouse. Quite a lot of functions are subcontracted out. The only more secure way would be for BoA to own and operate their own fleet of transport aircraft, with their own baggage handlers, and the data moved from the data center to the airport by their own security personnel, in their own armored trucks.
Same for a hospital. If they have to send your records somewhere, should the have to do it on their own aircraft?
Re:Annoying (Score:1, Insightful)
I'm posting this as AC since I do consulting for a living and some of my clients are financial institutions.
There is one surefire way to fix this: make the banks directly liable for any data loss. Do not allow them to disclaim resposibility. Implement strict guidelines that require them to disclose any breach of security. Make sure that failure to follow those guidelines results in mandatory jailtime for the company's officers.
Problem fixed.
Re:Well... (Score:2, Insightful)
According to the 2004 FBI/CSI Computer Crime and Security Survey, 53% of polled corporations, government agencies, financial institutions, medical institutions, and universities detected computer security breaches within the last twelve months.
To speak as if network security is some simple line item an organization would check-off and pay if they "cared" about their customers is utterly ignorant. Yes, there are thousands more organizations getting hacked all the time, losing their customer's information, and you never hear about it. I've done network forensics for three Michigan organizations that have been hacked already this year, and none of them told me "Hey by the way, please take this to the press and let everyone know we got hacked."
The bottom line is this: No network is 100% secure. Security is not some line item that can be paid for when an organization "cares" about their customers. To speak as though any organization that gets hacked must have been negligent only exposes your ignorance on the topic.
True, too many organizations purchase firewalls and IDS and think they're secure. Organizations need to learn security is a process. Not a product.
That's where security consultants [2core.com] provide value.
What's the Big Deal? (Score:1, Insightful)
In light of recent news that Choice Point sold the personal data of an as yet unknown thousands of consumers to phony companies, and today's reporting that the Bank of America has lost the account records of 1.2 million customers, I thought I would throw a little scenario out there. Just something to think about.
Since September 11, 2001, the U.S. has been on the defense at home (and offense abroad) against more physical attacks in this country. The terrorists are no doubt finding it much more difficult to go about the business of planning those attacks. The acts required to put together an attack on physical objects is by nature "noisy". If they want to attack a building, they need to case the building. That means visiting, filming, perhaps a number of times. In other words, they need to do things that are visible to and noticeable by other people, people who would likely find those things suspicious. People are much more observant these days, thank goodness.
So, if conducting a physical attack is difficult, what is less difficult, but achieves the goal of attacking democracy and capitalism?
What if an organization with modest funding were to operate from abroad, supported by a friendly host country (why not just pick one at random, say Iran) and, using the legwork of sympathizers, aquire easily obtained infrastructure here in the U.S.? The infrastructure could consist of a simple post office box to establish a mailing address, perhaps rented office space, but not necessarily. A physical office would provide a semi-secure space to install the organization's servers to provide virtual private networking capability in order to have their connections appear to originate inside the U.S. Add VoIP services to allow the organization to pick up the telephone in Iran and seem to appear in Los Angeles (I know, there are some technical issues with this, like latency, but Joe Schmoe at Choice Point might not notice). There are any number of ways to establish a virtual office. The point would be to create a presence allowing the organization to operate without much suspicion.
After having established a presence, this organization could set about establishing the business relationships required to further the goal of attacking the U.S. financial system. This might include paying for the details of consumers' credit reports, including Social Security numbers, credit card accounts, etc. This is not to say that the organization is limited to operating within the confines of the law. Why not also steal the records if you can? How about 1.2 million customer records of a bank? That's quite a lot of information.
The point is this: after obtaining a large amount of information about U.S. consumers (read "evil capitalists"), the organization could set about several things at once. First, it could ruin the credit of thousands, if not millions, of Americans. Two, throw financial institutions, and the economy into turmoil. Three, in accomplishing the first two goals, also accomplish the goal of taking a form of terror to any American anywhere, not just the big cities.
How could this happen? A man going to an office everyday does not seem suspicious, whereas a foreigner filming a building most certainly is. And, by the way, that man going to the office everyday does not necessarily even have to go to the office in the U.S. He might just as well do it from the comfort of Tehran with the support of his friendly host country. If the authorities in the U.S. happen to break into the office in LA, they sieze computers and not personnel. And noone says the connection has to lead directly back to Iran. Using a two-way satellite connection, the organization could operate from anywhere within the satellite's footprint.
I hope I'm not the only one thinking about these things.
This Is No Surprise - BOFA Is Run By Morons (Score:3, Insightful)
When I was arrested for bank robbery, part of the process involved a pre-sentencing interview by the Parole Department. I told them I worked at BOFA for two and a quarter years from January 1985 to April of 1987.
When they contacted BOFA to verify this, BOFA could not find any record I'd worked there, either under my name or SSN.
At the sentencing hearing, my PD told the judge he was prepared to produce names of supervisors, etc., to verify I had worked there. The judge decided that was unnecessary, commenting "It really makes you wonder how well they're keeping your money."
If they can't find employees, I'm sure they have no trouble losing customers.
BOFA is your typical big corporation - worse, a big bank. This means virtually everyone in the organization is incompetent and couldn't care less about their job.
As an example, I worked on customer support of the Microstar cash management system sold by BOFA's Automated Treasury Services Division to Fortune 1000 corporation treasury departments. This software package included a subsystem from a third party company which was riddled with bugs. When we in support were advised that the rest of that company's package was to be purchased and resold to replace the in-house developed part of the system, we advised against it. Ignoring us, management went ahead which resulted in 400 bugs in the bug database after rollout.
In the meantime, management concluded that the market for this package was "saturated" (no such thing in software - you upgrade and resell - where would Microsoft be if they thought the market was "saturated" after Windows 3.1?), so they either re-assigned or laid everybody off. The managers were promoted, and everybody else got dumped (or fired, in my case.)
So, yes, no surprise these morons lose customers.