Privacy Businesses

Bank Of America Loses 1.2 Million Customer Records 299

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly affect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"
This discussion has been archived. No new comments can be posted.

  • by bigtallmofo ( 695287 ) on Saturday February 26, 2005 @09:08AM (#11786399)
    You may recall the recent Choicepoint security breach [slashdot.org]. Apparently there's profit to be made in between finding out about a security breach and actually announcing it!

    ChoicePoint execs sold shares before theft news

    ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database. Alpharetta, Ga.-based ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board. Corporate governance experts say the pattern and timing of the trading by chief executive Derek Smith and president Douglas Curling raises questions. Smith and Curling did not respond to repeated requests through a spokesman for comment Friday.


    Full Story: Twincities.com (Subscription Required - use bugmenot.com) [twincities.com]
  • Indeed. (Score:3, Interesting)

    by game kid ( 805301 ) on Saturday February 26, 2005 @09:33AM (#11786466) Homepage
    Especially from a company that prided itself in TV ads as one that "engineer[s] our own software" because "one error in a billion" in their checking was one too many.

    Well, I guess they have at most 999,999,999 more transactions until we know that they've blown their *ahem*commitment to their consumers--unless you count each person affected as an error here, in which case we can probably sue them for false advertising. Or at least utter stupidity.

    That said, I bet someone mixed those backup tapes in their bedroom with their pornos, in which case roughly half of the Government officials are thanking teh Bank this morning.
  • Re:Encryption? (Score:2, Interesting)

    by Anonymous Coward on Saturday February 26, 2005 @09:33AM (#11786467)
    No, they'll be straight DB dumps onto tape. If you think that's crazy, work out how much data you'd need to encrypt every night during a backup run, and then work out how much time you have to complete a full backup run. That's why no one encrypts the data when they back it up.
  • Aftereffects (Score:3, Interesting)

    by YrWrstNtmr ( 564987 ) on Saturday February 26, 2005 @09:54AM (#11786528)
    As this also includes some senators' records, maybe now something will be done about this type of thing.
  • about yay high (Score:2, Interesting)

    by nmec ( 810091 ) on Saturday February 26, 2005 @09:55AM (#11786535)
    For the ignorant among us, does anyone know exactly how big a magnetic tape(s) containing 1.2 million customer records are? Are they, say, big enough to fit in a briefcase or are they more on the truckload size?
  • by t_allardyce ( 48447 ) on Saturday February 26, 2005 @10:01AM (#11786557) Journal
    In Europe this bank would be in major trouble. Does the US seriously not have any laws whatsoever regarding personal information? Even for banks and medical records!? I know there are some states where you have to be told if it's lost but that's pretty pathetic.
  • The value of Data (Score:2, Interesting)

    by cowboy76Spain ( 815442 ) on Saturday February 26, 2005 @10:19AM (#11786612)
    I have browsed through the comments and I am shocked to see that people's comments show that the only thing that should worry BoA about this issue is the PR problem or if they piss off some VIP by revealing its data. One of them even claimed that the bank could benefit from this.

    The data of a company is one of its most important actives, and forever (long before the computer age) the companies have tried to lock it, because it shows everything about its customers, but also it shows everything about the companies themselves.

    Now if a bank gets hold of that data, they can browse and find out which are the good customers (a lot of transactions, no problems with payment or delays, big benefits) and try to offer them better conditions than their current ones and which ones are the bad customers (little movement, debts, bad financial situation) and must be rejected if they go to their bank.

    Aside from the legal and PR stances, the company's own interest is to protect its data, and it is enough to make me sure that some heads have been already cut...
  • by krbvroc1 ( 725200 ) on Saturday February 26, 2005 @10:59AM (#11786835)
    Sen Leahy wrote http://leahy.senate.gov/press/200502/022205.html [senate.gov] to the Senate Judiciary Chairman Arlen Specter in the wake of ChoicePoint. From what I've read there will be hearings, but not sure when. I hope it leads to the start of strict laws on consumer data protection. I have doubts.
  • Re:Encryption? (Score:4, Interesting)

    by Motherfucking Shit ( 636021 ) on Saturday February 26, 2005 @11:03AM (#11786851) Journal
    Yeah, and backups are also barcoded and hand-transported by courier to an offsite storage/security vault.
    Actually they may well be barcoded, they damn sure ought to be encrypted, and they are indeed hand-transported by courier to the backup location. In fact, several of the articles that I read had BOFA blaming ramp workers for stealing the tapes at some stage. IMO that's a cop-out, any ramp agent is going to be hard pressed to leave an airport with something he didn't bring in.

    Bank record transportation is (or at least was, before Check21 went into effect) a major and rather vertical industry. The general chain of command is that a courier service picks up "the goods" (cancelled checks, backup tapes, whatever) from a bank, takes the cargo to the nearest airport, and drops it off in one manner or another. Depending on the bank and the courier, the goods are either dropped at the airport Post Office or taken to an airline's cargo input on the ramp.

    From there, the obvious happens. Either the items are transported via USPS to their destination, or they fly as commercial cargo and wind up at the destination airport, where another series of couriers collects and delivers it to the receiving location. The article that I saw claimed that BOFA declined to describe how the process works. Well, this is how the process works.

    The thing is, bank records are not exactly labeled "PERSONAL FINANCIAL RECORD BACKUPS, TOTALLY SECRET, PLEASE BE CAREFUL." The people who are working as couriers for banks know what they're picking up, but they also know that they're constantly under scrutiny. Once this stuff hits the ramp, it's just cargo as far as airline employees are concerned. It gets on a plane, flies to a destination, and things reverse; ramp agents unload random cargo as far as they know, and then some courier who knows damn well that he's being watched takes it to the receiving bank.

    From all accounts, BOFA seems to be blaming ramp agents. I call bullshit. For one thing, nobody goes on or off a ramp without some sort of security check; I should know, I'm on the ramp almost every day. And most of the "secure" cargo flowing through a given ramp is unmarked and can't readily be recognized. The only time you pick up on something "special" is when Customs impounds a shipment.

    As far as the explanations I've heard, I say BOFA are full of shit. This wasn't a ramp worker nabbing a case of backup tapes - he'd never have gotten off the ramp. This is negligence one way or another.
  • Re:about yay high (Score:2, Interesting)

    by mduckworth ( 457088 ) on Saturday February 26, 2005 @11:24AM (#11786978) Homepage
    Well it's completely subjective because it depends on the size of each record. But if you assume 2 pages of text data per record or so. We can say 1.5KB per customer. 1.2 million = 1,800,000 KB or 1.8 Gigs. Most likely a single tape was stolen with a single DB backup from a single old DB server.
  • by King_TJ ( 85913 ) on Saturday February 26, 2005 @01:29PM (#11787771) Journal
    I, too, haven't heard much good about Bank of America, so I've avoided them. Unfortunately, my experience is, most of the banks that are large enough to offer "conveniences" like ATM machines in multiple places in town will screw you over.

    I view my banks as necessary evils, and little more. I have my primary checking account with U.S. Bank right now, and for a while, thought they were going to be "above average". They offer free, unlimited online billpay, for example - while many others want to charge monthly fees for using it. Unfortunately, they're terrific about tossing around service charges and penalties like candy at every opportunity.

    For example, a while back, they talked me into getting a VISA card with them, to go along with my checking account and debit card. (They said, if you want overdraft protection on your checking account, this is the only way you can do it. Get our VISA card, and then if your account is ever overdrawn, we'll just charge the difference to the VISA and save you all those bounced check charges, etc.) Sounded good - but it's been a nightmare. When I got divorced, I asked to have my card numbers changed for security reasons. They did, but that broke the relationship between the VISA card and my new bank acct. # - and it took me almost a week to get it resolved. (It was still providing the overdraft protection on the old account number!)

    After that, I started having problems where every time my checking account came within $75 or so of being overdrawn, they'd automatically transfer hundreds of dollars over from the VISA, plus service charges, even though I never actually overdrew it at all.

    Last week, I rushed to deposit my paycheck before several online billpay payments were due to process. Even though the check cleared on the same day the outgoing payments were scheduled for - they overdrew my account first, and THEN credited the deposit to it. Again, a tactic to maximize their service fees.
  • Re:about yay high (Score:3, Interesting)

    by Electrawn ( 321224 ) <electrawnNO@SPAMyahoo.com> on Saturday February 26, 2005 @01:50PM (#11787902) Homepage
    Data tape reels can range from 6 inch diameter to 18 inch diameter with 10-12 being average.

    http://www.datalinksales.com/cgi-bin/shop/datstore.cgi?user_action=detail&catalogno=SM2400 [datalinksales.com]

    They are shipped in a flat white box about 12 x 12 x 1. Usually no other markings other than address label.

    Cartridge tapes are smaller.

    This sounds like one server reel being lost amongst a full backup.
