US bank loses unencrypted data on 4.5m people

Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut. The Bank of New York Mellon offered people whose details …

COMMENTS

This topic is closed for new posts.
  1. Graham Bartlett
    Joke

    Lord of the Rings: The Return of the Snafu

    Gandalf: (laughs) Oh, of course. "Speak, friend, and enter."

    (Stands up and holds up staff)

    Gandalf: MELLON!

    (Security doors open wide...)

  2. Davey Bee

    Couriers

    I'm probably going over old ground here (various British cock-ups) - but why, when you're moving such sensitive data, isn't it held in the safekeeping of the same human being(s) from the beginning of its journey to the end of it? No sorting offices, no handovers: the courier takes it from the sending office to the receiving office, and does not allow himself to be distracted from that task.

    OK, maybe in USA these can be quite long journeys. Even so, I would still give it to one trusted guy (or pair of guys) to take from A to B, with strict instructions about never letting it out of their sights.

  3. Anonymous Coward
    IT Angle

    Situation normal all fouled up

    Snafu? You're being ironic. From the customers' PoV, tarfu at least.

  4. NoCo37
    Paris Hilton

    What courier?

    I'd really like to know what courier lost the tapes... Did the bank just pop the tapes into their local FedEx Kinko's drop box, or did it fall out of the back of an Iron Mt. truck?

    Paris - 'cause she now knows to secure her tapes.

  5. DAN*tastik

    This is a genuine question

    Wouldn't it be safer to somehow transfer the data over the network?

    Obviously not a zipped file, but if there's data being transferred daily over the network, that can't constitute an extra risk? Or can it?

  6. Cameron Colley

    Two fucking years?!?

    If you lose someone's data you owe them insurance for life -- after all, that's how long their personal details will be valid.

    It seems only honest people need worry in this world.

  7. Daniel B.
    Coat

    Oh, their first blunder!

    It seems like the "NY Mellon Bank" is a recently-merged financial entity. It is barely one year old, and they've already done an epic SNAFU. Way to go!

    With that name, though, I'd wonder if speaking 'friend' will give me full r00t access...

  8. El PM

    So this is not really about "US Bank" after all

    Thanks for making the heart of US Bank (usbank.com) customers race... with the ambiguous title.... Turns out this is about a USA-based Bank, not the actual US Bank company.

  9. Steve Mann

    WTF?

    Is it REALLY going to take a law backed by punitive damages to make these buggers start using a bit of common before burning tapes/CDs/whatever and carrying them offsite? My details were on a tape lost by a bank about 18 months ago.

    The IT department responsible for this disgraceful cock-up issued a statement that it was "about to" implement encryption at the time (so any future IDs I might adopt and give to the bank were presumably safe), and they assured me that it was unlikely that anyone would have the equipment to read the tape anyway so I shouldn't worry my little head about it.

    Oh yeah? Is it *that* unlikely that a tape containing a DIY kit for forging the ID of a couple of million customers would be stolen by someone who *hadn't* taken the preliminary step of obtaining a couple of easy-to-get surplus-these-days tape units BEFORE concocting the elaborate "steal tape from courier" plan?

    Hay-Zeus on a Bike! You'd think that at least ONE of these buggers would get the message. Perhaps only when Glorious Leader Bush or Beloved Co-Leader Cheney have had their Name, SSN, Address and Deposit Account numbers stolen will Something Be Done.

    Bah.

  10. Jack Harrer
    Thumb Down

    But if they had...

    ... national ID Scheme that wouldn't happen, of course!

    //Coat

  11. Anonymous Coward
    Anonymous Coward

    Why are Banks so F'ing stupid, still ?

    It is no wonder that there is a global banking crisis when we see time and time again that the bank cannot even look after data, let alone money! I would not trust Bank of New York Mellon with any money at all, let alone mine.

  12. Alan Esworthy
    Pirate

    ignoramuses and/or fools

    Anyone in any organization that handles data pertaining to clients or customers, especially financial and medical establishments, who transfers unencrypted data is an ignoramus or a fool. And that goes as well for at least one level up in the chain of command.

    Oh, yes, regarding "...bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media..." can you say "Hannaford" boys and girls?

    Skull and crossed bones because Pirates is Everywharrrrr. Arrrr.

  13. Dave Jones
    Happy

    Not really a problem

    After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos.

  14. NoCo37
    Happy

    @ Not really a problem

    >After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos.

    And me... I bet I am not the only Reg reader with this kind of kit at the house or available for use at work

  15. Captain DaFt
    Alert

    @ Dave Jones

    "After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos."

    -Holds up hand- The last refurbished computer I bought had a mag tape bay in it! (Pulled it out, it's probably still in my closet)

    Hmm, maybe I should put it on eBay? It looks like it might be worth serious cash to someone, eh?

  16. Anonymous Coward
    Go

    @Davey Bee

    It comes down to cost. Most of the UK and US banks in the UK (including NYM) use bike couriers as we are secure and hard to rob, but we're not cheap. The US doesn't have many bike couriers and they are VERY expensive, so they use overnight services which cost little.

    Overnight courier is very insecure, but when nothing goes wrong it looks cheap. I guess it's a perception thing.

    Ex Securicor Pony Express rider who used to carry everything from cash to penny under a Billion bearer bonds to your bank's clearing to bullion from cash centres, all on motorbikes. Ex company manager with a few banks as clients.

    Anon as I signed confidentiality agreements (seriously)

  17. Anonymous Coward
    Pirate

    no big shock here

    US banks routinely contract with small Puerto Rican software shops who in turn sub the work out to... well the US banks would rather not know.

    It doesn't take a bank losing tapes to leak this stuff, they ship it offshore routinely.

  18. Anonymous Coward
    Unhappy

    tards

    Knowing these tards, they probably are still using 7-track round reel. No excuse is good enough for this type of stupidity. Loonies in Ohio were having interns take computer files home with them as an off-premises storage backup....ha.ha.ha.ha.ha

    computer tards.... where do they get them?

  19. Justin Clift
    Boffin

    @Why are Banks so F'ing stupid, still ?

    Because all of the practical encryption options for backup media are *expensive*.

    There's:

    + licensing
      (i.e. the encryption option for NetBackup isn't cheap)

    + implementation
      - new tape drives [for hw encryption rather than sw encryption]
      - key management software plus associated new processes/procedures
      - impact on restoration/recovery times of encrypted data vs unencrypted

    + legal compliance

    + data expiration considerations

    + and DR can become further complicated

    Most places seem to get their backup and recovery strategy "working ok", without then going and getting the next step of securing it properly.

    Personally, I'd feel a bit safer if the encryption of *sensitive* data on backup media was legally mandatory AND part of the auditing that's done of financial institutions (i.e. by APRA here in Australia).
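An added example, not code from this thread or from any poster: a small POSIX shell script showing the "key management" and "restoration/recovery" pieces that the list above names, using envelope encryption with openssl. Each backup set gets its own random data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays with a key custodian, and the restore path fails cleanly when the custodian's key is absent. It assumes openssl (1.1.1 or later, for `-pbkdf2`), tar, cmp and mktemp are on PATH; the directory layout, file names and the one-row CSV are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): envelope-encrypt a backup set before
# it goes onto removable media, and show the restore path that needs the custodian's key.
# Assumes openssl (1.1.1+ for -pbkdf2), tar, cmp and mktemp are on PATH.
set -eu

# Write a fresh 256-bit random key (hex) to a file readable only by the owner.
gen_key() {
  openssl rand -hex 32 > "$1"
  chmod 600 "$1"
}

# Back up directory $1 into media directory $2, protected by the KEK file $3.
# The data-encryption key (DEK) is generated per backup set, used once, then
# wrapped under the KEK. Only backup.tar.enc and dek.wrapped leave the site;
# the KEK stays with the key custodian (an HSM or key manager in practice).
backup_encrypt() {
  src="$1"; media="$2"; kek="$3"
  gen_key "$media/dek.hex"
  tar -C "$src" -cf "$media/backup.tar" .
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$media/dek.hex" \
    -in "$media/backup.tar" -out "$media/backup.tar.enc"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$kek" \
    -in "$media/dek.hex" -out "$media/dek.wrapped"
  rm -f "$media/backup.tar" "$media/dek.hex"   # plaintext and bare DEK never ship
}

# Restore media directory $1 into $2 using KEK file $3. Each step reports failure
# explicitly, so a wrong or missing KEK yields a non-zero status, not garbage output.
backup_restore() {
  media="$1"; dest="$2"; kek="$3"
  dek="$media/dek.hex"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$kek" \
    -in "$media/dek.wrapped" -out "$dek" || { rm -f "$dek"; return 1; }
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$dek" \
    -in "$media/backup.tar.enc" -out "$media/restore.tar" \
    || { rm -f "$dek" "$media/restore.tar"; return 1; }
  rm -f "$dek"
  tar -C "$dest" -xf "$media/restore.tar" || { rm -f "$media/restore.tar"; return 1; }
  rm -f "$media/restore.tar"
}

# End-to-end check on constructed data: returns 0 only if the media holds no
# plaintext, the wrong KEK cannot restore it, and the right KEK restores it exactly.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src" "$work/media" "$work/restore" "$work/custodian"
  # Constructed sample record; not real customer data.
  printf 'acct,name,ssn\n1001,A. Customer,000-00-0000\n' > "$work/src/customers.csv"
  gen_key "$work/custodian/kek.hex"
  gen_key "$work/custodian/wrong-kek.hex"
  backup_encrypt "$work/src" "$work/media" "$work/custodian/kek.hex"
  # The shipped ciphertext must not contain the record in the clear.
  if grep -aq 'A. Customer' "$work/media/backup.tar.enc"; then return 1; fi
  # Media plus a wrong KEK must be useless.
  if backup_restore "$work/media" "$work/restore" "$work/custodian/wrong-kek.hex" 2>/dev/null; then return 1; fi
  # Media plus the custodian's KEK must reproduce the data byte for byte.
  backup_restore "$work/media" "$work/restore" "$work/custodian/kek.hex"
  cmp -s "$work/src/customers.csv" "$work/restore/customers.csv"
}

if [ "${1:-}" = demo ]; then demo && echo "encrypted backup and restore verified"; fi
```

Run it as `sh backup-envelope.sh demo`. The design point is the one the list makes about process: the media alone (ciphertext plus wrapped DEK) is safe to hand to a courier, while the KEK, its custodian, and a rehearsed restore become part of the DR plan rather than an afterthought.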

  20. Justin Clift
    Happy

    @ Not really a problem

    Me too.

    I use an LTO tape library even at home. Just keeps things nice and simple.

  21. David Rollinson
    Pirate

    @ Dave Jones

    Ten years ago, losing a tape or CD was less of a problem; it would probably just end up in a bin. Now though, the criminals are more aware of the value of data and are more likely to look through it and attempt to sell it to someone who can make use of it.

    Encrypt everything!

  22. Anonymous Coward
    Dead Vulture

    @AC @Davey Bee

    How exactly is a bike courier safe or hard to rob?

    *Car Vs. Bike. Car wins. Car driver gets the physical data price.*

  23. Anonymous Coward
    Anonymous Coward

    Large Scale IT Support

    I'm loving some of the comments you guys are making. Agreeing with most, i.e. end-to-end delivery by responsible individuals and encryption where possible. But it seems a lot of you guys are really out of touch with practical and economic reality.

    Large organisations simply cannot encrypt all tape data due to the size and amounts of data we are talking about, as well as the recovery procedures and timescales that would be required to get the details back from the disk. It may be ok if you are handling a few megs of tape data, but when you are dealing with hundreds of Gigs it is a different story.

    And don't even get me started on risk calculations. Those of you who have never worked on large-scale IT projects would be well served to get out there and get some experience of systems that put ACME Pot Rivet Ltd. to shame before chucking in their two penn'orth.

  24. Anonymous Coward
    Dead Vulture

    How very silly...

    @Justin Clift:

    How expensive do you actually think that encryption measures are, compared to the cost and hassle of losing unencrypted data? And we're talking about banks here, not exactly the poorest institutions around.

    I'd imagine that most tape drives (libraries, more likely) that banks use are already advanced enough to include hw encryption and compression, I don't think key management is that much of an issue, and I don't see how DR would be significantly impacted either. Overall, definitely a small sacrifice compared to the potential benefits it brings.

    @AC about car vs bike:

    Motorcycles (or even bikes) are probably a lot more agile, so unless you have some real pros trying to steal the data, you're probably more likely to get away on one of those rather than a car.

    But seriously, unencrypted tapes, in 2008? FAIL++ :[

  25. Steve

    Pathetic!

    Is that the best the yanks can do?

    Our lads lose that much data before breakfast.

  26. Slaine
    Boffin

    still @ [least it's] not really a problem

    >After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos ... and me too [holds hand up in sheepish manner]. Truth is, I just can't throw anything away.

  27. Alfazed
    Pirate

    Buy ID Protection

    From your bank !!!!!!!!!

    They are all at it in the UK at any rate: pay £x per month and we'll provide legal assistance while you sort out your shit in the (increased likelihood) eventuality that your ID gets stolen (after we lost your fucking data HA! HA! HA! - give us more of your money - idiot!)

    This is how they are going to stabilise the world currency deficit caused by their bad capital investments and their incredibly weak security policies (not to mention the rather excessive fat cat payouts and executive jollies they've had recently).

    I read somewhere that you are safer from ID theft if you only have debts.

    Wicked ...................

    ALF

  28. Anonymous Coward
    Happy

    @AC Car vs Bike

    There's something like 5000 couriers on bikes within Central London, how do you tell which one has the important package? Not even the customer knows which rider has the package or what route they will take.

    I suppose you could wait around outside a bank on Canary Wharf, but then how do you know which rider is carrying important data and which dross?

    In the two years I worked for Securicor only one bike was robbed and that was because he forgot to lock his top box. In the several years I ran a company not one rider was robbed although the bank was.

    The system of obscurity and speed works in this instance. If it didn't it wouldn't have been used for so long.

  29. Scott

    Booky

    Anyone running a book on who will beat the incompetence of the UK government? They lost 25 million details. I was going to say Australia, but then I realised they don't even have 25 million people's details to lose.

  30. Shell
    Go

    @AC (car vs bike)

    A big net and a lot of patience.

  31. Barry Tabrah

    History repeating itself?

    People have been shipping backups around ever since we've had backups. I realise that the reporting of these incidents in recent times is highlighting the problem, but imagine how much information has been lost over the last few decades. It's not like courier services have suddenly become incompetent overnight.

  32. H Lucas

    Systems Engineer

    If you ain't got an NSA certificated key custodian - with an active account - you AIN'T got encryption - you've got PRIVACY... and that's a 20 min job to break usually.

  33. Chris jones
    Flame

    Hit Them Where it Hurts!!!

    This takes the pee pee yet again. How many times does this need to happen before banks will wake up and smell the proverbial coffee (or in the banks' case, when will they smell the shit hitting the fan?).

    Those affected need to hit them in the only place that hurts for large American Corporations, the bottom line. Hit their profit margin very hard and they'll soon sit up and take notice. A class action lawsuit from 4.5 million people should do the trick.

    When will the US administration stop spying on its own populace and bring in some laws to protect them instead?

    Flames; 'Cos whoever at the bank took the decision to send the unencrypted details of 4.5 million people, via a third party courier, should be burned at the stake in Times Square. I'll bring the petrol...

  34. Pierre

    Re: Large Scale IT Support

    Can you tell us which company you work for, so that we can stay as far as possible from it?
