A prior post discussed the data breach at Bank of New York Mellon Corporation (BNY). On Monday June 2, 2008 my wife received the following letter from BNY:
"May 21, 2008
Dear Sir or Madam:
BNY Mellon Shareowner Services provides stock transfer agency, employee plan administration and related services for issuers of securities such as publicly traded corporations. This includes records for accounts that are currently active, as well as those that have been closed for some years. While we have no reason to believe your information has been or will be accessed or misused, we are writing to inform you of an incident involving personal information that we maintain in connection with these services. On February 27, 2008, our archive services vendor notified us that they could not account for one of several boxes of data backup tapes that they were transporting to an off-site storage facility. The missing tapes contained personal account information that we are required to maintain for the provision of these services."
Wow! The data breach happened on February 27 and BNY notifies consumers in June! That's a three-month delay! Unacceptable. That's too long and it gives plenty of time for identity thieves to do damage. The letter didn't explain the three-month delay in notification. Nor did the letter explain why the BNY data tapes were not encrypted, a serious lapse in data security.
Moreover, the BNY letter includes this absolutely pathetic and insulting statement: "we have no reason to believe your information has been or will be accessed or misused..." Is BNY serious? The missing data tapes are not enough evidence of theft? Do BNY executives not realize how smart identity criminals are today? And how can BNY make a claim about the future ("... or will be accessed...")? What arrogance! If BNY has a crystal ball to see into the future, maybe they should have put it to better use to monitor their archive services vendor before "losing" any more data tapes. Geez!
What makes this letter even worse is that BNY never comes clean and informs its data breach and ID-theft victims exactly what sensitive personal data was exposed. So consumers have to assume the worst: that name, birth date, Social Security Number, and bank account number were all exposed. The letter continues:
"As stated above, we have no indication of any improper access to this data. As a precaution, however, to help you detect any possible misuse of your data, we are offering to you free credit monitoring for a 12-month period. We have engaged ConsumerInfo.com, an Experian® Company, to provide you with their Triple Alert Credit Monitoring product, which includes daily monitoring of your credit reports from three national credit reporting companies (Experian, Equifax and TransUnion), e-mail monitoring alerts of key changes to your credit reports, and additional services."
"For more information, please visit our Web site at www.bnymellon.com/tapequery. You have 90 days from the date of this notice to activate this credit monitoring by using the activation code [code omitted]. This code is unique for your use and should not be shared. To learn more about Triple Alert and to enroll, go to http://partner.consumerinfo.com/monitor and follow the instructions. To enroll by phone, or if you have any questions, please call us toll-free at 1-877-278-3460. Our customer service representatives are available Monday through Friday, between the hours of 8 am and 8 pm ET; and Saturday between 9 am and 4 pm ET."
Well, BNY seems to be doing the absolute minimum to help its ID-theft victims. One year of free credit monitoring is pitiful, since identity criminals can attempt identity fraud for a period far longer than one year. The letter does not explain how BNY arrived at this one-year period. The letter continues:
"Even if you do not feel the need to register for the credit monitoring, we recommend that you regularly review statements from your accounts and obtain your credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com or by calling one of the three national credit reporting companies, toll-free..."
This is some good advice. It is always wise to remind consumers to check their credit reports periodically for accuracy and fraudulent entries. And, the letter mentioned the official Web site for consumers to get free credit reports. Now that BNY has exposed consumers' sensitive personal data, consumers must check their credit reports more frequently for fraudulent entries. The letter continues:
"We recommend you remain vigilant and that you report any incidents of suspected identity theft to us and to proper law enforcement authorities, including the Federal Trade Commission (FTC). You have the right to obtain a police report if you are the victim of identity theft. Please visit the FTC's Web site, www.ftc.gov/bcp/edu/microsites/idtheft, to learn more about protecting yourself from identity theft, such as requesting a fraud alert."
I've Been Mugged readers know all about this since my blog has covered fraud alerts, the FTC, and consumers' rights to free credit reports annually. It would have been better if the letter provided the specific Web site address for consumers to report incidents to the FTC. The ID-Theft Resources page contains the FTC link and many other resources.
I also spent some time reading the BNY data breach web site. Consumers have to dig deep to find that it took BNY a while to determine which consumers were affected. The bank didn't know what was on the lost/stolen data tapes. How disorganized! According to the BNY data breach site:
"The forensic investigation initially identified approximately 270,000 individuals and 409 institutions with data on the tapes. The Company worked closely with its institutional clients to notify these individuals, which was completed by early April. The continuing forensic investigation also identified approximately four million additional individuals and 293 additional institutions with data on the tapes. This data took longer to identify and extract because of the manner in which it was stored on the tapes..."
The site also states that BNY:
- "Engaged Kroll Inc., along with independent legal counsel, to assist in conducting a forensic investigation into the circumstances of the loss and assessment of the data on the tapes."
- "Terminated the courier services of the third-party vendor responsible for transporting these back-up tapes."
Do the math: that's data lost/stolen affecting 4.5 million consumers and 702 companies. How lax can a bank be about its data security? I agree with Michael Krigsman's conclusion in his IT Project Failures blog: "BNY Mellon should fire Todd Gibbons immediately for this serious breach of public trust and fiduciary responsibility." Jail time is the only way to get company executives to pay appropriate attention to data security.
[Editor's note: in September 2008, Bank of New York Mellon revised its estimate of the number of consumers affected by the bank's data breach from 4.5 million to 12 million, covering several states. At the same time, the bank also changed its offer to its data breach victims.]