Several news outlets have reported a large data breach at TD Bank affecting about 260,000 people from Maine to Florida. The affected consumers include 35,000 in Maine, 3,000 in Florida, 73,000 in Massachusetts, and 43,000 in New Hampshire. According to the CBS affiliate in Philadelphia, most breach victims -- about 150,000 -- are in the New England states.
The bank is notifying affected customers via letters. In a breach notice sent to the New Hampshire Attorney General (Adobe PDF), the bank said:
"We have determined that personal information of New Hampshire residents was included on two data backup tapes that we shipped to one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them..."
The sensitive personal information exposed includes full names, addresses, Social Security numbers, bank account numbers, birth dates, and driver's license numbers. The bank is offering breach victims one year of free credit monitoring via ITAC Sentinel Plus.
In a statement, Martha Coakley, the Massachusetts Attorney General, said:
"The loss of these tapes potentially puts the personal information of thousands of Massachusetts consumers at risk, and we remind consumers to take appropriate steps to protect themselves... We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss."
A close review of the bank seems appropriate: banks are entrusted with valuable items and are not supposed to lose them. And this is not the bank's first data breach:*
- March 2011: "insider identity theft" involving an employee who sold the account information of about 10 customers, causing about $39,000 in fraudulent charges
- March 2010: a fraud ring, using a former employee, stole and sold the account information of customers to accomplices, who then stole about $200,000 from bank accounts
This breach sounds similar to what I experienced in 2007 with IBM, where computer data tapes were lost or stolen during shipment from its headquarters to an off-site storage facility. That breach sounded like theft, as does the recent TD Bank breach. Vendors don't just accidentally lose computer tapes. Misplace them, perhaps. Lose, no.
Things I noticed that the TD Bank breach notice to its affected customers lacked:
- If a vendor or contractor was involved in transporting the missing/stolen data tapes, the corrective actions the bank is taking with that vendor to avoid a repeat of this breach
- If an employee was involved in transporting the missing/stolen data tapes, the internal employee training and data security measures the bank is taking to avoid a repeat of this breach. Sadly, there are numerous breaches where company employees left data tapes unsecured in parked cars.
- Notice of how the results of its breach investigation will be communicated to breach victims
- Whether the data on the tapes was encrypted, and if it wasn't, why not. Properly encrypted backup media would have made the lost tapes useless to whoever has them.
- An explanation of why only 12 months of free credit monitoring, when stolen Social Security numbers and birth dates stay usable for fraud far longer than that
*Note: breach history from Privacy Rights Clearinghouse.