Technorati Tag: Security Breach
Date Reported:
3/26/08
Organization:
The Bank of New York Mellon Corporation
Contractor/Consultant/Branch:
BNY Mellon Shareowner Services
Victims:
Clients
Number Affected:
~3,500
Types of Data:
"personal information including names, Social Security numbers and possibly bank account numbers"
Breach Description:
BNY Mellon Shareowner Services "has notified about 3,500 individuals -- some of them Maryland residents -- that the company lost a box of computer data tapes last month storing personal information including names, Social Security numbers and possibly bank account numbers".
Reference URL:
The Baltimore Sun
Report Credit:
Liz F. Kay, Baltimore Sun reporter
Response:
From the online source cited above:
A Pittsburgh-based shareholder services firm has notified about 3,500 individuals -- some of them Maryland residents -- that the company lost a box of computer data tapes last month storing personal information including names, Social Security numbers and possibly bank account numbers
BNY Mellon Shareowner Services, which assists clients such as MetLife, sent letters to affected shareholders of such clients offering them 12 months of free credit monitoring and other assistance
[Evan] It's not "free". Somebody pays for it. So with credit monitoring, affected persons would be notified AFTER they become an identity theft victim, IF they become an identity theft victim. The monitoring lasts for 12 months, at which time what happens?
"We have received no indications that there's been any inappropriate use of the data on the tapes,"
The company backs up its computer database every day and sends the tapes to a secure storage facility
On Feb. 27, a courier told them that one box could not be found.
BNY Mellon investigated to determine what kind of information the tapes held and notified its clients.
It then sent a letter to the shareholders.
The company estimates that less than 1 percent of its 35 million clients nationwide have been affected
[Evan] So? Is this statement meant to minimize the impact of this breach, or what?
Commentary:
Was the information on the tape(s) encrypted? There was no mention, so I assume that it was not. Continuing with this assumption, this means that BNY Mellon Shareowner Services sends unencrypted customer database back-up tapes offsite every day. Does anyone else see an unnecessary risk here? Unnecessary and likely unacceptable.
Now let's assume that the information was encrypted and the keys are managed well. Risk of exposure is minimal. In most states there isn't even a requirement to go through the expense of notification.
Past Breaches:
Unknown
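The distinction the commentary draws, as an added example that is not from the post or from BNY Mellon: envelope-encrypting a database backup before it leaves the building, so that a lost box holds only ciphertext plus a key ID while the key-encryption key stays in the organisation's key store. It uses only the Python standard library (HMAC-SHA256 in counter mode with a separate MAC key stands in for AES-GCM), and the sample record, key ID and keys are all constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record of the kind the article says the lost tapes held.
SAMPLE_BACKUP = json.dumps({"name": "Jane Example", "ssn": "000-00-0000",
                            "account": "EXAMPLE-ACCT-1"}).encode()

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = _prf(key, nonce + block.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separately derived keys: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered tape raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed: wrong key or modified data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def write_tape(backup: bytes, kek: bytes, key_id: str) -> dict:
    """Envelope encryption: a fresh data key protects the backup, and the
    key-encryption key (kept in the organisation's key store, never shipped
    in the box) wraps that data key. Only ciphertext and a key ID go offsite."""
    dek = secrets.token_bytes(32)
    return {"key_id": key_id, "wrapped_dek": seal(kek, dek), "payload": seal(dek, backup)}

def restore_tape(tape: dict, kek: bytes) -> bytes:
    """The legitimate restore path: unwrap the data key, then the backup."""
    return unseal(unseal(kek, tape["wrapped_dek"]), tape["payload"])

def tape_exposes(tape: dict, marker: bytes) -> bool:
    """What the finder of a lost box can read without the KEK."""
    return marker in tape["payload"] or marker in tape["wrapped_dek"]
```

With the key held separately, `tape_exposes(tape, b"000-00-0000")` is False for the encrypted tape and True for a plaintext one, which is the difference between a lost box and a reportable breach.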