
Bank Of America Loses 1.2 Million Customer Records

Zonk posted more than 9 years ago | from the great-week-for-customer-service dept.

Privacy 299

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly affect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"


heh (5, Funny)

aendeuryu (844048) | more than 9 years ago | (#11786381)

SmartPay program

Doesn't sound so smart right now...

Indeed. (3, Interesting)

game kid (805301) | more than 9 years ago | (#11786466)

Especially from a company that prided itself in TV ads as one that "engineer[s] our own software" because "one error in a billion" in their checking was one too many.

Well, I guess they have at most 999,999,999 more transactions until we know that they've blown their *ahem*commitment to their consumers--unless you count each person affected as an error here, in which case we can probably sue them for false advertising. Or at least utter stupidity.

That said, I bet someone mixed those backup tapes in their bedroom with their pornos, in which case roughly half of the Government officials are thanking teh Bank this morning.

Quick (0)

Anonymous Coward | more than 9 years ago | (#11786593)

Shoot them all if they mention the word "secure" anywhere!

SNAFU (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11786383)

FOOBAR

Well.. (5, Informative)

kunwon1 (795332) | more than 9 years ago | (#11786388)

As a US Government employee (US Air Force to be precise) I can tell you that Bank of America is regarded by most of us (us = gov't employees) as a faceless entity that cares nothing for customer service. I doubt this will come as much of a surprise to those of us who have been required by our occupation to associate with them for some time. Maybe now the powers that be will get their collective head out and pick a new bank.

Re:Well.. (1)

smitty_one_each (243267) | more than 9 years ago | (#11786413)

I thought they were really kinda smart, cutting the deal to force all US Gubmint people to use their cards for travel.
My question is, why the conflict of interest, requiring all employees to use a single credit card provider?
Why cannot this bogus thinking be applied such that everyone has to use the same bank, in addition to credit card provider?
In defense of the policy, you get that swell logo that tells the airline or hotel to give you the government rate. Whoopee. Why can't other credentials suffice? Fraud, you say? Look, if you can't trust yo' peeps, get new peeps, say I.
Oh, and I am a squid. Go, Navy!

Re:Well.. (1)

Kn0xy (792482) | more than 9 years ago | (#11786554)

"Why cannot this bogus thinking be applied such that everyone has to use the same bank, in addition to credit card provider?"

Well... For one, BofA is not a Credit Card/Plastic Vendor. Master Card, Visa, Discover are CC Providers. BofA just has BINs with those providers/vendors so they can offer their cards to their Banking Customers. Also, depending on what restrictions you're talking about, most banks do offer a choice of Visa or Master Card aside from whatever they choose to use with your Debit Card.

But regardless, they lost 1.2 million records of Government Employee information. That means Payroll, ACH info, Transactions, Loan details, etc. Even if it was civilian information, I'd still be looking for new options in where I stash my money, at this point, putting in a sock drawer might be safer. =)

Re:Well.. (1)

mordors9 (665662) | more than 9 years ago | (#11786422)

And hopefully there are people included in the problem high enough up on the food chain to make some actual legislative changes.

Re:Well.. (2, Insightful)

Kn0xy (792482) | more than 9 years ago | (#11786527)

Hmm, Doesn't the USAF have a Credit Union of some sort? I know the Navy has Sea-Air, surely should be more options for your banking needs than just that of Bank of America.

Re:Well.. (2, Informative)

kunwon1 (795332) | more than 9 years ago | (#11786567)

The air force has smaller credit unions and banks on base, but for things like government travel cards and purchase cards, we are not given an option as to which financial institution to use. Further, we are -required- in many cases to have and use these cards... lose-lose situation.

Re:Well.. (0)

Anonymous Coward | more than 9 years ago | (#11786638)

duh, why would they let you choose what bank they want their "corporate" cards coming from, that would create a paperwork nightmare. Choosing one bank for travel cards, purchase cards, isn't uncommon, major corporations only use one bank, not 20 others just to make the people who are spending their money happy...

Re:Well.. (2, Insightful)

mboverload (657893) | more than 9 years ago | (#11786565)

I wish all the senators' personal info was stolen by thieves and logged and posted to the net by spyware companies.

Then they might just get a freakin clue.

Re:Well.. (3, Insightful)

ScrewMaster (602015) | more than 9 years ago | (#11786622)

Yes, and they would most certainly take steps to protect themselves. What that would do for the rest of us is anyone's guess.

Re:Well.. (1)

Jameth (664111) | more than 9 years ago | (#11786632)

pick a new bank = yes

pick a better bank = no

Be more picky with your requests.

Odd (0)

Anonymous Coward | more than 9 years ago | (#11786390)

Doesn't this make like the third time this week this kind of thing has come out?

Re:Odd (0)

Anonymous Coward | more than 9 years ago | (#11786482)

Yes and that's just in the finance sector.

There was that big story last week about thousands of HIV/AIDS patients' identities being broadcast to 800 council employees by email. Maybe it was already big news in the US though.

Re:Odd (1)

Trix606 (324224) | more than 9 years ago | (#11786555)

Odd? No. Just like with a large number of plane crashes occurring within a short period of time, the frequency of the events just increases our awareness. It doesn't necessarily mean the occurrences are related in any way. Also consider the increase of personal information that is being consumed by entities everywhere. It only stands to reason that the frequency of mishaps would increase as well.

Backup Tapes? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11786392)

At least BoA seems to be actually tracking those. How many companies bother with that, especially old tapes or old disk drives? "Just throw them in the dumpster", or sell them as surplus.

Re:Backup Tapes? (0)

Anonymous Coward | more than 9 years ago | (#11786462)

The tapes were lost between BoA and the offsite backup storage. If your company doesn't know what tapes it has sent and is due to receive, God help you.

On another note, anyone know which offsite backup provider BoA use? Just so we can all avoid them.

Re:Backup Tapes? (1)

ergo98 (9391) | more than 9 years ago | (#11786486)

On another note, anyone know which offsite backup provider BoA use? Just so we can all avoid them.

Why? The tapes were stolen during shipping if I've read correctly, so it is certainly not the fault of the backup storage.

Re:Backup Tapes? (0)

Anonymous Coward | more than 9 years ago | (#11786502)

I'd expect any company tasked with moving financial records between two physical locations to use as secure a method as possible. Why weren't these tapes in a secure truck, e.g. the same type used by banks to transfer cash?

Annoying (4, Insightful)

FreeLinux (555387) | more than 9 years ago | (#11786578)

I doubt that you meant it that way but, your post has rubbed me the wrong way. Yours is just the latest in a long running series of similar posts where the blame for a situation is redirected at the victim.

The tapes were believed to be stolen by airport baggage handlers during shipment to BoA's offsite facility, likely another datacenter. It's still under investigation so the news agencies are not yet able to accurately report exactly what happened.

By all accounts BoA has made reasonable effort to protect its data, its tapes and its customers. BoA, and by proxy its customers, are the victim of theft. The blame lies squarely on the shoulders of the thieves and nowhere else.

In ANY incident, there will always be something more that could have been done to prevent the incident from happening. But, it becomes a question of reasonable care. Was reasonable care taken? It certainly seems as if it was in this case.

Let's put the blame where it belongs. Don't redirect the blame to the victims.

Re:Annoying (0)

Anonymous Coward | more than 9 years ago | (#11786614)

The tapes were believed to be stolen by airport baggage handlers during shipment to BoA's offsite facility AND when we fly, I'm told by home land F***K$#G security to NOT lock my luggage because if they have to do a random search they'd have to cut off the locks... Isn't this just great... You can't trust anyone... So now, not only do I avoid flying anymore (especially after the December fiasco I went through of almost being stranded at the airport), but now I can't even trust the banks... Just another reason to invest in precious metals and secure them in the backyard under 6 foot of dirt.... That's my retirement plan...

Re:Annoying (1)

fimbulvetr (598306) | more than 9 years ago | (#11786624)

Fair enough, we know who to blame.
Now what do we do to fix it? Sure BoA is taking reasonable steps to avoid this happening, and I'm sure every other company this has happened to would say the same. The question is, what now?
We can't stop the thieves, I can only see two maybe three possible options:

#1. Make it more difficult to steal data. I feel this is what will probably be done, but then this problem is only mitigated, not fixed.
#2. Change the nature of the data. Make it useless to steal. Got your loan number/SSN/etc stolen? No big deal, it's useless now.
#3. Third parties popping up, offering secure databackups, transfers, the whole 9 yards, and more importantly, accountability. I think this is already happening, but it's not an everyday thing.

Of these, I vote for #2. Anyone have any other ideas?

Re:Annoying (1)

fdiskne1 (219834) | more than 9 years ago | (#11786659)

True, the actual loss of the tapes may not be BoA's fault, but more security should have been taken. In my opinion, data should be secure when being transferred to storage. Again in my opinion, this means the data is carried by a trusted entity that is bonded or the data is encrypted before being carried by an untrusted entity.

So? (2, Insightful)

BibelBiber (557179) | more than 9 years ago | (#11786393)

I wonder who got all the data now. Losing stuff is bad but finding stuff in the wrong hands is much worse.

Re:So? (1)

game kid (805301) | more than 9 years ago | (#11786492)

Ask the One-Armed Man--but seriously, I do wonder what the hell is going on; as C|Net said, this does come right after the T-Mobile hacks. Next we'll see Donald Trump bald in leaked images from his bed or something. It's like anything can disappear from our control and we're powerless to stop it.

At this point... (0)

Anonymous Coward | more than 9 years ago | (#11786395)

At this point it might be easier to start telling the public the financial institutions who have NOT lost any personal information of their customers.

Well... (5, Insightful)

JavaMoose (832619) | more than 9 years ago | (#11786396)

This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

Now, I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies. Large corporations only feel something when they lose money, maybe it would send the message that you will be held accountable if you do not take security seriously.

As we all know, nothing is as valuable as our information.

Re:Well... (5, Insightful)

reallocate (142797) | more than 9 years ago | (#11786459)

This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

You're hearing about this because of the flap about CheckPoint, and you heard about CheckPoint because of the current flap about identity theft.

If not for those circumstances, these stories would very likely have been reported in the business press, but otherwise below the general public's radar.

So, you have no reason to assume that the first appearance of an event on TV or in Slashdot means it never happened before.

BofA ought, of course, be held responsible for their behavior. I don't know if these cardholders can sue, since the cards were issued to them in conjunction with their federal employment. And, unless they are able to document loss as a result of the loss, I'm not sure what grounds they'd have for a suit.

That said, BofA just dug itself a big hole for the next contract recompete. Their accountability may come in the form of losing that recompete. (Don't imagine, though, that a contract of that size will be given to some local mom-and-pop bank.)

Re:Well... (3, Insightful)

TopShelf (92521) | more than 9 years ago | (#11786577)

Remember also that you heard about Checkpoint because California law requires that companies inform customers whose data has been compromised. If this had happened just about anywhere else, it could easily have been swept under the rug.

Re:Well... (0)

Anonymous Coward | more than 9 years ago | (#11786591)

Gawd, you gotta love how you shill for the polyester plurality.

The only reason you are hearing about this is because CA passed a law requiring customers to be notified. By your own definition of how law and order works, CA is a renegade state since the vast majority of the US have no such laws. Since the law is specific to CA, it is hard to see how a class-action lawsuit will proceed since that lawsuit must be procured through a federal court (Gawd bless mom and apple pie).

But everything is fine and well. Society's will is done, and you have proven yourself once again to be a shining example of hypocrisy.

Re:Well... (0, Insightful)

Anonymous Coward | more than 9 years ago | (#11786464)

I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies.

Class Action Lawsuits are NOT the answer. If a company does wrong, you can go to the company-sponsored arbitration - it's more fair, and it's extremely unlikely for the arbitration board to hand out significant awards to the victim.

The problem with class action lawsuits is that the damages caused by the corporation can negatively impact the bottom line of a company.... impact stock prices and real employees... and the cost is ALWAYS passed on to the customer.

Class action lawsuits only cause more damage, and in the end we need to have faith in the self-regulation of corporations.

Re:Well... (1)

rpozz (249652) | more than 9 years ago | (#11786494)

I'm not a lawyer, but in the UK, the Data Protection Act states that a company must make sure that personal data is kept secure. Is it the same in the US?

Re:Well... (2, Insightful)

bombadillo (706765) | more than 9 years ago | (#11786516)

I used to work in the UK and am a little familiar with the Data Protection Act. We could not access the system from outside of the UK since the systems contained information regarding UK tax data. It's very different over here. I was surprised to find out that large US tax firms send their work overseas to get processed. I don't believe that we have a Data Protection Act which is as robust as the UK.

Re:Well... (3, Informative)

wfberg (24378) | more than 9 years ago | (#11786551)

The way it works with the Data Protection Act is that the information has to stay within the EU, or certain states with which the EU has a "safe harbor" agreement. Those are countries that promise to be good. So your data gets shipped to the US, and then Faceless Corporation X just breaks their promise and ships all the work and data right back to India.

Sad but true.

Re:Well... (4, Informative)

bombadillo (706765) | more than 9 years ago | (#11786499)

You are absolutely correct about law suits needing to be filed. My wife and I work for two large corporations. I am talking name brands that everyone knows. I was talking to her about a project that I was working on and how the users' info is sorted in the database by credit card number. There are a few things wrong with this. From a non-security standpoint people have more than one credit card. So you would have plenty of duplicates. From a security standpoint there were loads of problems. Such as the data would be FTP'd from the mainframes to the unix midrange servers. So all of that data would be distributed about the enterprise. Makes absolutely no sense. Especially since there was no reason for the application I was working on to know a credit card number. The only data needed was name and products bought. When talking with my wife about how bad it was she told me that it was the same way in her company. I can only think that these companies built their systems a long time ago and no one has taken on the ambitious project of updating their procedures. From a career standpoint I can't blame them. There is not a big demand to secure these systems better. It would be a huge effort with little reward. If things didn't work your career would be over.

If law suits start being filed there will be a sudden demand to get these systems more secure. It's always annoyed me that financial companies have charged us for their "credit protection" services. I have always felt that if my ID was stolen it would most likely be the fault of a financial institution and not me.

Re:Well... (1)

HangingChad (677530) | more than 9 years ago | (#11786636)

The people on these lists need to start filing class action lawsuits against these companies.

The great Republican defenders of the people just made it much more difficult to file a class action. It'll go to federal court and get dismissed quietly a few months down the road.

Class action lawsuits in limbo... (1)

quarkscat (697644) | more than 9 years ago | (#11786656)

thanks to our pro-big business government's
recent successful attempt to limit the venue
and the damages for any future class action
lawsuits - the Tort Reform Act was just signed
into law.

Isn't it just amazing that mere days after this
legislation passes:

(1) CheckPoint reveals 150 million users
information has been compromised,

(2) Microsoft accepts $5.00/incident liability
for their bugs causing data loss, and

(3) Bank of America loses backup tapes that
compromises 1.2 million (+) Federal
employees' account information.

The FBI's "Carnivore" program has been phased out
because new COTS software (and the ISPs that will
use it) is a better solution. The DHS's "TIPPS"
(air travelers' info) database is drawn from
commercial entities. And the DoD's "TIA" program
was scrapped in favor of the DHS's "MATRIX" program,
which is a collaboration between industry
(including CheckPoint) and government.

Is anyone else besides me starting to have
high anxiety about the accuracy, safety, and
security of information about us all out in the
wild?

Encryption? (4, Insightful)

lachlan76 (770870) | more than 9 years ago | (#11786397)

But aren't the backups encrypted? Right?

Re:Encryption? (0)

Anonymous Coward | more than 9 years ago | (#11786421)

No, they are not.

Re:Encryption? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#11786467)

No, they'll be straight DB dumps onto tape. If you think that's crazy, work out how much data you'd need to encrypt every night during a backup run, and then work out how much time you have to complete a full backup run. That's why no one encrypts the data when they back it up.

Re:Encryption? (1)

pe1chl (90186) | more than 9 years ago | (#11786598)

You are concerned about the processing required to encrypt the data? Or about the key management involved?

I think the decision not to encrypt backups is normally motivated by the hassle it would cause. When you lose the keys, the encryption is worthless. When the same keys are used every time, it is also almost worthless. So encryption causes extra work, to manage and securely store the keys.
The actual encryption of course isn't a problem.

Re:Encryption? (0)

Anonymous Coward | more than 9 years ago | (#11786605)

Several Backup Products encrypt on the fly to tape. It's a little performance hit, but not much. Now if you want wire speed encryption, check these guys out.

http://www.decru.com/products/specsT525.htm

On the fly encryption to tape, 256 bit AES.

Iron mountain will come to your site and pick up tapes FWIW.

Re:Encryption? (0)

Anonymous Coward | more than 9 years ago | (#11786500)

Just like DVDs are encrypted also....

Re:Encryption? (3, Insightful)

EvilTwinSkippy (112490) | more than 9 years ago | (#11786505)

Yeah, and backups are also barcoded and hand-transported by courier to an offsite storage/security vault.

Re:Encryption? (1)

frankvl (817911) | more than 9 years ago | (#11786522)

And they are backupped at least another 2 times, so what's the big deal?

Re:Encryption? (0)

Anonymous Coward | more than 9 years ago | (#11786550)

"what's the big deal?" anyone can get hold of that information.

I wonder how long ago they found out about this? (5, Interesting)

bigtallmofo (695287) | more than 9 years ago | (#11786399)

You may recall the recent Choicepoint security breach [slashdot.org]. Apparently there's profit to be made in between finding out about a security breach and actually announcing it!

ChoicePoint execs sold shares before theft news

ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database. Alpharetta, Ga.-based ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board. Corporate governance experts say the pattern and timing of the trading by chief executive Derek Smith and president Douglas Curling raises questions. Smith and Curling did not respond to repeated requests through a spokesman for comment Friday.


Full Story: Twincities.com (Subscription Required - use bugmenot.com) [twincities.com]

Big Brother's Little Helper? (5, Informative)

handy_vandal (606174) | more than 9 years ago | (#11786456)

ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ... ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board.

One might easily assume that the executives are profiteering swine, and that the company's board members are colluding at the trough.

Furthermore, ChoicePoint has a ... questionable history:
Consider what happened in Florida leading up to the 2000 presidential election. In 1998, the state hired a company called Database Technologies [google.com] to scrub its voter rolls of ineligible voters. The scrub list was mandated by Florida legislators after a voting fraud investigation revealed dead people had cast ballots in the 1997 Miami mayoral election.

DBT combed through Florida's rolls and handed over the "ineligible" list to elections officials in May 2000 -- within days of the company's merger with ChoicePoint [google.com].

The problem was that DBT'S list purged the voter rolls not just of felons, who are disqualified from voting in Florida, but of eligible voters whose names resembled those of the felons.

While Florida and DBT failed to check a number of criteria that could have distinguished the actual felons from the non-felons, one criterion that DBT did bother cross-referencing was race. BBC reporter Greg Palast [google.com] and a handful of US journalists reported that the majority of the felons on the list were black, so thousands of legitimate black voters with the same names as black felons were struck from the rolls. Because Florida blacks vote heavily Democratic, a disproportionate number of votes for Al Gore were thrown out.

According to analyses by news organizations, somewhere between 8,000 and 22,000 qualified votes went uncounted. Whatever the number, it towers over 537 -- the margin by which George W. Bush won Florida, and therefore the national election.

The most jarring part, according to Palast, who broke the story, was that DBT knew the list was flawed -- because a Florida official told DBT, in a 1999 e-mail, "Obviously, we want to capture more names that possibly aren't matches and let the county supervisors make a final determination." Palast says the fact that the company would even hand over known mistakes shows that it doesn't always do its best -- contrary to its corporate mantra -- to protect the government against itself.

Source [creativeloafing.com]
With companies like that, who needs Big Brother? -kgj

This has been coming for a _long_ time... (5, Insightful)

ites (600337) | more than 9 years ago | (#11786401)

When businesses started collecting huge amounts of detailed data through the web in the mid 1990's, it was clear where we were heading:

1. unlimited storage capacity meant complex and detailed records could be kept on every person.

2. guaranteed incompetence meant these records would be abused, lost, exposed and manipulated.

I don't see either of these trends changing.

Applies to both commercial and governmental databases. Chaos, mess, confusion, abuse, on a huge and ever-increasing scale.

Welcome to the 21st century. You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...

Not an Internet Issue (2, Insightful)

reallocate (142797) | more than 9 years ago | (#11786470)

These were data tapes. Been in use long before the Internet, and, almost certainly, have been going missing long before the Internet. Could just as well have happened with old fashioned ledgers in 1910.

For all we know, they were stolen out of the back of some truck and lifted by the overnight cleaning crew.

Re:This has been coming for a _long_ time... (1)

ergo98 (9391) | more than 9 years ago | (#11786512)

You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...

This statement stands out as nonsensical in an otherwise insightful post - this fault had nothing to do with the internet, nor have most other identity theft type of issues.

In this case it was a standard tape backup, in others it has been social engineering, and maybe a connection that could just as well have been through a dial-up port. My wife had a credit issue where someone received a credit card under her name, apparently after dumpster diving at the outsourced payroll administration office.

What really makes this a modern issue is that it's the era of instant credit by terribly incompetent banks. With even the slightest amount of concern for actually running a solid, intelligent operation, both banks and credit agencies would have eliminated this problem long ago, but as it is someone can have a long paper trail pointing to one location, and somehow at the same time get a new credit card mailed to them half a continent away. In the case of my wife, someone got a credit card under her name, but with an entirely different face name, by claiming to be her brother. She neither has a brother, nor lives in Quebec, and it was revealing that some low paid, low skilled credit hound found the real Mrs. Ergo98 in an instant yet the banks couldn't bother with the most rudimentary of checks when handing out easy credit.

Re:This has been coming for a _long_ time... (1)

JabberWokky (19442) | more than 9 years ago | (#11786580)

In the case of Bank of America, the problem is quite simple - BoA has been merging far faster than the IT department can keep up. Thus the terrible lack of features between "east coast" and "west coast" accounts when used on the opposite coast, and account types that are only valid for a few states. Their online banking is keyed by the state you got your account in.

To a certain extent, the failure is due to the manner in which the banking industry develops and merges. Each merger brings in a different set of "standards" and a whole new set of systems (both computer *and* human) that may or may not follow the documented system.

--
Evan

Re:This has been coming for a _long_ time... (1)

ites (600337) | more than 9 years ago | (#11786582)

My point was: there is no opting out except by the extreme means of disconnecting yourself from the online world.

The "Internet" is not just your PC and the web, it includes all banks, all information processing institutions, and this lorry-full of magtapes.

The vanishing cost of storage combined with the universal constant of human incompetence is what caused this "fault".

I.e. asking banks and credit agencies to tighten their act is not going to help. They are and always have been structurally incompetent. It's just that now, it affects terabytes, not megabytes, of data at once.

Re:This has been coming for a _long_ time... (1)

fdiskne1 (219834) | more than 9 years ago | (#11786669)

It's just that now, it affects terabytes, not megabytes, of data at once.

It's pushing the petabyte range now.

Re:This has been coming for a _long_ time... (1)

remmelt (837671) | more than 9 years ago | (#11786635)

What really makes this a modern issue is that it's the era of instant credit by terribly incompetent banks. With even the slightest amount of concern for actually running a solid, intelligent operation, both banks and credit agencies would have eliminated this problem long ago... yet the banks couldn't bother with the most rudimentary of checks when handing out easy credit.

The banks are not incompetent. They can hire the best IT personnel, get the best encrypters and backuppers and whatnot.
Why they won't do it? Because the bank isn't there for you or me, it's not there for service or loans or good advice or a friendly smile, it's there to make profit. If the shareholders agree that the most profit could be made by mailing you dogshit to your door, prepare for a stink.
The shareholders need to be convinced of good business practice. This is hard because any good practice involves doing work, which costs money. Involves hiring the right people, teaching them new tricks, having these bothersome backupservers... Short-term profit is what they want.
And don't think that something like this will change any of that. Stock gets sold, stock gets bought, you get a whole new can of nitwits.

Advanced capitalism 101.

Re:This has been coming for a _long_ time... (1)

ergo98 (9391) | more than 9 years ago | (#11786574)

As an aside, I think the point we're getting to is one where data such that I would provide to a bank or a credit issuer should be one-time use, and generally "public" -- these sorts of issues are becoming more and more regular, and it's going to reach a point where every single person has all of their information in the wild. If it isn't from backups, it's from sleazy employees and contractors at the dozens of organizations that we have to deal with in the modern era. We're long past the point where having a single magical master key SIN/SSN makes any sense at all.

I'm not proposing a solution (of course for the technically savvy perhaps the government runs a user->organization site where I can allocate special identifiers only for use and usefulness by specific organizations. Here Big Incompetent Bank, you can have number XYZ-123a that I generated specifically for you, correlating with me in the super-duper secure government master database, so if your douche-bag employees back it up to a USB key it's of little relevance.

One more thing... (5, Informative)

kunwon1 (795332) | more than 9 years ago | (#11786402)

GSA Smartpay is a program through which gov't employees are issued what is essentially a company credit card, but the US Gov't is the company. They're used for official purchases, for gas cards for government owned vehicles, etcetera.

The following website explains it in governmentese:
http://www.gsa.gov/Portal/gsa/ep/channelView.do?pageTypeId=8199&channelPage=%2Fep%2Fchannel%2FgsaOverview.jsp&channelId=-13497 [gsa.gov]

For want of a nail... (1)

rah1420 (234198) | more than 9 years ago | (#11786405)

... the kingdom was lost.

I wonder how many of these customer data compromises ultimately are going to be chalked up to good old fashioned human error?

Yeah, I know, ultimately all of them until computers write their own programs (and that's the day that I unplug and head for .mt.us).

I mean stupid stuff, like a clerk misfiling a tape, or someone leaving a door unlocked, or something "non-computerish." Doesn't mollify the millions of people whose data are now at risk, I know.

You can't just throw automation at something and know that it's gonna get better. If you don't have a business process, all your computers are ultimately only large paperweights.

Re:For want of a nail... (1)

forceflow2 (843966) | more than 9 years ago | (#11786423)

But without large paperweights, with what shall we hold down the paper?

Spooky Business (3, Insightful)

handy_vandal (606174) | more than 9 years ago | (#11786411)

According to Time.com ...
The U.S. official said a large percentage of the accounts are for the Pentagon but that some 40 federal agencies and other entities are affected. Some of the tapes related to non-federal card-holders, the official added. Trower would not comment on which agencies are affected, referring questions to the General Services Administration. A GSA spokesperson had no immediate response to an inquiry about the matter, including whether any of the Pentagon's billions of dollars in secret "black" programs could be affected. Pentagon spokesman Bryan Whitman said the data loss includes files on 900,000 of the Pentagon's three million or so military and civilian workers. "It is a significant number of the Department's employees," he said, declining to say whether it affected any who are working undercover.

Source [time.com]
Spooky business. One wonders ... were these records stolen by domestic agents? Foreign agents? Freelancers?

-kgj

Re:Spooky Business (1)

conteXXt (249905) | more than 9 years ago | (#11786448)

sounds like they were lost, as in misplaced and not yet found.

Re:Spooky Business (1)

haus (129916) | more than 9 years ago | (#11786583)

yes, that is what it sounds like, but one does not know. Even if they were to be found in the future, unless it happens to be in a very unusual event, in which they can somehow prove the whereabouts and control of the tapes for the entire time, there will be no way to prove that someone of dubious intention has not had them and already gained what information that they wanted from the tapes.

hee hee (1)

mattyrobinson69 (751521) | more than 9 years ago | (#11786414)

online trust falling overall in other news: Bank Of America Loses 1.2 Million Customer Records

Effect (0)

Anonymous Coward | more than 9 years ago | (#11786415)

The lost records mainly effect U.S. government employees

So it brings more government employees into being? Doesn't everything?

Re:Effect (0)

Anonymous Coward | more than 9 years ago | (#11786432)

The full quote is:

"The lost records mainly effect U.S. government employees involved in the SmartPay program."

So he's saying that this will produce more government employees not in total, but more who are involved in the SmartPay program. I would have thought it would put them off rather than encourage them but I guess Zonk knows what he's talking about.

fight club (1)

LordMyren (15499) | more than 9 years ago | (#11786451)

what, ah, fight club style? obliterate all records?

did they lose the financial info too? seems like that'd be, um, a problem.

Myren

Re:fight club (1)

kunwon1 (795332) | more than 9 years ago | (#11786463)

Guarantee:

Regardless of the amount and magnitude of data lost, all of the end-of-month invoices will make it out to cardholders on-time and intact.

Re:fight club (1)

t_allardyce (48447) | more than 9 years ago | (#11786521)

I think they lost the backups? they still have the data but now so does someone else.. unless it was encrypted on the tapes.. unlikely knowing US data handling practices.

Why were the tapes on a plane to begin with? (1)

L.Bob.Rife (844620) | more than 9 years ago | (#11786461)

The article doesn't really explain why this confidential data was being moved in the first place.

Why were they flying tapes around?
Shouldn't backup tapes be kept in secure offsite storage?
Were they moving their data center?
Do they regularly fly customer information around the world rather than use something mundane like SSL?

This article leaves a lot of unanswered questions about who in their right mind gave a bunch of tapes to freaking baggage handlers. Seems like they lost somebody's luggage, and somebody just happened to be carrying around a huge database of federal employee banking information. Brilliant.

Re:Why were the tapes on a plane to begin with? (1)

PedanticSpellingTrol (746300) | more than 9 years ago | (#11786471)

Well, as the old adage goes, nothing has more bandwidth than a van full of media.

Except a cargo plane full of media.

Re:Why were the tapes on a plane to begin with? (1)

game kid (805301) | more than 9 years ago | (#11786517)

Except a cargo plane full of media.

Yeah. I can imagine the Beowulf clusters of hard drives flying over us at the moment. If it's actually possible to make a Beowulf cluster of those things.

I wonder how many GBs will be flying through the air if one of those new Airbus A380s [airbus.com] were cleared out and filled with 100GB HDs.

Re:Why were the tapes on a plane to begin with? (2)

ebrandsberg (75344) | more than 9 years ago | (#11786477)

Either you didn't read the article very well, or it just didn't sink in, given the questions. Quote "lost in shipment to a backup center", to answer the second question, chances are it WAS a secure offsite storage that it was going to. This also answers the first question. Third question too. And finally, for the fourth one, it is routine to make tape backups of large quantities of data and ship to an offsite storage. In the article, it didn't say anything about flying, nor baggage handlers, unless they modified the article from when I read it.

Re:Why were the tapes on a plane to begin with? (1)

kunwon1 (795332) | more than 9 years ago | (#11786480)

Highly classified information is carried on commercial flights on a daily basis. Diplomatic pouches going to and from embassies and consulates around the world are handed to a plainclothes gov't employee, he/she gets on a plane and goes where he needs to go, makes his delivery, and flies back.

Makes you wonder what kind of security Bank of America employs in guarding this information.

at odds (4, Insightful)

underworld (135618) | more than 9 years ago | (#11786484)

These two statements seem to be at odds with each other:

"We deeply regret this unfortunate incident," Barbara Desoer, who is in charge of technology, service and fulfillment for the Charlotte-based bank, said in a statement. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."

Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

So - they are so concerned about maintaining the security of their data that they gave it (in a very non-descript way mind you) to a group of people outside of their organization who have a history of struggling with integrity.

yippee...

Re:at odds (1)

Jah-Wren Ryel (80510) | more than 9 years ago | (#11786568)

they are so concerned about maintaining the security of their data that they gave it (in a very non-descript way mind you) to a group of people outside of their organization who have a history of struggling with integrity.

Wait, are you talking about the baggage handlers or the Management of BofA?

Wonder if they were using Windows? (1, Funny)

Kentsusai (837912) | more than 9 years ago | (#11786501)

Look on the bright side of things! In a previous slashdot post it was said that...
"Microsoft will reimburse direct damages up to $5 for problems associated with the new downloadable tool that wards off spyware, adware and any other "potentially unwanted software."
Bank of America will be so pleased! ;-)

Re:Wonder if they were using Windows? (1)

Legion303 (97901) | more than 9 years ago | (#11786576)

Except the tapes were physically lost, and...well, I have no idea what you're trying to say.

Crypto (0)

Anonymous Coward | more than 9 years ago | (#11786524)

Those back-up tapes should have been encrypted if they carried such important information on them. The way that that should have been done is typical to PK crypto systems: encrypt the key for a symmetric cipher used to encrypt the data using the public keys of the people allowed access to the data. That way even if someone snagged the raw medium, the information would still have been safe[r].

So I now ask, why don't corps come standard with a PKI? The tech has been around for a decade or more.

- Nolan

My Blog [semanticgap.com]
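
The scheme described in the comment above, as an added example that is not part of the original post or any bank's actual system: the data is encrypted once under a random symmetric key, and that key is wrapped separately for each authorized recipient's public key. The choice of AES-256-GCM and RSA-OAEP, the recipient labels and the sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Recipients map[string]*rsa.PublicKey // label -> public key of a party allowed to restore

// Envelope is what goes on the tape: ciphertext plus one wrapped data key per recipient.
type Envelope struct {
	Nonce, Ciphertext []byte            // AES-256-GCM nonce and output (tag included)
	Wrapped           map[string][]byte // label -> RSA-OAEP(data key)
}

func NewRecipient() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data under a fresh random key, then wraps that key once per recipient.
func Seal(data []byte, to Recipients) (*Envelope, error) {
	if len(to) == 0 {
		return nil, fmt.Errorf("no recipients: the backup would be unrecoverable")
	}
	secret := make([]byte, 32+12) // AES-256 data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret[:32])
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: secret[32:], Ciphertext: gcm.Seal(nil, secret[32:], data, nil), Wrapped: map[string][]byte{}}
	for label, pub := range to {
		if env.Wrapped[label], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret[:32], nil); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Open unwraps the data key with one recipient's private key and decrypts the data.
func Open(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.Wrapped[label], nil)
	if err != nil {
		return nil, err // wrong private key, or no wrapped key stored for this label
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // errors if the ciphertext was altered
}

func main() {
	site, _ := NewRecipient() // constructed key pair standing in for the backup center
	env, _ := Seal([]byte("constructed record: card=0000"), Recipients{"dr-site": &site.PublicKey})
	out, err := Open(env, "dr-site", site)
	fmt.Println(string(out), err)
}
```

Whoever holds only the medium has the ciphertext and the wrapped keys; recovering the data requires one of the recipients' private keys, which never travel with the tape.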

Aftereffects (2, Interesting)

YrWrstNtmr (564987) | more than 9 years ago | (#11786528)

As this also includes some senators' records, maybe now something will be done about this type of thing.

about yay high (2, Interesting)

nmec (810091) | more than 9 years ago | (#11786535)

For the ignorant among us does anyone know exactly how big a magnetic tape(s) containing 1.2 million customer records are? Are they say, big enough to fit in a briefcase or are they more on the truckload size?

Re:about yay high (1)

pe1chl (90186) | more than 9 years ago | (#11786579)

It will fit in a shirtpocket.

Re:about yay high (1)

Satirev (794385) | more than 9 years ago | (#11786589)

My guess would be that 1.2 million records backup file would be able to fit in a briefcase. A truckload would indicate years worth of backups being moved from one place to another.

Simple solution (1)

Snarfangel (203258) | more than 9 years ago | (#11786538)

Every time this happens, everyone in upper management at the company involved gets their personal information released to the public. A time or two with people seeing how a CEO couldn't play nicely with others in grade school or was arrested for shoplifting at 19, and we'd see a bit tighter security.

Damn it! (0)

Anonymous Coward | more than 9 years ago | (#11786539)

Why couldn't they lose *MY* records?!

Balance Beginning 02/10/2005: -$494.43
Balance Ending 02/10/2005: -$560.43
Available Balance as of Today: $0.00

Re:Damn it! (1)

JNighthawk (769575) | more than 9 years ago | (#11786682)

I feel ya brothah. I just started college, and I expect I'll be seeing enough red soon enough.

Time to fight fire with fire! (3, Funny)

gearmonger (672422) | more than 9 years ago | (#11786549)

Since I'm apparently so at risk of having my online identity stolen, I guess it's time to go steal a few myself -- never hurts to have some backup identities!

Data loss is not acceptable (3, Interesting)

t_allardyce (48447) | more than 9 years ago | (#11786557)

In Europe this bank would be in major trouble. Does the US seriously not have any laws whatsoever regarding personal information? even for banks and medical records!? I know there are some states where you have to be told if it's lost but that's pretty pathetic.

Re:Data loss is not acceptable (1)

Class Act Dynamo (802223) | more than 9 years ago | (#11786630)

For medical records, there is the Health Information Portability and Accountability Act (HIPAA). There are actually some consequences to exposing private medical data. I don't know what the laws are for banking, though.

Re:Data loss is not acceptable (1)

mbaciarello (800433) | more than 9 years ago | (#11786649)

True, and we're not talking about just civil lawsuits you can settle out of courts.

EU laws in general see this kind of malpractice as felonies. In Italy, in particular, there has to be a company official in charge of data security, and s/he can be charged with one or more criminal offences in such cases.

How could this be reduced to a lawsuit, presumably ending in a settlement? It's not just a matter of money...

most aggravating thing (0, Insightful)

Anonymous Coward | more than 9 years ago | (#11786558)

These records were stolen during transfer on a *commercial airliner*. Why the hell would you put something that important on something you have no control over?

Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.

Look guys - until you put regulations in to make people responsible for properly securing and transporting private data, the principals involved won't worry that much, beyond PR, about taking the right steps for the future.

Re:most aggravating thing (3, Insightful)

YrWrstNtmr (564987) | more than 9 years ago | (#11786674)

These records were stolen during transfer on a *commercial airliner*. Why the hell would you put something that important on something you have no control over?
Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.

Quite a lot of 'critical data' and other items is moved on commercial airlines every day. Backup data such as this, organ transplants, diplomatic pouches, etc.

The airline is merely a subcontractor of BoA, charged with moving the stuff from A to B. An organization cannot handle everything inhouse. Quite a lot of functions are subcontracted out. The only more secure way would be for BoA to own and operate their own fleet of transport aircraft, with their own baggage handlers, and the data moved from the data center to the airport by their own security personnel, in their own armored trucks.

Same for a hospital. If they have to send your records somewhere, should they have to do it on their own aircraft?

Not surprising (1, Informative)

Anonymous Coward | more than 9 years ago | (#11786572)

For years Bank of America has shown their incompetence and utter lack of respect for their customers. My personal ordeal with them happened back in 2000. I was in the process of moving to another bank due to all of the past problems I had with them and had left a few hundred dollars in my account to cover several outstanding checks written for small amounts. Normally this would be ok but somehow BofA decided that they would reorder checks for me 27 times *AND* charge me for them. Well the charges for the "reorder" caused the account to be overdrawn when outstanding checks were cashed causing about $400 in so called "overdraft charges". Although they took care of the charges for the reorder glitch they absolutely refused to take care of the overdraft charges that resulted from THEIR goof. After about 6 months I finally had to file suit in order to get the matter resolved. During the 6 months of fighting with them I found out that a lot of the people I worked with had similar issues with them and that problems like that were not all that uncommon. At least BofA seems to be moving up in the world. Instead of screwing one customer at a time they've moved up to doing it in batches. Must be one of their new money saving moves!

Conspiracy? (1)

Agent R (684654) | more than 9 years ago | (#11786575)

Another goofy conspiracy theory, but... Has anyone ever theorized that banks may think they can profit from ID theft in some manner? (Taking into account the losses these banks have to swallow when a fraud alert is raised.)

It's hard to imagine that with the money these banks generate in profit, why the heck aren't they more pro-active with security? First ChoicePoint now Bank of America. Does anyone know what shipping company BoA used to ship the tapes?

The value of Data (2, Interesting)

cowboy76Spain (815442) | more than 9 years ago | (#11786612)

I have browsed through the comments and I am shocked to see that people's comments show that the only thing that should worry BoA about this issue is the PR problem or if they piss off some VIP by revealing its data. One of them even claimed that the bank could benefit from this.

The data of a company is one of its most important actives, and forever (long before the computer age) the companies have tried to lock it, because it shows everything about its customers, but also it shows everything about the companies themselves.

Now if a bank gets hold of that data, they can browse and find out which are the good customers (a lot of transactions, no problems with payment or delays, big benefits) and try to offer them better conditions than their current ones and which one are the bad customers (little movement, debts, bad financial situation) and must be rejected if they go to their bank.

Aside from the legal and PR stances, the company's own interest is to protect its data, and it is enough to make me sure that some heads have been already cut...

My bank (2, Informative)

commo1 (709770) | more than 9 years ago | (#11786619)

My bank (a big chartered bank here in Canada) lost "a number of documents" in their branch renovation move - across the street! My documents were in the "number" that they had lost. I have a letter on bank letterhead to prove it, even if it took me over a month to get it. The bank seemed unconcerned.

What are they going to monitor? (1)

pe1chl (90186) | more than 9 years ago | (#11786625)

Bank of America said it will continue to monitor the accounts on the data tapes and will contact the government cardholders if any unusual activity is observed.

Earlier in the article they said there are 2.1 million accounts and 1.2 million of those have been compromised.
How will it be possible to monitor for "unusual activity" on half of your accounts? Unusual when compared to the other half?
Not very realistic, I think.

Outraged (1)

Tufriast (824996) | more than 9 years ago | (#11786628)

I'm very upset over this, and I take it as a signal that our information handling will only generate more problems as time progresses. I am a bank of america customer, and yeah I have them deal with my credit. If I can't even trust my bank not to lose my data, then what the hell...why am I living in a civilized society then? Why am I not better off fending for myself on some remote island, using a 100% cash based system? The more I ponder, the more I get the feeling big corporations, and government agencies could give two shits about the American Citizens these days. In fact, I bet it is to their benefit that they do not.

What's the problem here folks? (1)

krbvroc1 (725200) | more than 9 years ago | (#11786677)

Come on folks, don't you know that Information wants to be Free? I read that all the time on here. I welcome our new information freeing baggage handling overlords.