Several hundred thousand People's United Bank customers in Connecticut have been hit by a data breach that potentially exposed their personal information, state Attorney General Richard Blumenthal said Wednesday.
Blumenthal said The Bank of New York Mellon lost an unencrypted backup tape provided by Bridgeport-based People's Bank, resulting in the data breach involving about 4.5 million accounts. The tape included bank account information, Social Security numbers and other data about depositors and investors tied to the bank, he said.
This security breach seems highly dangerous, indeed possibly devastating in light of the identity theft threat,” Blumenthal said in a statement. People's Bank has 10 locations in southeastern Connecticut, including five at local Stop & Shops. The bank has more than 150 locations throughout the state.
A People's Bank spokesman denied any knowledge of the data breach Wednesday afternoon before the official announcement at a Hartford press conference. He and a spokesman for Bank of New York Mellon could not be reached after the announcement.
Blumenthal was particularly concerned with the amount of time that elapsed between the discovery of the data breach and the reporting of it. Bank of New York lost the information in February but didn't start informing consumers until six weeks ago, he said.
Blumenthal first heard about the breach earlier this week, he said
Blumenthal said the Bank of New York Mellon on Feb. 27 gave an unencrypted backup tape as well as nine other tapes to a storage firm, Archive Systems Inc. of Fairfield, N.J., which was assigned to store the information. But when a storage company vehicle arrived at the storage facility, one of the tapes could not be found.
According to a letter from Blumenthal to the Bank of New York, a lock on the truck was broken, and the truck had been left unattended several times.
”The loss of this tape - so far unrecovered and unremedied - is inexplicable and unacceptable,” Blumenthal said. “It must be addressed by protective measures to forestall identity theft immediately.”
The banks are cooperating with Blumenthal's office to determine exactly how many Connecticut residents are affected by the breach.
Blumenthal, in a letter dated Wednesday, asked the Bank of New York to respond to a series of questions about the data breach. He requested detailed information about what was lost and how the bank has notified consumers about the loss. He also asked the bank to detail other instances in which it had lost back-up tapes.
This is not the first time that loss of personal information has affected People's Bank customers.
He termed as inadequate the Bank of New York's offer to pay customers for one year of credit monitoring. He said two years of monitoring and $25,000 in identity theft insurance as well as free credit freezes would be more appropriate.
In January 2006, the company revealed that a computer tape with information about 90,000 customers had been lost in transit by United Parcel Service. The tape was bound for TransUnion, a credit-reporting bureau in Woodlyn, Pa.
The state itself was hit by a data breach last year when a laptop containing information about more than 100,000 taxpayers was stolen. Other breaches last year with strong local ties included more than 54,000 records released during a series of lapses at Pfizer Inc. as well as another incident affecting 2,000 patients at The Westerly Hospital.
But none of these breaches comes close to a record for the release of personal information. That dubious distinction belongs to TJX Co., parent firm of T.J. Maxx and other retailers, which had more than 94 million credit- and debit-card numbers stolen by a hacker last year.
Other major breaches have involved Visa, MasterCard and American Express, which released data on 40 million customers in June 2005; Citigroup, 30 million just a few days earlier; America Online, 30 million in June 2004; the U.S. Department of Veterans Affairs, 26.5 million in May 2006; and HM Revenue & Customs, 20 million in November 2007.
After a previous breach last year, Blumenthal sued a company for negligence, unauthorized use of state property and breach of contract in connection with data involving 58 taxpayers, hundreds of state bank accounts and other information. The company, Accenture, said its procedures were not followed because of human error.
Last year, fewer data breaches were reported in the United States than in the year before, but the lapses were more severe. While 346 incidents were reported two years ago resulting in about 50 million record breaches, last year's totals were 310 incidents and a whopping 162 million exposures, according to the Privacy Rights Clearinghouse.
Five of the top 10 data breaches of all time occurred last year.
Before the People's Bank incident, the two biggest data breaches of the year involved the University of Miami in Florida, with the records of 2.1 million people released; and Hannaford Bros. Supermarket chain in Portland, Maine, 4.2 million.
l.howard@theday.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment