The Bank of New York Mellon says sensitive data of more than 4 million people owning shares in public companies was exposed after a box of back-up data storage tapes went missing in February. The data included names, addresses, and Social Security numbers.
In a separate incident in April, a back-up data storage tape containing images of scanned checks and other documents relating to payments made to nearly 50 institutional clients went missing.
An unnamed national courier was transporting one back-up storage tape from the Philadelphia office of BNY Mellon Working Capital Solutions to Pittsburgh, Penn. The tape never arrived. BNY Mellon Working Capital Solutions processes payments on behalf of its institutional clients.
In the other incident, an unnamed storage vendor was transporting 10 boxes of back-up data storage tapes with shareholder information from BNY Mellon Shareowner Services' facility in New Jersey to an off-site storage facility when one box was discovered missing. BNY Mellon Shareowner Services is a stock transfer agent and stock plan administrator for public companies.
The bank is cooperating with law enforcement agencies and offering customers two years of free credit monitoring and identity theft insurance up to $25,000. More information and a hotline number is at a special Web site BNY Mellon created related to the security breach.
Customers have been receiving letters in the mail and contacting the hotline for at least three weeks.
The company also is reviewing its policies and procedures. It is requiring that confidential data be transferred in encrypted form when possible to minimize the need for data storage tapes and requiring that confidential data on tapes or CDs be encrypted or transported with added controls.
"Although there is no indication that the data on these tapes has been misused, we are working with our clients to notify individuals who may be affected" and offering fraud protection, Todd Gibbons, chief risk officer at The Bank of New York Mellon, said in a statement issued late last week.
In contrast to the bank's offer to aid its affected customers, LendingTree, which has been sued over a data breach involving its customers, did not offer to pay for any credit monitoring for its affected customers.