June 4, 2008 1:55 PM PDT

Bank of New York Mellon says customer data exposed

by Elinor Mills

The Bank of New York Mellon says sensitive data of more than 4 million people owning shares in public companies was exposed after a box of back-up data storage tapes went missing in February. The data included names, addresses, and Social Security numbers.

In a separate incident in April, a back-up data storage tape containing images of scanned checks and other documents relating to payments made to nearly 50 institutional clients went missing.

In both instances, the tapes were being transported by outside vendors, a company spokesman told CNET News.com on Wednesday.

An unnamed national courier was transporting one back-up storage tape from the Philadelphia office of BNY Mellon Working Capital Solutions to Pittsburgh, Penn. The tape never arrived. BNY Mellon Working Capital Solutions processes payments on behalf of its institutional clients.

In the other incident, an unnamed storage vendor was transporting 10 boxes of back-up data storage tapes with shareholder information from BNY Mellon Shareowner Services' facility in New Jersey to an off-site storage facility when one box was discovered missing. BNY Mellon Shareowner Services is a stock transfer agent and stock plan administrator for public companies.

The bank is cooperating with law enforcement agencies and offering customers two years of free credit monitoring and identity theft insurance up to $25,000. More information and a hotline number are available at a special Web site BNY Mellon created for the security breach.

Customers have been receiving letters in the mail and contacting the hotline for at least three weeks.

The company also is reviewing its policies and procedures. It is requiring that confidential data be transferred in encrypted form when possible to minimize the need for data storage tapes and requiring that confidential data on tapes or CDs be encrypted or transported with added controls.

"Although there is no indication that the data on these tapes has been misused, we are working with our clients to notify individuals who may be affected" and offering fraud protection, Todd Gibbons, chief risk officer at The Bank of New York Mellon, said in a statement issued late last week.

In contrast to the bank's offer to aid its affected customers, LendingTree, which has been sued over a data breach involving its customers, did not offer to pay for any credit monitoring for its affected customers.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by BenjaminWright June 4, 2008 2:14 PM PDT
Firms are too quick to announce breaches based on lost backup tapes. Usually, the likelihood that these breaches will lead to identity theft is low. Meanwhile, the announcements confuse the public. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
by johnfranks1234 June 4, 2008 4:22 PM PDT
Identity theft should not be taken lightly. Prevention is simple enough with the right workplace culture - an eCulture. I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book - then ask your boss to read it - then ask your staff and co-workers to read it.
by mbridge June 5, 2008 10:52 AM PDT
Identity theft will continue to grow as more data is stored and transmitted digitally. It is a fact that companies and individuals need to do a better job coping with.
by mbridge June 5, 2008 10:55 AM PDT
Companies should disclose this type of security breach the moment it happens. That's the thought behind laws such as SB1386. The public has a right to know about a data breach - even if the breach's specific damages cannot be 100% confirmed or verified.

When it comes to identity theft, time is one of the key elements to protecting yourself post-incident. As more and more data is stored digitally (1TB Hard Drives are a glaring example) there will continue to be data losses. It is up to the companies to be open and honest about such occurrences. It is also up to these companies to use readily-available security measures such as encryption to help ensure the loss of data breach.

Of course people should also take pro-active measures such as credit monitoring to minimize the chances of one of these data losses causing harm.

www.MBridge.com
http://www.mbridge.com
by tldryan June 6, 2008 6:34 PM PDT
I received a letter yesterday (June 5) advising me of the Feb 27 security breach. It is clear to me that BNY Mellon has little regard for the people affected - notice 3 months after the failure is unacceptable! A responsible, customer centric business would encrypt sensitive personal data and oops if there's a problem advise people sooner than 90 days after the fact. Clearly BNY Mellon is neither. By the way, 2 years of credit monitoring alone is pretty useless - provide free and frequent access to credit reports along with monitoring - well, then it might look like BNY Mellon cares.
by MECDAN June 7, 2008 5:37 AM PDT
I received my letter the same day-June 5-and all I would add is "How about a 10 year subscription to LifeLock?"
by looneyg612 June 7, 2008 5:35 PM PDT
I got hired to work for BNY Mellon's customer service for this situation and it's crazy how they only offer 2 years of credit monitoring and was only 1 year a week ago...I get yelled at all day and I understand why they would be mad cause it's ******** , and another tape got stolen not lost STOLEN I think it's an inside job
by looneyg612 June 7, 2008 5:36 PM PDT
besides I quit a week ago I feel like I'm lying to everyone who calls
by mgboling June 9, 2008 9:38 AM PDT
I just received a letter. I have learned that BNY Mellon bank had my information from stock options from my previous employer that I sold around 2000 or 2001. People who still work for that company have reported fraudulent activity-opening of credit card accounts and online purchases of vehicles. Perhaps there weren't any misuses of the information until recently, but BNY needs to own up to the fact that this is being used and step up what they are going to do on our behalf. I shouldn't have to do all the work that will be involved in protecting myself. What they are offering is not sufficient. This information could be out there for YEARS...Apparently there is a potential class action lawsuit under Chimicles & Tikellis.
by liz11660 June 23, 2008 6:30 PM PDT
I just received my letter today. And I am a former employee. I worked there until the end of May and this is the first I have heard of it. It was not until I started to search the internet that I learned of the April breach and how much it was kept a secret. However it does not surprise me. I cannot wait to talk to former co-workers to see what they are being told.
by mikedtroit June 26, 2008 12:38 PM PDT
I just received my letter.
As a direct-mail writer, I have to admit this seems so terribly terribly fraudulent. Dear Sir or Madam? -Seriously? using words like "Free" the registration and trade marks after the company names? Only having 90 days to register?
I have been snooping around, called the company in which I owned stock, they confirmed the loss of the tape(s)/box. I now feel this is legitimate. Now my worries of being scammed have turned to worries of becoming an innocent victim if this/these tapes is/are actually out in the world. I would love to learn more about any class action.
by Whitigger July 7, 2008 1:43 PM PDT
Well, I'm still nervous about signing up. BNY Mellon sends me a letter to sign up for 12 mos of Triple Alert service. I go to the webpage that is specially set up for folks with an "activation code". The first page of the form is asking for info already on the letter, so I fill it in. Now the second page is asking for DOB, SS# and things that they should not need. If they set up an "Activation Code" then why are they asking for all this other sensitive data? After all, my personal information was already exposed to potential fraudulent use and now they want me to enter this info over the internet? Why not simply ask for my "Activation Code" and derive the data??? With all the scams out there today, I guess I'm just a little paranoid about revealing any personal data where I clearly do not have to.
by benjaminstraight July 28, 2008 3:38 AM PDT
Great. Another security breach.
by September 18, 2008 12:17 PM PDT
I just received the letter from BNY Mellon about my account. I agree that I do not like having to give my information again on a web site that I am not sure is what it is supposed to be. I went to the web page BNY listed as a help page and as that page loaded a pop-up ad came up. That does not seem professional. If the page is legit then they may be using the ad in exchange for the Triple Alert coverage. Since the tapes have been gone so long I decided to send BNY an email to have them verify the letter sent to me. It is too easy to make a copy with an inserted web address, send them out and then rake in the information.
by kfgeorge October 1, 2008 6:47 AM PDT
I am afraid to claim the free credit monitoring because they are asking for personal information. I would like to participate, but am afraid to enter the info on the internet. It is hard to know when you are being scammed. When they supplied the activation code, it should be enough.
by smellslikeascam October 2, 2008 4:44 PM PDT
This sure smells like a scam to me...wanna know why? Both my wife and I received letters separately on the same day and neither of us has any investments. So, why would they have her info or mine in the first place. Sounds like somebody bought a mailing list and is up to no good. (Especially with the economic timing of investors freaking out anyway.)
by musicalgardener October 5, 2008 2:52 PM PDT
My husband and I both received letters separately on the same day. We both thought right away it was a scam. It does not say what investments - and our investments are not shared accounts; the information was supposedly lost in Feb 08 - it's Oct 08 and they are now getting around to informing us, and then they are advising to go online to enter critical information? Thanks, but no thanks.
by bcdar October 6, 2008 1:07 PM PDT
I just received my letter but with no personalized information about what data may have been lost. I'm reluctant to answer the personal questions required to sign up for the protection service. Has anyone trusted this process enough to give it a try? Is this on the up and up or is it just a way to get my SS#?
by Lurvin October 10, 2008 2:15 PM PDT
It is a legit letter ... look at the link below for BBB report and at the end of that article is a link to CT Attny General Press release. There are also plenty of articles in legit papers if you search far enough -just in case you don't trust CNet news ;-)

http://www.bbbconsumereducation.com/?p=690
by rdunn January 17, 2009 12:48 AM PST
I'm one of those who BNY Mellon had to find a more recent address to contact me... so I just got a letter dated Jan. 13th, 2009. It's been almost a year since the initial 'loss' of data... and they don't offer any information whatsoever about what stock, what plan, what entity that involves me with BNY Mellon. Corporate conscience at its finest. If they have my name (and supposedly additional info to find me among the many others with my name)... they should have the stock, plan, entity which involves me with this 'loss'... and should have provided the name of such. This is really the least offer necessary approach to mollifying the customer. And it -is- resemblant of a scheme of some kind to get our info or customers for Triple Alert. I suppose it's necessary to call the contact number, or better yet, the actual public number for BNY Mellon, and hope and badger for more specific information, if any would be forthcoming. Why not be paranoid, when 'they' can't even encrypt customer information that they cart around willy nilly with such fine archiving vendors? Maybe the bank itself should deliver data directly to the archive vaults... and none of this national courier stuff... but then it's just a job to them anyway. Ooops.
by 4043315 February 26, 2009 7:57 AM PST
Hi,

Thanks for the information ..!


Regards,
LTO4
AT4B3