12.5 Million Records Go Missing in Data Breach - HotHardware

Earlier this week we reported on Scotland's Sunday Herald's claim that the Best Western hotel group was hit with the world's largest known data breach of eight million people's sensitive information, as well as Best Western's adamant denial. Even if the Sunday Herald story turns out to be true, the Best Western data breach would no longer hold the title of the world's largest known data breach. That record now goes to the Bank of New York (BNY) Mellon, which "lost" the sensitive information of 12.5 million customers.

The BNY Mellon data breach itself is not new news. As documented in the Identity Theft Resource Center's ITRC Breach Report 2008, on February 27, 2008, BNY Mellon gave "an unencrypted backup tape as well as nine other tapes to a storage firm, Archive Systems Inc. of Fairfield, N.J., which was assigned to store the information." Between when the vehicle picked up the tapes and when it arrived at the storage facility, the vehicle had been left unattended several times. When the vehicle arrived at the storage facility, it was discovered that a lock on the truck was broken and one of the tapes was missing.

Fast forward to May, and as VNUNET reported, BNY Mellon informed its customers that "4.5 million customer account details, including names, addresses, dates of birth and Social Security numbers, had been compromised after two sets of tape backups went missing from a third party courier." (Obviously some of the information about the incident is not clear, as the ITRC states it was one tape, while VNUNET reports it was two tapes.)

At the time, this was looking to be the largest known data breach to date--only to be potentially overtaken by the alleged Best Western breach last week. SC Magazine reported in late May that a significant number of the affected individuals were Connecticut residents, and as such, Connecticut Governor M. Jodi Rell directed the state's Consumer Protection Commissioner, Jerry Farrell Jr., to issue a number of subpoenas in order to "determine the scope of the breach and whether any laws were violated when the tape went missing."

As a result of the subpoenas, a forensic review of the breach was conducted, and it was discovered that the number of people affected by the data breach was not 4.5 million as BNY Mellon had stated in May, but was in fact 12.5 million.

"It is simply outrageous that this mountain of information was not better protected and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months after the fact... We fear a substantial number of Connecticut residents are among this latest group." -- Connecticut Governor M. Jodi Rell

"Nothing in the data we were given in May and June by BNY Mellon indicated in any way that these additional six million individuals and businesses were involved... This certainly raises serious additional questions about how secure personal identifying data is at the Bank of New York Mellon and widens the scope of our investigation." -- Consumer Protection Commissioner Jerry Farrell, Jr.

As the state's investigation continues, Governor Rell has directed Commissioner Farrell to work with Connecticut Attorney General Richard Blumenthal to "pursue 'all remedies available' under Connecticut law against BNY Mellon, including seeking a substantial fine, restitution to consumers, and other penalties." Rell is also insisting that BNY Mellon extend the same identity protection to the newly discovered larger group as it did for the initial affected group. A press release on Governor Rell's website also states:

"The Governor also called upon the federal government to tighten steps to prevent security breaches and enforce existing laws against violators."

This year was already shaping up to set new records for data breaches. It looks like that record is now going to be set even higher.

Looks like your info isn't really safe anywhere


That's why I always register for everything with the name and SSN of LifeLock CEO Todd Davis. :)


For months I have posted a question on my blog: Has there ever been a documented example of identity theft committed as the result of lost backup tapes? So far, no one has shown me an example. As we saw with TJX and Best Western, it is easy to blow apparent data breaches out of proportion. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html


You're begging the question: does every case of identity theft have a known instant of compromise?

I would imagine that if someone got my data from a backup tape and used it only once - leaving me with the bill, they might never be caught and we would never be sure how they did it. Give me a tape with millions of names, and I'd never need to use the same one twice.

That aside, I actually agree that most of these losses are entirely overblown and probably do not result in any identity theft.


First, welcome, Ben. However, I'd have to vehemently disagree with you that security breaches are blown out of proportion. First, as you stated, 3vi1, you're talking about millions of records (names) here and it will likely take a long time for things like credit card purchase theft and other uses of that data to manifest themselves. Do you think a crook that stole this private data is going to run right out and do something with it when the heat is on and folks are investigating? Do you think they'd even try to so much as traffic that data elsewhere or sell it? No, this is a long term deal, folks. Victims of these breaches need to put those credit history checks in place for years and cancel credit cards etc. You never know, it might hit sometime down the line.


I agree they're not blown out of proportion. However, I disagree with the rest of what you say, Dave_HH. This may be a long term deal but that tape's probably already been sold out of the country. People will pay a lot of money for that many IDs, then hit bank accounts, social security cards, etc. There was an incident of 3 houses within 20 miles of me. They were rented in one subdivision, all three by one individual but under 3 identities. He put a bunch of old furniture in them, even had a car sitting in the garage of one. Either way he had them rented for a long time. From what I understand but he built grow houses in the basements, and grew high quality marijuana in them. I am not sure of the length of time but I am positive it was over a year. The neighbors almost never saw anyone in them and sooner or later got suspicious; that's how he got busted. But what I'm saying is intelligent criminals, if you can call them that, don't work like we'd think. But I'd say long term is a mistake if those IDs weren't already sold for a couple million at least. But the effects will be long term, you're right on that.


It's just an awful situation for so many people. I have helped a few people who have had their identity compromised and can tell you that post ID theft is actually terrifying for those folks who are hooked by chain to their credit.


Someone deserves to lose their nuts over this, IMO. 
