12.5 Million Records Go Missing in Data Breach

Earlier this week we reported on Scotland's Sunday Herald's claim that the Best Western hotel group was hit with the world's largest known data breach of eight million people's sensitive information, as well as Best Western's adamant denial. Even if the Sunday Herald story turns out to be true, the Best Western data breach would no longer hold the title of the world's largest known data breach. That record now goes to the Bank of New York (BNY) Mellon, which "lost" the sensitive information of 12.5 million customers.

The BNY Mellon data breach itself is not new. As documented in the Identity Theft Resource Center's ITRC Breach Report 2008, on February 27, 2008, BNY Mellon gave "an unencrypted backup tape as well as nine other tapes to a storage firm, Archive Systems Inc. of Fairfield, N.J., which was assigned to store the information." Between picking up the tapes and arriving at the storage facility, the vehicle was left unattended several times. When the vehicle arrived at the storage facility, it was discovered that a lock on the truck was broken and one of the tapes was missing.

Fast forward to May, and as VNUNET reported, BNY Mellon informed its customers that "4.5 million customer account details, including names, addresses, dates of birth and Social Security numbers, had been compromised after two sets of tape backups went missing from a third party courier." (Obviously some of the information about the incident is not clear, as the ITRC states it was one tape, while VNUNET reports it was two tapes.)

At the time, this was looking to be the largest known data breach to date--only to be potentially overtaken by the alleged Best Western breach last week. SC Magazine reported in late May that a significant number of the affected individuals were Connecticut residents, and as such, Connecticut Governor M. Jodi Rell directed the state's Consumer Protection Commissioner, Jerry Farrell Jr., to issue a number of subpoenas in order to "determine the scope of the breach and whether any laws were violated when the tape went missing."

As a result of the subpoenas, a forensic review of the breach was conducted, and it was discovered that the number of people affected by the data breach was not 4.5 million as BNY Mellon had stated in May, but was in fact 12.5 million.

"It is simply outrageous that this mountain of information was not better protected and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months after the fact... We fear a substantial number of Connecticut residents are among this latest group." -- Connecticut Governor M. Jodi Rell

"Nothing in the data we were given in May and June by BNY Mellon indicated in any way that these additional six million individuals and businesses were involved... This certainly raises serious additional questions about how secure personal identifying data is at the Bank of New York Mellon and widens the scope of our investigation." -- Consumer Protection Commissioner Jerry Farrell Jr.

As the state's investigation continues, Governor Rell has directed Commissioner Farrell to work with Connecticut Attorney General Richard Blumenthal to "pursue 'all remedies available' under Connecticut law against BNY Mellon, including seeking a substantial fine, restitution to consumers, and other penalties." Rell is also insisting that BNY Mellon extend the same identity protection to the newly discovered larger group as it did for the initial affected group. A press release on Governor Rell's website also states:

"The Governor also called upon the federal government to tighten steps to prevent security breaches and enforce existing laws against violators."

This year was already shaping up to set new records for data breaches. It looks like that record is now going to be set even higher.