The Bank of New York Mellon is beefing up its security policies and implementing encryption after third-party couriers lost backup storage tapes twice this year, potentially exposing the data of approximately 4.5 million people.
The unencrypted backup tapes were lost in two separate incidents on Feb. 27 and April 29. In a statement released May 30, the financial-services firm said there is no indication that the data on the tapes has been accessed or misused. The tapes were being transported by outside vendors for the bank's Shareholder Services business and its Working Capital cash payment business.
Officials at BNY Mellon said they are notifying individuals who may be affected by the breach and offering them two years of free credit monitoring, $25,000 worth of identity theft insurance, and other fraud protection services.
"We deeply regret that this occurred and sincerely apologize to all of those impacted," Todd Gibbons, the company's chief risk officer, said in a prepared statement.
The organization is conducting a "top-to-bottom review" of its security policies and procedures, particularly those related to its vendors and outside contractors, he said.
In addition to that review, BNY Mellon said it will require, where technically feasible, that confidential data sent outside the company be transmitted directly over encrypted channels, reducing the need to put it on storage tapes at all.
Where confidential data must still be written to tape or CD for transport, the bank will require that it be encrypted or moved under added handling controls, and it will step up enforcement of employee compliance with its data-security policies.
Jonathan Gossels, president and CEO of security consulting firm SystemExperts, said the company is taking all the right steps.
"The most important one is they're making an organizational commitment to be the best in security," he said. "They're undertaking a top-to-bottom review of existing procedures. That is far and beyond what most companies we've seen that have experienced this type of breach have done."
He also commended BNY Mellon's moves to implement encryption and reduce the data that's shipped manually. "The only question you could ask is why weren't they using encryption on tapes before?" Gossels said.
When his firm conducts ISO 17799 reviews (the control catalogue since renumbered ISO/IEC 27002) for organizations, a finding that backup tapes need to be encrypted is common, he said. The task is generally on someone's to-do list, but not at the top of it.
"There are a lot of moving parts in a modern IT shop, and in this case they had third parties involved," Gossels said. "It's one thing to encrypt when you're the one decrypting. It's harder when you have key management with business partners. It's very doable, it just takes work."
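The key-management problem Gossels points to has a standard shape: the sender should not have to hand a partner a long-lived symmetric key along with the tape. Envelope encryption avoids that by encrypting each backup under a fresh random data key and wrapping only that key to the partner's public key, so the partner's private key never leaves the partner and the sender never stores anything that decrypts the tape. The Go program below is an added example written for this page; it is not code from BNY Mellon, SystemExperts or any vendor named in the article. It assumes a single partner who has shared an RSA public key, uses a constructed purpose label (`backup-tape-dek-v1`) and a constructed sample record in place of a real tape image.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels with the tape instead of cleartext. None of it
// is usable without the partner's RSA private key.
type Envelope struct {
	WrappedKey []byte // DEK under RSA-OAEP(SHA-256) to the recipient's public key
	Nonce      []byte // 96-bit AES-GCM nonce, fresh for every envelope
	Ciphertext []byte // AES-256-GCM output with authentication tag appended
}

// purpose is a constructed label both sides agree on. It is used as the OAEP
// label and as GCM associated data, so neither part can be reused elsewhere.
var purpose = []byte("backup-tape-dek-v1")

// GenerateRecipientKey models the partner generating its own key pair and
// handing the sender only the public half (2048 bits keeps the demo quick).
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForPartner is the sender side: a fresh random data-encryption key
// (DEK) protects the backup and only the DEK is wrapped to the recipient.
// The sender never needs a shared secret with the partner, only its public key.
func EncryptForPartner(backup []byte, recipient *rsa.PublicKey) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek) // only the wrapped form leaves this function
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, backup, purpose)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, dek, purpose)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFromPartner is the recipient side. Unwrapping needs the private key,
// and GCM authenticates the ciphertext, so a tampered tape, a wrong key or a
// mismatched purpose label fails closed rather than yielding garbage.
func DecryptFromPartner(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, purpose)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, purpose)
	if err != nil {
		return nil, fmt.Errorf("decrypt backup: %w", err)
	}
	return pt, nil
}

func main() {
	partner, err := GenerateRecipientKey() // done on the partner's side
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a tape image; not real customer data.
	env, err := EncryptForPartner([]byte("acct=0001,name=A. Example\n"), &partner.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromPartner(env, partner)
	fmt.Printf("wrapped key %d B, ciphertext %d B, recovered %q, err=%v\n",
		len(env.WrappedKey), len(env.Ciphertext), pt, err)
}
```

The wrapped key must be stored alongside the ciphertext, and a lost or mishandled tape then exposes nothing but random-looking bytes. The trade-off Gossels alludes to is on the other side: the partner's private key now has to be generated, protected and rotated by the partner, and if it is lost the backup is unrecoverable, which is why real deployments wrap the DEK to more than one recipient key or escrow it.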
According to Connecticut state officials, nearly 500,000 Connecticut residents were affected by the February breach, most of them depositors of People's United Bank or shareholders of John Hancock, Walt Disney Corp., and TD Bank Financial Group.
The BNY Mellon incidents are the latest breaches involving lost backup tapes. In March, computer tapes containing confidential information on University of Miami patients were stolen when thieves took a case out of a van used by a private off-site storage company, according to the Privacy Rights Clearinghouse. Over two million records were exposed.