Bank boosts security after couriers lose backup tapes

By Marcia Savage, Features Editor, Information Security magazine
03 Jun 2008 | SearchFinancialSecurity.com

The Bank of New York Mellon is beefing up its security policies and implementing encryption after third-party couriers lost backup storage tapes twice this year, potentially exposing the data of approximately 4.5 million people.

The unencrypted backup tapes were lost in two separate incidents on Feb. 27 and April 29. In a statement released May 30, the financial-services firm said there is no indication that the data on the tapes has been accessed or misused. The tapes were being transported by outside vendors for the bank's Shareholder Services business and its Working Capital cash payment business.

Officials at BNY Mellon said they are notifying individuals who may be affected by the breach and offering them two years of free credit monitoring, $25,000 worth of identity theft insurance, and other fraud protection services.

"We deeply regret that this occurred and sincerely apologize to all of those impacted," Todd Gibbons, the company's chief risk officer, said in a prepared statement.

The organization is conducting a "top-to-bottom review" of its security policies and procedures, particularly those related to its vendors and outside contractors, he said.

In addition to the review of its policies and procedures, BNY Mellon said it will require, when technically feasible, direct encrypted transmission of confidential data that's sent outside the company in order to reduce the need for data storage tapes.

It also will require that confidential data that must be written on tapes or CDs for transport be encrypted or transported with added controls, and boost enforcement of employee compliance with its data security policies.

Jonathan Gossels, president and CEO of security consulting firm SystemExperts, said the company is taking all the right steps.

"The most important one is they're making an organizational commitment to be the best in security," he said. "They're undertaking a top-to-bottom review of existing procedures. That is far and beyond what most companies we've seen that have experienced this type of breach have done."

He also commended BNY Mellon's moves to implement encryption and reduce the data that's shipped manually. "The only question you could ask is why weren't they using encryption on tapes before?" Gossels said.

When his firm conducts ISO 17799 reviews for organizations, it's common to have a finding that they need to encrypt their backup tapes, he said. The task is generally on someone's list of things to do, but not at the top of the list.

"There are a lot of moving parts in a modern IT shop, and in this case they had third parties involved," Gossels said. "It's one thing to encrypt when you're the one decrypting. It's harder when you have key management with business partners. It's very doable, it just takes work."

According to Connecticut state officials, nearly 500,000 Connecticut residents were affected by the February breach, most of them depositors of People's United Bank or shareholders of John Hancock, Walt Disney Corp., and TD Bank Financial Group.

The BNY Mellon incidents are the latest breaches involving lost backup tapes. In March, computer tapes containing confidential information belonging to University of Miami patients were stolen when thieves took a case out of a van used by a private off-site storage company, according to the Privacy Rights Clearinghouse. Over two million records were exposed.


