
22.03.2010

20 Banking Breaches So Far in 2010

There have been 171 reported data breaches so far in 2010, and 20 of these involve financial services companies.

This means that in less than one quarter of the year, we already have seen nearly one-third of the 62 banking-related breaches reported in all of 2009.

The numbers are slightly skewed, says Linda Foley of the Identity Theft Resource Center (ITRC), the organization that tracks data breaches, because some of the 20 incidents actually occurred in 2009 but are just now being brought to light - particularly in Maryland, where the state's attorney general's office reported a slew of 2009 incidents on March 1 of this year. "I suspect there will be more [reports] coming," Foley says, "so the trend thus far is we're finally finding out about breaches that are just coming out."

But the new year's breaches are enough to convince observers that last year's trends are continuing. "2010 could be a tough year for everyone," Foley says.

2010 Trends

If the breach trends do continue as they did in 2009, then financial service companies will continue to experience malicious hacking and insider theft. The challenge for organizations such as the ITRC is that many organizations fail to report their breaches. "The problem is: We're not trying to embarrass a company, but inform everyone of what is happening out there."
Based on what Foley says she's seen so far in 2010, much information has been lost, "so there's a real need for businesses to adopt policies to protect data."

Despite the Federal Trade Commission's work in promoting the ID Theft Red Flags Rule, Foley says many businesses still don't want to comply with the requirements. "If you don't want to protect it, then don't collect the data," she advises these organizations.

Organizations that do buy into data protection must deputize their employees to take the responsibility seriously. "You should be telling your employees why it is important, so they buy into the wanting to actively protect data, and so they don't see it as another chore," Foley says.

Of the breaches reported thus far in 2010, financial services breaches add up to 11.7 percent of the 171 incidents -- the second lowest percentage on the list. The remaining incidents break down as:

Business/Retail - 44%
Medical/healthcare - 23%
Government/military - 15%
Education - 7%

List of Reported Breaches

Editor's Note: The following is a list of data breaches that have affected U.S. financial institutions in 2010. The information was compiled from the 2010 Data Breach Report by the Identity Theft Resource Center (ITRC), based in San Diego, CA.

John Hancock Financial
Boston, MA
Records Taken: Unknown
Type of Breach: Stolen or missing hardware

John Hancock, a Boston, MA insurer owned by Toronto insurer Manulife Financial, reported on March 13 that a partner could not locate a CD containing customer information, including names, dates of birth, and Social Security numbers of 1,085 Massachusetts residents. The company said the CD was password-protected and encrypted, but has offered credit monitoring to customers whose information may have been compromised. The company did not disclose how many persons' data was on the disk.

TD Bank
Mount Laurel, NJ
Records Taken: 13
Type of Breach: Insider Theft

A former switchboard operator for TD Bank in Mount Laurel, NJ took customer information and gave it to accomplices who in turn withdrew more than $200,000 from 13 bank customers' accounts, says the U.S. Attorney's Office in Philadelphia. Talayah Little, 26, of Hainesport, NJ, has been fired by the bank and was indicted by federal agents on March 13.

US Bank
Richmond Heights, OH
Records Taken: Unknown
Type of Breach: Stolen or missing hardware

A financial advisor at US Bank in Richmond Heights, OH reported on March 1 that a laptop was missing from his desk. The advisor told police the laptop contained sensitive customer data.

Securities and Exchange Commission
Philadelphia, PA
Records Taken: Unknown
Type of Breach: Stolen or missing hardware

TD Bank, N.A. and T.D. Wealth Management Services reported to the Maryland Attorney General's office that a laptop stolen on June 11, 2009 from the office of the Securities and Exchange Commission in Philadelphia contained customer account information, names, and Social Security numbers. The letter was posted to the Maryland OAG site on March 1. Although the data were encrypted, the letter states, "it is possible that security access information may also have been stolen with the computer."

Assurity Financial Services
Englewood, CO
Records Taken: 487
Type of Breach: Outside Network intrusion

Colorado-based Assurity Financial Services reported to the Maryland Attorney General's office the unauthorized use of their database of clients in March 2009, among which were 487 Maryland clients. The letter was posted to the OAG website on March 1. The company did not state how many customers were affected nationwide. Assurity told affected customers that an unauthorized individual used customer information either to apply for payday loans or to set up bank accounts to accept the funds from the payday loans.

Virgin Money USA Inc.
Waltham, MA
Records Taken: Unknown
Type of Breach: Outside Network intrusion

Virgin Money USA reported to the Maryland Attorney General's office that a former employee had accessed Virgin Money USA customer information on its network. The letter was published on the OAG website on March 1. The former employee accessed names and Social Security numbers from mortgage applications. The former employee told investigators his intent was to generate business for himself and his new employer. The employee was fired by his new employer when the crime was revealed.

Ally Bank
Philadelphia, PA
Records Taken: Unknown
Type of Breach: Outside Network intrusion

According to the Maryland Attorney General's website, Ally Bank, an online bank based in Philadelphia, PA, informed the AG on August 27, 2009 that a former employee stole bank customers' names, addresses, dates of birth and social security numbers. There was no notification letter available on the OAG website.

Wells Fargo/Wachovia Bank
Charlotte, NC
Records Taken: 953
Type of Breach: Stolen or missing hardware

A backup hard drive containing the names, social security numbers and bank account information for 953 Wachovia customers was stolen from a law office in Irvine, CA used by Wachovia Dealer Services. In a notification letter to the Maryland Attorney General, the bank says the drive was stolen on June 11, 2009. The letter was posted to the OAG website on March 1 and did not state how many bank customers were exposed nationwide.

Partnership Federal Credit Union
Washington, DC
Records Taken: 22
Type of Breach: Accidental breach

The Partnership Federal Credit Union reported to the Maryland Attorney General on July 22, 2009 that an internal data file had been discovered on a computer outside of the secured network earlier in the summer. This may have exposed personal and financial information. The letter was posted to the OAG website on March 1.

Telhio Credit Union
Columbus, OH
Records Taken: Unknown
Type of Breach: Insider Theft

Telhio Credit Union reported to the Maryland Attorney General in a December 22, 2009 letter that a former employee had downloaded a report with customer personal and financial information before leaving his employment in early August 2009. One Maryland resident's information was in that report. It was not stated how many others may have been affected nationwide.

M&T Bank
Baltimore, MD
Records Taken: 39
Type of Breach: Missing Paper Documents

M&T Bank reported to the Maryland Attorney General in a letter dated December 18, 2009 that a courier carrying work for a Baltimore branch was robbed on December 15, 2009. In the courier's bag were 39 customers' checks.

BlackRock
New York, NY
Records Taken: 61
Type of Breach: Accidental breach

BlackRock, a global investment firm, reported to the Maryland Attorney General in a letter dated October 29, 2009 that a third party (PNC Global Investment Servicing) delivered CDs containing personal shareholder information to another financial institution client in December 2008. At least a few of that client's employees accessed the data. The information included names, addresses, tax identification numbers, or Social Security numbers. No total breach number was given.

Citigroup
New York, NY
Records Taken: 600,000
Type of Breach: Accidental breach

About 600,000 Citigroup customers got a shock in February when they received their annual tax documents - with their Social Security numbers printed on the outside of the envelope. Citigroup states that the numbers were surrounded by other numbers and letters "that resembled a mailing routing number." At least 50 of the customers have complained about the gaffe to Citi.

SunTrust Banks
Hillsborough, FL
Records Taken: Unknown
Type of Breach: Skimming

According to a federal complaint filed in Florida, four Bulgarian men put "skimmers" on ATMs at SunTrust banks in Hillsborough and Pinellas counties last summer and skimmed identifying information on hundreds of bank accounts. One of the men has been arrested; the other three are still at large, say police.

ING Fund
Scottsdale, AZ
Records Taken: 106
Type of Breach: Exposure of data on Web

On January 25, an ING customer discovered that she could access client information on the ingfunds.com web site and notified her stockbroker. In investigating the situation, ING discovered that since August 2008, a file containing the names, addresses, Social Security numbers, and account numbers of 106 ING shareholders had been available on the web through a search engine. The company notified the New Hampshire Attorney General on February 3 that 17 residents of the state were affected.

Ameriquest Mortgage
Minneapolis, MN
Records Taken: 100
Type of Breach: Insider Theft

A man who worked for Ameriquest Mortgage Company for 6 weeks stole enough mortgage application information to steal nearly 100 people's identities. According to the federal indictment against him, Jason Tauer, a Robbinsdale, MN resident, worked for Ameriquest from March 15 through April 29, 2005. Only a few months later, money began disappearing from Ameriquest customers' bank accounts and credit card accounts. In all, Tauer stole $150,000 from his victims.

First Interstate Mortgage Corp.
Las Vegas, NV
Records Taken: 230
Type of Breach: Missing paper documents

Gregory Navone, a mortgage broker in Las Vegas who discarded consumers' personal financial records in a publicly accessible dumpster, paid a $35,000 civil penalty to settle Federal Trade Commission charges, according to an FTC statement on January 21. According to the FTC, the defendant improperly disposed of about 40 boxes of sensitive consumer records collected by companies he had owned, including tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses, and at least 230 credit reports.

Lincoln National Financial Securities
Radnor, PA
Records Taken: 1,200,000
Type of Breach: Exposure of data on Web

A vulnerability in the portfolio information system for broker-dealer subsidiaries of Lincoln National Corporation potentially exposed the records of 1,200,000 people; 18,900 were New Hampshire residents. Lincoln National notified the Attorney General of New Hampshire on January 4 that, although an outside forensic review found no reason to believe that client data were actually accessed or misused, "information such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances, and in some cases, dates of birth and email addresses had been potentially exposed."

Suffolk County National Bank
Long Island, NY
Records Taken: 8,300
Type of Breach: Outside Network intrusion

Hackers stole the login credentials for more than 8,300 customers of Suffolk County National Bank after breaching its security starting on Nov. 18, 2009 and accessing a server that hosted its online banking system. The intrusion happened over a six-day period and was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of the bank's total accounts.

Eastern Bank Corp.
Lynn, MA
Records Taken: 2,500
Type of Breach: Accidental breach

Eastern Bank Corp. of Lynn, MA disclosed in September 2009 that it mailed financial data regarding about 2,500 customers to the wrong addresses. Bank spokesperson Joe Bartolotta says the bank welcomed the new Massachusetts state law requiring strong data security measures.