Security's Everyman

Security's Everyman

Friday, May 30, 2008

Are they never going to learn?

Another day and another company loses unencrypted personal information on their customers. When are companies going to learn? When are they going to finally get serious about protecting their customers information?

ComputerWorld reports that the Bank of New York Mellon Corp lost back up tapes with PII on 4.5 million customers. The PII includes names, social security numbers, birth dates and other information on their customers. All the good things that a hacker needs to steal an identity or commit financial crimes in the name of innocent people.

Things such as encryption of backup tapes should not be an issue in today's world. Especially when you are dealing with peoples personal information. There is no excuse for this continuing to happen time and again. What is it going to take for companies to take this kind of thing seriously? Obviously the pain that they experience isn't enough to make them take note. The "myth" that a breach cost companies close to $200 per record can't be true or companies would stand up and do something proactive to prevent this. 4.5 million time $200 is  900 million dollars. If this is really what it would cost the bank do you think that they would still be shipping unencrypted tapes? No they wouldn't.

They made a decision to not adequately secure their customers information based on a risk assessment that they had done (formally or informally). They decided that the cost of the technology wasn't worth it to them because they knew that if something happened it wouldn't cost them enough to hurt. In my opinion this is irresponsible and negligent. If I were the law I'd even say criminally negligent. They aren't too concerned about the fact that their carelessness may cost a family lots of money, time and pain in trying to put the pieces of their stolen lives back together. And this bit about giving them a free year of credit monitoring is STUPID!

What makes this even worse is the fact that they waited 3 months to notify the customers. What good is a years worth of credit monitoring if your name and information has been used in the last 3 months to buy who knows what. By this time it could be too late! This is by far the most negligent part of this whole fiasco. UNBELIEVABLE!

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.