Bank of NY Mellon Breach Much Bigger than First Announced

Forensics Investigation Reveals 12.5 Million Customers Impacted The Bank of New York Mellon (BNY Mellon) has announced that the data breach that occurred back in May is much bigger than the 4.5 million records originally announced. The bank now says that another 8 million customers were affected by the breach, bringing the total figure to 12.5 million, which may make it the largest data breach of the year.

Back in May the bank informed customers that 4.5 million customer account details, including names, addresses, dates of birth and Social Security numbers, had been compromised after two sets of tape backups went missing from a third-party courier.

After the initial review of the event, the bank says in a prepared statement, "A subsequent re-examination by an industry-leading forensic investigation firm of the analysis applied to the lost tapes led to the identification of additional individuals."

Ron Sommer of Bank of New York Mellon's Corporate Communications Department confirms the re-examination found 8 million more names.

Reactions
This news brought quick reaction from Connecticut Governor Jodi Rell. "It is simply outrageous that this mountain of information was not better protected, and it is equally outrageous that we are hearing about a possible [eight] million additional individuals and businesses six months after the fact," Rell says in a statement on the Connecticut Governor's website. "We fear a substantial number of Connecticut residents are among this latest group."

One Bridgeport, CT bank, People's United Bank, had 556,000 customers affected by the May announcement. The tapes went missing in February.

BNY Mellon says it has begun to notify these additional customers. Under Connecticut state law, banks are required to immediately notify customers when such information is lost. "Had the hundreds of thousands of Connecticut residents affected been notified immediately that their data had been compromised, they could have taken steps to protect themselves," Rell notes. The governor has told her consumer protection office and the state's attorney general to pursue "all remedies available" under Connecticut law against the bank, including a substantial fine, customer restitution and other penalties. Connecticut's consumer protection department has subpoenaed the bank to get details on the extent of the breach, timeline and conditions of the tape loss and copies of law enforcement and security reports field and the names and addresses of all Connecticut customers whose data was on the missing tapes.

Since May, the bank says it has hired a leading independent consultant to review its security policies and procedures, and has implemented a companywide program "when technically feasible" to require confidential data be transferred within the bank via electronic encryption to "minimize the need for data storage tapes and their transport." It also says it has started stringent standards for confidential data transport and a bank-wide awareness and training program on data security for all employees.

The bank set up a web site (www.bnymellon.com/tapequery) with additional information for customers, as well as offering two years of free credit monitoring, $25,000 worth of identity theft insurance, and a free credit freeze on all three national credit bureaus, despite saying that there is no evidence that the missing tapes' data has been used or sold.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.