Well, that didn’t take long. Just after ChoicePoint Inc.’s identity theft problems came the announcement that Bank of America Corp. had a problem of its own.
The company lost some back-up tapes containing personal information for a large number of federal employees. Now that its members have been affected personally, maybe Congress actually will get tough with the businesses that toss around our personal information like so much used dog food.
Bank of America announced that some tapes had gone missing while being shipped to a back-up data centre in December. The tapes contained information, including Social Security numbers (SSN), on 1.2 million accounts. Press accounts said Sen. Charles Schumer (D-N.Y.) was told that baggage handlers likely stole the tapes. The bank’s press release said it hadn’t seen any unusual activity in the accounts so far. It also said it would send letters to everybody whose information might have been on the tapes.
A couple of things are kind of funny about this story. I don’t know any baggage handlers, but I find it hard to imagine that computer back-up tapes would be the first things a thieving one would go after. Also, the bank’s press release said “the privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously.” If that was true, the tapes would, at the very least, have been encrypted. If the tapes were encrypted using a good algorithm, I would expect the bank to have quickly said that. So maybe the bank wasn’t doing all it could to safeguard the information. This should be a lesson to all who ship unencrypted private data via insecure transport.
Schumer also complained that the Westlaw’s People Finder commercial service easily could be exploited to get personal information, including SSNs, for more than 160 million people. He said his staff used the service to get SSNs for Vice President Dick Cheney and Internet video star Paris Hilton.
Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at firstname.lastname@example.org.