Installing encryption and fraud-detection software on computers seemed like a good idea to Bank Rhode Island’s CEO after a laptop containing the names, addresses and Social Security numbers of about 43,000 customers was stolen last December from its principle data-processing provider, Fiserv Inc.
“We are making certain what limited information is on [the laptops] is encrypted. We don’t think there’s any sensitive information on them, but we’re acting in an abundance of caution with respect to those laptops,” BankRI president and CEO Merrill Sherman said at the time.
The theft of the laptop from Fiserv also prompted BankRI to install fraud-detection software on computers at its Providence, R.I., headquarters and branch offices, Sherman said.
“This has reinforced heightened scrutiny around security. We’re pretty comfortable with our policies and procedures,” said Sherman, adding that she is also comfortable with measures Fiserv is taking to ensure that customer data theft doesn’t happen again.
Les Muma, president and CEO of Brookfield, Wis.-based Fiserv, said the data on the laptop was password-protected but not encoded. Muma said the theft was a result of a single employee not following company policy regarding the storage of unencrypted data on laptops. The data was being used in a test scenario.
“Our internal policies are damn tight. It was a terrible mistake, and the individual has been reprimanded,” Muma said, adding that law enforcement authorities investigating the crime are confident that it was simply a petty theft and the thief was unaware of the data.
Sherman said that the laptop didn’t contain personal identification numbers, account passwords, debit or ATM card information, or other financial data, and that fewer than 100 of its customers’ account numbers were on the computer’s hard drive.
The wholly owned subsidiary of Bancorp Rhode Island Inc. sent letters to customers who could be affected by the theft, telling them that there is no risk to their bank accounts and giving them a hotline number to call if they discover any identify theft.
Jerry Silva, a senior analyst at TowerGroup in Needham, Mass., said more enterprises are trusting mission-critical data to third-party outsourcers and they haven’t stopped to consider security issues around that decision. He said banks must begin thinking about data security in the same way the semiconductor industry treats cleanliness around the making of chips. In that industry, concentric rings of cleanliness become more stringent as people come closer to the room where silicone wafers are actually turned into chips.
“Banking and ATM networks are very sensitive production resources. It’s not the same as someone attacking your Outlook server,” he said. “The bottom line is that we have to stop blaming Microsoft and the technology itself. Things are just open out there. Even a high-schooler can program something at home and have it run on a bank’s networks.”