19 more financial sector breaches from 2009
Maryland has updated its web site to provide breach notifications that it has received since its last update. The newly posted notifications are for the period ending December 31, 2009, so there will likely be more to come for 2010.
Some of the breaches described in the notifications were reported in the media at the time, but I spotted a number from the banking/credit/financial sector that had not been reported in the media or on this site at the time. So here is a brief roundup on another 19 breaches from this sector last year:
- Ally Bank reported that a former employee had stolen information, including SSN, of two Maryland residents. This notification was not made publicly available.
- Ameriprise Financial reported three breaches. In the first, an unnamed third party mailing vendor lost a client’s paperwork containing personal and financial account information. In the second report, Ameriprise Financial reported that they believe that a named former employee had sensitive customer information in his possession and that they were trying to retrieve it through legal processes. In the third incident, Ameriprise Financial reported that client data for two individuals had been mailed to a third client in error.
- Assurity Financial Services reported unauthorized use of their database, affecting 487 clients. In a letter to those affected, Assurity writes: “This unauthorized individual used customer information to either apply for payday loans or to setup bank accounts to accept the funds from the payday loan.”
- BB&T Financial, FSB reported a stolen laptop contained names, addresses, and SSN of two Maryland residents, but that notification is not available on the site at this time.
- BlackRock reported that a third party delivered CDs containing personal shareholder information to another financial institution client in December 2008. At least a few of that client’s employees accessed the data. The client realized the mistake, secured the CDs, purged the data from their system, and returned the CDs to the third party. They also provided an affidavit that none of the data had been copied, printed, used, or further disseminated. Under the circumstances, BlackRock determined that this was not a reportable breach but decided to notify anyway.
- Erisa Pension Systems reported that 330 participants of the First NLC Financial Services, LLC (401)K Plan had their personal and pension information disclosed in an email attachment sent to all 330 participants.
- Evan Capital Management reported, on behalf of Weatherlow Fund I L.P., that Citco (Canada), the fund’s administrative services provider, had mailed one investor’s Schedule K-1 to another investor by mistake.
- Experian reported in December that “consumer information was recently accessed online after methods to authenticate their identity were completed successfully by unknown individuals.” In July, and as previously reported here, they had reported a similar incident, and in February, there had been another incident involving an Experian client accessing consumer data without authorization.
- GMAC Bank reported that its vendor eLynx made a change in its system. As a result of the software error, the vendor misdelivered document packages to Ally and GMAC customers, resulting in a third party viewing at least some customers’ personal information that included SSN, financial information, and other personal information. In a second incident, GMAC Mortgage reported that following a systems change, two individuals were improperly allowed to access mortgage information on two customers.
- M&T Bank reported that a courier carrying work for a Baltimore branch was robbed. In the courier’s bag were customers’ checks.
- Accounting firm Moses, Phillips, Young, Brannon, and Henninger reported that a backup device was stolen by “an opportunistic criminal while in transit.” Well, that is what the letter to those affected said. In a cover email to the state, the firm more bluntly stated that the device was stolen from a car. None of the correspondence, however, indicates precisely what types of client information were on the storage device.
- The Partnership Federal Credit Union reported that an internal data file had been discovered on a computer outside of the secured network, potentially exposing personal and financial information. The file had been inadvertently left on a computer that was no longer in use.
- TD Bank, N.A. and T.D. Wealth Management Services reported that a laptop stolen from the office of the Securities and Exchange Commission in Philadelphia contained customer account information, names, and Social Security numbers. Although the data were encrypted, “it is possible that security access information may also have been stolen with the computer.” TD was notified of the burglary on June 15, but did not send notices to affected customers until August 31.
- Telhio Credit Union in Ohio reported that a former employee had downloaded a report with customer personal and financial information before leaving his employment. The credit union believed that his purpose was to be able to contact his prior clients in furtherance of his career.
- Virgin Money USA reported that a former employee had accessed personal and financial information from those researching mortgages. Virgin Money believes that the employee’s intention was to generate business for himself and his new employer. Virgin Money had the computers seized, reported the matter to law enforcement, and notified the new employer, who terminated the employee. It is not clear, however, from the notification whether the employee accessed the information while still in Virgin Money’s employ or if he was still able to access information after his termination.
- Wells Fargo reported that a backup hard drive used by its subsidiary Wachovia Dealer Services was stolen from Wachovia’s unnamed law firm’s office. Data from 953 Maryland residents were on the drive.