Two years after a vendor is hacked, OneWest Bank notifies customers

OneWest Bank has been notifying customers of a breach that occurred back in 2011.

According to their letter, a copy of which they submitted to California under the state’s breach reporting requirements, the bank

recently learned that one of our service providers was the victim of an illegal and unauthorized intrusion into its network (“Network Intrusion”) during the first quarter of 2011. In response, the service provider enhanced the security of its network systems, cooperated with law enforcement including the United States Secret Service (“USSS”), and investigated using leading outside security firms.

Information that was accessed included customer information such as name, address, birthdate, phone number, driver's license number, passport number, and Social Security Number. The bank does not believe that the data were downloaded or copied, but offered customers free credit monitoring services.

The letter does not state when the unnamed vendor first learned of the breach or how it learned of it. I emailed the bank on Wednesday to inquire, and although they indicated they would get back to me with information, I have not heard back from them with answers to those questions. So… did the vendor know about this years ago or months ago and first inform them now, or did the vendor first learn of the breach now, and in any event, how did the vendor learn of the intrusion?

Somewhat surprisingly – particularly in light of the delayed discovery and notification – I do not see any apology from the bank in their notification letter or even recognition that customers might be dismayed or angry about the delayed notice.

About the author: Dissent