Lost backup tape prompts IT changes at NY bank

Officials at Bank of New York Mellon late last week said it has launched a new policy to encrypt data held on all storage devices and to limit the amount of confidential client data stored on tape drives. The policy was launched after unencrypted backup data tapes were twice lost by third party couriers this year.

The bank would not disclose its past storage policies.

The company announced the new policy just days after disclosing that one of 10 boxes of storage tapes being delivered to an off-site facility by storage firm Archive America was lost in February and that another courier, which it did not identify, lost a storage tape during transit in April.

In the February incident, the tapes were being transported from the bank's Mellon Shareowner Services facility in Jersey City. Those missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank.

The tape lost in April was in transit from BNY Mellon's Working Capital Solutions operations in Philadelphia to a branch office in Pittsburgh. That backup tape included images of scanned checks and other documents relating to payments made by BNY Mellon clients, said company officials.

Combined, the two data breaches exposed sensitive information of more than 4.5 million people and 747 companies, according to BNY Mellon officials.

The company late last week also announced that it will provide those whose data was stored on the missing tapes with two years of free credit monitoring, credit freeze benefits and a US$25,000 identity theft insurance policy.

"We deeply regret that this occurred and sincerely apologize to all of those impacted," said Todd Gibbons, chief risk officer at BNY Mellon, in a statement. Gibbons said there is no indication that data on the missing tapes has been misused or inappropriately accessed.

To bolster its security controls, the bank said it will now require that any confidential data written on tapes or CDs for transport must be encrypted or transported with undisclosed additional data protections. Further, when "technically feasible" the bank will demand that encrypted confidential data be delivered to off-site facilities electronically, noted Gibbons.

BNY Mellon has ended its relationship with Archive America and is cooperating with law enforcement agencies, state and federal officials in the investigation of the incident. A spokesman for the financial institution refused to comment on any details surrounding the circumstances of how the tapes disappeared. Archive America officials declined comment.

Connecticut Attorney General Richard Blumenthal said that the missing BNY Mellon computer tapes have put the personal identities of 497,333 state residents at risk. In a statement released late last week, Blumenthal and the state's Department of Consumer Protection listed 25 companies with Connecticut-based customers affected by the breach. The list includes People's United Financial, John Hancock Financial Services, The Walt Disney Company, and TD Bank Financial Group.

Blumenthal said he is still waiting for answers about how the data breach occurred, who is responsible for the crime and why BNY waited months to notify customers about the incident. "We haven't completed our investigation and there are still some important questions that have to be answered," he remarked.