Saturday, December 7, 2013
TD Bank made procedural errors when it lost computer tapes containing sensitive personal data, including Social Security numbers, and risked exacerbating potential problems by waiting more than six months to notify customers of the breach, security experts said Wednesday.
"It doesn't sound like they were using proper controls. It's not good practice to ship unencrypted backup tapes. It has become a lot less common for financial institutions to lose data these days," said Robert Richardson, an independent computer-security analyst and former director of the San Francisco-based Computer Security Institute, an association of computer security professionals.
TD Bank, which has 54 branches in Maine, began notifying customers last week that tapes including names, addresses, Social Security numbers, account numbers and debit or credit card numbers were lost in March while being transferred between bank locations. The bank said it was not aware of any misuse of the information, but did not explain how the tapes were lost.
TD Bank, which has more than 7.4 million customers and more than 1,275 retail locations, also would not say how many customers were affected. TD Bank lost the tapes in Massachusetts, but said customers on the East Coast from Maine to Florida may have been affected.
"You can understand why a bank doesn't want to disclose the number, but as a security professional, you have to assume the worst," Richardson said. "There could be thousands of records on a backup tape. It could be an enormous number."
Under Maine law, companies must disclose information about data breaches or losses "as expediently as possible and without unreasonable delay," but no formal timetable dictates how or when companies must notify customers.
Some customers said Wednesday they were going to cancel their TD Bank accounts.
"It makes you think twice about the bank. I'll probably change banks," said Caleb Gannon of Yarmouth, who received a letter last week from TD Bank about the loss of his personal data.
One Scarborough customer, who declined to be named because she did not want to draw attention to her lost personal information, said she and her husband would be closing their joint account as soon as possible.
"The bank said it apologizes for any inconvenience. It's way more than an inconvenience. It's insulting," the customer said. "The fact that it took so long generates more concerns and more questions."
Liz Donnelly of Bangor said she had not been notified of any problems with her account, but was concerned about TD Bank's lack of speed in informing customers.
"It definitely makes you nervous, but it's been kind of happening to a lot of companies. But alerting people shouldn't be a problem like that. TD Bank has become a big institution and I don't know if that's better," Donnelly said.
Maine's Bureau of Consumer Credit Protection said it has received complaints from some TD Bank customers.
"Sometimes," Richardson said, "there's good reason for the delay -- such as working with law enforcement -- or other times they're just dragging their feet."
TD Bank has offered free credit monitoring and identity theft protection to customers who were affected.
The bank said it did an internal investigation and notified law enforcement, but said there was no criminal investigation.
"We worked diligently to find the tapes and conduct a thorough investigation. Since this was not a data breach of any kind, there is no criminal investigation," said TD Bank spokeswoman Rebecca Acevedo.