Laptop stolen from Butte Community Bank
Date Reported:
11/06/07
Organization:
Butte Community Bank (Chico, CA)
Contractor/Consultant/Branch:
None
Victims:
Butte Community Bank customers
Number Affected:
Unknown*
*"Butte Community Bank is state-chartered with 15 branches in 11 cities including Anderson, Chico, Colusa, Corning, Magalia, Marysville, Oroville, Paradise, Red Bluff, Redding and Yuba City."
Types of Data:
Names, addresses, Social Security numbers, and account numbers.
Breach Description:
A laptop computer containing sensitive personal information about Butte Community Bank customers was stolen from an employee who travels to each of the bank's fifteen (15) branch offices. The theft occurred in mid-October, 2007.
Reference URL:
The Paradise Post Story
Chico Enterprise Record Story
Report Credit:
Jennifer Barker, Staff Writer for the Paradise Post
Response:
From the online articles cited above:
"Chico-based Butte Community Bank notified an undisclosed number of customers this week that a laptop computer probably containing their names, addresses, Social Security numbers and account numbers was stolen in mid-October."
"Bank officials refused to say how many customers were mailed the notice, which was dated Oct. 24."
"They said the laptop was stolen from a bank employee who carries it from branch to branch, but declined to say exactly where it went missing."
[Comfyllama] This is the type of behavior that screams "BREACH"! Someone thought it would be alright to carry a laptop from branch to branch containing sensitive personal details without encryption.
"The notice tells customers the computer database is protected by a password, which should keep the information from being accessed."
[Comfyllama] A password by itself does not provide assurance that information is secure. This fact has been proven over and over. This is a false assumption on the part of the bank.
"Bank officials said they believe the thief was after the laptop, and not the information it contained. They concede, however, that a sophisticated computer hacker might get past the security system."
[Comfyllama] A "sophisticated computer hacker"? How about a simpleton that knows how to type on a keyboard into a Google search?
"The bank doesn't allow employees to take computers with personal banking information out of the building. The bank did not say which branch the employee was working from or where he was traveling to when the laptop was stolen. The employee who was responsible for the laptop was held accountable, according to the bank representative."
[Comfyllama] So is it safe to assume that there is a policy stating such?
"We have a right to know how this happened," said Stirling City resident Madelyn Henry. She received three notices on three different accounts.
[Comfyllama] You absolutely do have the right to know! This information belongs to the victims, NOT the bank. People have a right to know what a company does with their information throughout the entire life-cycle with the company.
"Henry said she was told the bank will assume liability for any missing funds reported by customers within a month after they discover the loss. She said she wasn't sure that included losses through identity theft or other financial scams, and intended to call the bank for clarification."
[Comfyllama] A month?! The more I read, the more I am disgusted.
"She said a bank representative told her Butte is no longer putting sensitive information on laptop computers."
[Comfyllama] This conflicts with the earlier statement about how the bank does not allow it already. We might be able to chalk this up to hearing it second-hand through news reports.
Katie "Stecher said she asked the bank representative if she should be worried, the representative replied on a scale from one to 10 it would be two, though she suggested monitoring accounts for the next year."
[Comfyllama] This would be humorous if we weren't talking about people's lives. Do you suppose this bank representative has conducted a thorough analysis of the situation and is well versed in such things as risk and probability? I doubt it.
"In the notice, customers are directed to call a toll-free number, 1-, with questions."
"Officials advise customers to monitor their accounts for the next year or two, and promptly report any incident of attempted or suspected identity theft to Butte Community Bank."
Victim Reactions:
"We have a right to know how this happened,"
"I called the number they put in the notice, but I pretty much got stonewalled,"
"I used to trust my bank. Now I don't trust it so much,"
Commentary:
The responses in the articles referenced above are so "off-the-wall", and I don't know if this is because the bank is this poor at securing information or if this is because we are hearing the information second hand through the two news outlets. Based solely on the information in the reports this breach resulted from poor information security management, but the responses take "poor" to another level.
Past Breaches:
Unknown

Recently, I wrote a letter to Butte Community Bank's General Counsel. The letter was sent by certified letter, return receipt requested. In response, I received a boilerplate letter in which they cut and pasted the same tired excuses they gave to the local newspaper.
The local newspaper frequently carries the bank's advertisements and like most local papers acts as an extension of the Chamber of Commerce and dutifully accepted and slavishly printed the bank's every word without question. Hence, their business reporting is more lapdog than watchdog. Like a White House press conference, the local paper never asks the (obvious) tough follow-up questions that are thankfully asked here on BreachBlog.
My response letter was signed by Beverly Brinker, Administrative Vice President, Audit/Compliance department. What is really frightening is the fact that they blew off my (modest) request to provide credit monitoring. Credit Monitoring, as we all know, is commonly offered by companies who have had their outdated personal information policies exposed as weak, non-existent, or just plain illegal.
Folks, I even directed their attention to the fact that I'm an experienced pro-per litigant in Federal Consumer Law and went so far as to provide them with the PACER citation to look up what happened to the last corporation that tried to mess with my rights guaranteed under federal consumer protection statutes. (The settlement terms are protected by a non-disclosure agreement, hee, hee.)
I might add that I could not be more happy banking with their bank but just wished I did not have to school the higher-ups who obviously suffer from a severe learning disability and a frightening lack of empathy for their customers' legitimate concerns.
Oh well, the filing fee in the U.S. District Court for the Eastern District of California is only $250.00 and pro-per litigants' cases are routinely assigned to just one judge:
Senior District Judge Lawrence K. Karlton (Jimmy Carter Appointee). LOL
He is, without a doubt, the ideal judge to hear a consumer law case.