Commerce Bancorp employee gives out customer info
Date Reported:
11/13/07
Organization:
Commerce Bancorp
Contractor/Consultant/Branch:
None
Victims:
Certain Commerce Bancorp customers
Number Affected:
Unknown*
*"It's a matter that's impacting a small number of our three million customers in a relatively small geographic area," Commerce spokesman David Flaherty said. The terms "small number" and "small geographic area" have not been defined.
Types of Data:
"personal information as names, addresses, social security numbers and account numbers"
Breach Description:
On November 12th, 2007, Commerce Bancorp Inc. confirmed that an employee may have given sensitive personal information to an unnamed outside party, and it has warned some customers of the potential for identity fraud.
Reference URL:
The TradingMarkets Story
The Philadelphia Business Journal
Story at phillyburbs.com
Report Credit:
The Philadelphia Inquirer - McClatchy-Tribune Information Services
Response:
From the various sources cited above:
Some Commerce Bank customers are being told their personal information may have been leaked to people outside the Cherry Hill-based financial services company.
Commerce spokesman David Flaherty wouldn't say how many customers are in danger of having their data used fraudulently or where those customers bank.
"It's a small segment of our customer base, which is 3 million people, and it covered a limited portion of our footprint," Flaherty said Tuesday. He declined to elaborate.
[Comfyllama] I think this statement requires some elaboration! What the H-E double hockey sticks does "footprint" (implying geography) have to do with it? Philadelphia does not take up a very large geographic area, but has 1,517,550 residents.
The lending institution mailed letters Friday to the affected customers, warning them that their personal data could be used for identity theft. Those who don't receive letters in the next few days should be in the clear, Flaherty said.
[Comfyllama] Sorry, but "should be" is not good enough.
They're also providing affected customers a year's worth of credit monitoring services -- something that goes beyond what's required by state laws in New Jersey, Delaware and Pennsylvania.
Flaherty wouldn't identify the Commerce Bank employee who is accused of forwarding customers' personal information to one or more people who weren't affiliated with the company. He also wouldn't say what the woman's job was or reveal where she worked. He also wouldn't say if she has been fired.
"We're working with our internal security folks and working with federal and state law enforcement officials on this," said Flaherty. "The appropriate authorities have been notified."
Commerce, which is the second-biggest bank in the Philadelphia region by deposits, discovered the breach through an internal investigation and sent letters to affected customers. Those letters started arriving Saturday, Flaherty said.
Commentary:
There isn't much information floating around about this breach and Commerce Bank isn't offering much. I can only assume that the employee gave the information out by accident or because she was duped into it. In order for this breach to affect more than just a couple of people, you would think that technology must have been involved, such as a phish, email or inadvertent file transfer. I'm going to place my bet on a phish and I am going to further speculate that this happened as a result of poor training and awareness.
This breach reminds me of a time I was told by the CIO of a major bank that "we don't have to be secure, we just have to be more secure than the next guy." This same CIO could not understand why it was important to encrypt data between ATMs and the bank. Believe it or not, this guy is still employed at the same bank. I'm not sure why I am reminded of these encounters.
Past Breaches:
Unknown
