BNY Mellon Shareowner Services loses backup tape

UPDATED on May 7th, 2008

Date Reported:
3/26/08

Organization:
Science Applications International Corp. (Current and former shareholders of SAIC are reported as victims on May 7th, 2008)
The Bank of New York Mellon Corporation

Contractor/Consultant/Branch:
BNY Mellon Shareowner Services

Victims:
Clients

Number Affected:
~3,500

Types of Data:
"personal information including names, Social Security numbers and possibly bank account numbers"

Breach Description:
BNY Mellon Shareowner Services "has notified about 3,500 individuals -- some of them Maryland residents -- that the company lost a box of computer data tapes last month storing personal information including names, Social Security numbers and possibly bank account numbers".

Reference URL:
The Baltimore Sun
San Diego Union-Tribune (UPDATE)

Report Credit:
Liz F. Kay, Baltimore Sun reporter

Response:
From the online source cited above:

A Pittsburgh-based shareholder services firm has notified about 3,500 individuals -- some of them Maryland residents -- that the company lost a box of computer data tapes last month storing personal information including names, Social Security numbers and possibly bank account numbers

BNY Mellon Shareowner Services, which assists clients such as MetLife, sent letters to affected shareholders of such clients offering them 12 months of free credit monitoring and other assistance
[Evan] It's not "free".  Somebody pays for it.  So with credit monitoring, affected persons would be notified AFTER they become an identity theft victim, IF they become an identity theft victim.  The monitoring lasts for 12 months, at which time what happens?

"We have received no indications that there's been any inappropriate use of the data on the tapes,"

The company backs up its computer database every day and sends the tapes to a secure storage facility

On Feb. 27, a courier told them that one box could not be found.

BNY Mellon investigated to determine what kind of information the tapes held and notified its clients.

It then sent a letter to the shareholders.

The company estimates that less than 1 percent of its 35 million clients nationwide have been affected
[Evan] So?  Is this statement meant to minimize the impact of this breach, or what?

Commentary:
Was the information on the tape(s) encrypted?  There was no mention, so I assume that it was not.  Continuing with this assumption, this means that BNY Mellon Shareowner Services sends unencrypted customer database back-up tapes offsite every day.  Does anyone else see an unnecessary risk here?  Unnecessary and likely unacceptable.

Now let's assume that the information was encrypted and the keys are managed well.  Risk of exposure is minimal.  In most states there isn't even a requirement to go through the expense of notification.

Past Breaches:
Unknown


 

Comments

  • 3/31/2008 9:59 AM T Soprano wrote:
    I received BNY Mellon's notice - I was a former UPS employee and Mellon is the transfer agent for the Employee Stock program. Ironically, I don't have anything in the account, but my records were obviously still being maintained. The offer for 'free' credit monitoring is a load of junk - and seems to be the big fix for these losses. Also, it seems as though UPS has been the 'carrier' for a lot of records loss that I have seen over the last few years...no sour grapes, just a fact. The article doesn't mention who the carrier was in this instance...I'm betting UPS...
    1. 4/3/2008 12:33 AM Christopher wrote:
      I posted previously (I don't know if it is up yet) and was looking for correlations between people involved. I missed the one right in front of me! It was you mentioning UPS stock.

      I wonder if the lost box contained all past and present UPS shareholders. I am a current UPS employee and shareholder. Like you mentioned, BNY Mellon is the transfer agent for the Employee Stock Ownership program.

      Is there anyone else out there that received a breach letter and is a past or present UPS employee that used BNY Mellon as a transfer agent for the Employee Stock program?
    2. 4/3/2008 10:41 AM Concerned wrote:
      Accusing UPS as the carrier that lost this box of tapes without facts to back it up is an extremely reckless act. As you know, there are many other carriers out there as well as storage companies that have their own private fleets handling these types of shipments.
  • 4/2/2008 10:23 PM Christopher wrote:
    I also received a letter informing me that my personal information was compromised due to the mishandling of information by BNY Mellon.

    At the risk of being hyper-critical I ask: Was there a motive behind the loss of the box of tapes or was it purely a mistake by the archive services vendor? We will be sure of a motive if anyone involved becomes a victim of identity theft. I will report back promptly if that happens to me.

    Also, I am curious if there might be a correlation between the 35,000 individuals who were lumped together in the same box that was lost.

    My credit score is fantastic (hope it still is) and my last name starts with a K. Do these two facts correlate with anyone else who received the letter?
    1. 4/14/2008 2:37 PM marlene wrote:
      I am a retired UPS employee and rec'd a letter today also. I am wondering if anyone else is fearful of putting "all" their personal info on the Triple Alert Website in order to get the "free" monitoring!!!!!
    2. 4/14/2008 8:11 PM ba wrote:
      I got the letter today and I couldn't figure out what info was compromised until I found this blog--I am a retired UPS employee and my last name starts with A--What about my spouse??? his name and ss# is on my account--I am mad and I am calling Mellon tomorrow
  • 4/8/2008 11:18 AM Se wrote:
    I got a letter as well...
    1. 4/15/2008 9:22 AM Mary wrote:
      My husband (UPS) just received this letter yesterday (4/14). More than ONE month after the files went missing?? The letter wasn't certified, so who's to say we even received it?? Very lax of Mellon in my opinion....Who even knows for sure if this letter is from MELLON??
  • 4/15/2008 1:20 PM ba wrote:
    I called today my broker suggested making them send a letter stating that no personal info was compromised...UPS said they would---we will see--I also complained about the looks of the letter (ie Junk mail look) here is the direct #888-663-8325 this is UPS call center..
  • 4/22/2008 5:18 PM Joan wrote:
    I tried to verify if the letter really is from Mellon. Their address for Mellon Shareowner Services online is listed as: PO Box 358016 Pittsburgh, the address on the letter is: PO Box 358630. The phone# listed online for MSS is: 800-522-6645. The letter says: 877-277-2069. When I checked Experian's website, they offer something called "Triple Advantage." The letter says it's Triple Alert. Has anyone been able to verify if the letter is really from Mellon? My husband got the letter for a now-defunct 401k account. We put a credit freeze out on both our names.