Drama surrounds People's United Bank breach
Technorati Tag: Security Breach
Date Reported:
4/6/08
Organization:
People's United Bank
Contractor/Consultant/Branch:
Various branches
Victims:
Customers
Number Affected:
"hundreds"
Types of Data:
"confidential financial data" and "private information, including customers' Social Security numbers and account information"
Breach Description:
"For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information."
Reference URL:
The Connecticut Post
Newsday/Associated Press
Report Credit:
The Connecticut Post
Response:
From the online sources cited above:
For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information.
Bank employees didn't know what Hastings was doing until the Fairfield resident told them and delivered a video depicting him digging through the Dumpsters and sitting in front of a wall in his home he had papered with the documents.
[Evan] People's Bank would have had no idea that confidential documents were taken from dumpsters had Mr. Hastings not approached them. How long could the practice of discarding confidential information in the garbage have gone on before someone else noticed? How long has this practice been accepted, and is it still occurring?
The bank got a restraining order against Hastings on March 20, and detectives from the State Police, on a search-and-seizure warrant, raided his home. He is scheduled to appear in Bridgeport Superior Court Monday and he said he could face prison for violating the order the bank secured from the court to stop Hastings from discussing or distributing any of the material.
[Evan] Judging from what I read, Mr. Hastings is appearing in court to face charges of violating the restraining order, not for taking the documents from the dumpster. I don't think it's against the law to rummage through dumpsters. If it were, how could you enforce it well?
The restraining order also came into play Wednesday when Hastings tried to turn over the remaining boxes of documents to Attorney General Richard Blumenthal.
The AG's office late Wednesday refused to talk to him until lawyers there investigated the restraining order. It had not made a determination on how it can proceed.
[Evan] This is sad. I think it is in the public's and the victims' best interests to have the Attorney General investigate fully.
In a series of interviews, Hastings says he's not an identity thief. He says he wants the bank to react to what he calls a serious lapse in security.
[Evan] The bank has reacted, but obviously not in the way Mr. Hastings had preferred.
On Tuesday, he displayed two boxes filled with documents he says he culled from bags of garbage People's United Bank threw away.
People's, however, doesn't see it that way, and said Hastings is attempting to extort money from the bank. It is also demanding the information be turned over to the bank.
Brent DiGiorgio, a People's spokesman, says the bank's primary concern is protecting the customers' information that Hastings has taken.
[Evan] If "protecting customers' information" were the bank's primary concern, then should they have done more to disallow these documents to be thrown in the garbage? Should they address the root issue more aggressively? The information that Mr. Hastings found does not belong to the bank, the information belongs to the victims.
"We're going to provide one year of free credit monitoring for customers whose information was taken when this gentleman rummaged through our trash," DiGiorgio said.
[Evan] Big deal. Broken record... Credit monitoring helps to alert a person only after they have become an identity theft victim. A one year time frame is insufficient for information that has a life span which far exceeds this limit.
He said the bank notified police immediately when it found out what Hastings had. That notification resulted in a search of Hastings' home and the seizure of documents.
Letters are being mailed out to affected customers, DiGiorgio said.
About four months ago, Hastings says he was driving out of a People's branch parking lot in Fairfield when he saw a Dumpster brimming with garbage bags. When he looked more closely, he saw the clear garbage bags were stuffed with financial documents.
[Evan] An opportunist.
Hastings says he wanted to try to determine the extent of the problem, so he says he worked nights and weekends digging into Dumpsters at People's and other financial institutions.
"I'm disgusted by what I've pulled out of those bags," Hastings says, adding that the paperwork contains information on how much money individuals have in their accounts and where they live. He's got Social Security numbers and more on customers.
"I've got a guy in here that's got $8 million in gold," Hastings says.
He turned over a lot of those documents to police during the raid, but retained some in boxes, he says, that he hoped Blumenthal's office would accept.
During trips to People's branches from Stratford to Stamford, he made a video, he claims, to protect himself from the charge of extortion. "It needs editing," he said, before turning one of the many discs over to the Connecticut Post.
There are applications for credit cards, reports on bank deposit and account information.
Hastings says after several months he contacted People's and the bank set up a meeting with him. On March 19, he met with People's Director of Corporate Security William A. Gniazdowski.
Gniazdowski's affidavit of the meeting is on file with the court.
In it, he says Hastings went to the bank's headquarters at Main Street in Bridgeport, met with executives and dropped off DVDs and toy handcuffs. In the video the bank saw, and Hastings confirms, he wears an orange jumpsuit to indicate People's employees should face criminal charges if any of this private information is made public.
[Evan] I can think of a more tactful way for Mr. Hastings to present the information.
Gniazdowski says Hastings asked People's to hire him as a "fraud consultant." When Gniazdowski asked what would happen if the bank didn't comply, Hastings allegedly said he'd take "great pleasure shoving it up their nose."
[Evan] Thus the charge of extortion.
Hastings said the bank's security chief trapped him in the room and wouldn't let him leave, so Hastings got mad and told the security officer to take the DVDs and shove them up his nose.
[Evan] Thus the defense.
As for the charge of extortion, Hastings says, that's the bank trying to protect its reputation.
The fact that the police didn't arrest him when they searched his house shows that it's clear he wasn't trying to extort anything, he says. He adds that if he were a criminal he would have never gone to the bank because he could be living off the information he found. He noted the bank didn't know he was out there until he came to People's.
[Evan] More defense.
Hastings, who admits he's concerned about his freedom and reputation, says he wishes he'd never started this, but now that he has he's not going to just roll over.
He volunteered that he has a record. He was arrested and served a two-year probation for trying to secure drugs from a pharmacy by impersonating a doctor, but that was for a painkiller he needed, and he was convicted of drunken driving. The Post confirmed he has a small criminal record.
As for what he offered the bank, Hastings says, "What I said is you need a consultant. You don't need to hire me."
The bank disagrees, and a law professor says he would tend to side with the bank.
[Evan] Interesting choice of words. I assume that the professor is basing his assumptions on past experiences and not necessarily on the detailed facts of this case.
Jeffrey Meyer, a Quinnipiac University Law School associate professor and former assistant U.S. attorney, says he's heard of situations like this, but they usually involve computer hackers.
In those scenarios, a hacker finds a weakness in a corporation's Web site, exploits it and sabotages the site. The hacker will do it several times, Meyer says, before contacting the company to suggest it hire him or her as a consultant.
This has resulted in prosecution for extortion, Meyer says.
"It's the quid pro quo," Meyer said, which makes it a problem.
If the person demands payment not to damage the company, "it certainly crosses the legal line," he said.
This is not the first time Hastings says he's investigated a company's procedures and asked to be hired as a consultant. He says he found a problem with a cell phone company and it paid him $10,000 as a consultant in the late 1990s.
Hastings said the bank's Dumpsters aren't properly secured and it isn't shredding documents.
[Evan] Yes, the ROOT of the problem. We shouldn't lose sight of the fact that the bank did not adequately secure the personal information of some of its customers. If the documents had been destroyed appropriately, we would have no story, no search warrant, no restraining order, no court case, no victims, etc., etc. This is all a waste of valuable resources due to poor security (business) practices.
"We believe this is an isolated incident to the greater Bridgeport and greater Stamford," DiGiorgio said. "It's unfortunate."
[Evan] It is more than "unfortunate"!
DiGiorgio says the bank has training on how to safeguard customer information and takes that obligation very seriously. It is reviewing its policies, he said when asked if People's will still throw documents into Dumpsters.
"We do have a policy of how to dispose of customer information," DiGiorgio says, but security reasons prevented him from revealing what those policies are.
[Evan] Why do people state that they cannot disclose a security policy for "security reasons"? There is no "confidential" information in any one of the security policies I write for companies. Maybe "internal" information on occasion. Sometimes there is "confidential" information and processes in procedures, but never in policies. I share my information security policies openly with colleagues and partners.
DiGiorgio says that since Hastings went to the bank it has posted "no trespassing" signs and has installed locks on the Dumpsters it controls. But the bank shares some of those receptacles with other companies and therefore cannot lock them.
[Evan] No trespassing signs and locks are a deterrent to the casual opportunist, but do not stop criminals. I'm not saying it is or is not a good practice (I don't have enough detail), but proper shredding is optimal.
While the bank is reviewing its procedures, DiGiorgio said it does not believe that Hastings has a right to take the documents to "extort money from the bank."
[Evan] The question is his motive I suppose. I don't think he broke the law by taking the documents out of the garbage, but the legal questions surround what he intended to do with the information.
Blumenthal said Thursday his office is still investigating the matter and attempting to verify Hastings' story.
But he said in an earlier interview banks have a legal responsibility to secure customers' financial information.
[Evan] Amen.
Blumenthal questioned how People's could be securing customers' information by throwing it away unshredded or even shredded in a state that could be pieced together.
[Evan] Wait. Now, Amen.
The bank "might have an explanation," Blumenthal says. "But then again it might want to change its current practices or buy a new shredder."
Commentary:
Another interesting story. The circumstances and drama that surround this breach should not take away from the original cause. It seems as though the bank broke the law by not adequately securing customer information and Mr. Hastings may or may not have broken the law in the way he handled the disclosure. I guess the lawyers will have to haggle and the court will ultimately have to decide.
Past Breaches:
Unknown
