First State Bank of Pinedale lost a data tape
Date Reported:
9/23/08 (notification letter dated 8/20/08)
Organization:
Wells Fargo & Company*
*"In 2006, First National Bank Of Pinedale became part of The United Bancorporation Of Wyoming" (Source: Customer Service) and "Wells Fargo & Company (NYSE:WFC) and United Bancorporation of Wyoming Inc. said today they have signed a definitive agreement for Wells Fargo to acquire United Bancorporation of Wyoming’s five banking operations in Wyoming and eastern Idaho." (Source: Wells Fargo News Release dated January 15, 2008)
Contractor/Consultant/Branch:
First State Bank of Pinedale
Location:
Pinedale, Wyoming
Victims:
Adult and minor customers
Number Affected:
Unknown
Types of Data:
"name, address, Social Security number, and information, including account numbers, about your current First State Bank of Pinedale accounts and any First State Bank of Pinedale accounts you have closed since June 2005"
Breach Description:
A "bag" containing a data tape used by the First State Bank of Pinedale was lost in transit between processing sites. The lost tape contained sensitive personal information belonging to customers of the bank.
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
At First State Bank of Pinedale we value the relationship we have with you and the trust you have in us.
[Evan] As well they should! They have their customers' money (and personal information).
Regretfully, we have learned that a bag containing a data tape, which had information about you and your First State Bank of Pinedale account(s) on it, was lost while being transported between processing sites.
[Evan] I presume that the data tape was not encrypted.
The tape included your name, address, Social Security number and information, including account numbers, about your current First State Bank of Pinedale accounts and any First State Bank of Pinedale accounts you have closed since June 2005.
[Evan] Three plus years of very sensitive, poorly protected personal information on a lost backup tape. Ugh.
As soon as we learned that the bag did not arrive at its destination, we immediately contacted law enforcement and began our own thorough investigation.
Because we believe the lost bag may have been discarded and because special equipment is needed to retrieve the tape's contents, it is highly unlikely that your information will be misused.
[Evan] Was the lost bag lost or thrown away, meaning what leads the bank to believe that the bag may have been discarded? I don't buy into the "special equipment" argument because I don't believe that requiring "special equipment" is an adequate control. Without knowing details, I would guess that the "special equipment" is a tape drive which really isn't very "special".
Nevertheless, we continue to work with the authorities to locate the bag and tape.
At this time there is no indication that your information has been misused, but we encourage you to take steps outlined in this letter and enclosed information sheet to reduce any potential risk to you.
To further protect you, we have arranged for a free one-year membership to Identity Guard CreditProtectX3.
If you have any questions, please call .
Phone Bankers are available to assist you Monday through Friday between 10:00 a.m. and 4:00 p.m., Mountain Time.
Thank you for your attention in this matter.
We apologize that this situation has occurred and for any concern it may cause you.
Commentary:
There is no mention of whether the facts surrounding this incident were a violation of policy. There is no mention of policy at all. There is no mention of what the bank plans to do, if anything, to reduce similar incidents in the future. I get no sense of information security from the breach notification. What exactly does The First State Bank of Pinedale do to protect customer information? I don't necessarily need to know, but the customers do.
There is little excuse for not encrypting backup tapes containing information as sensitive as that which was included on this tape. Unfortunately, GLBA does NOT require financial institutions to encrypt non-public customer information, but this should not prevent an institution from doing the right thing anyway.
Past Breaches:
Unknown

You mention "Do the right thing...". What seems to be a pattern in corporate America, they continue to not do the right thing until a law is written forcing them. Similar to when SOX compliancy was brought into existence. Laws have to be written to make them responsible. Ridiculous!
You are absolutely right!
The end result is a lot of wasted money by organizations attaining and maintaining compliance. It seems to me that many regulations are meant to force companies to do what they were supposed to have been doing all along. The problem is that many organizations are run poorly and the executives who run these organizations do not intimately understand the environment in which they operate. Many executives understand "the market", "the bottom line", "margins" and other revenue generating/accounting-type dynamics, but a relative few understand how to manage the risks involved with the business. Executives should not only be able to explain to shareholders what the company will do to attain market share, but also be able to explain what they intend to do in order to protect it. The problems will not vanish.
Of course you have the flat out criminals too, but these people will still flourish, just in a different manner.
Hi Evan,
Pinedale was one of five Wells Fargo banks that had data on that lost tape. The other affected banks were Shoshone First Bank in Cody and Powell, Jackson State Bank & Trust, Sheridan State Bank, and United Bank of Idaho in Driggs.
Why lose just one bank's data when you can lose 5, right?
What gets me is that these organizations never seem to know for sure what's on lost tapes (aka BNY Mellon). I used to handle customs documentation and international shipments for a large firm years ago. They had this amazing little concept called a "bill of lading" that specified all of the contents in a shipment. Shouldn't these backup tapes also have a bill of lading of sorts that specifies exactly what's on them, etc. "Of course!" you say, stunned by my brilliance.
Gah....