The time is October 2012. TD Bank was sending out notifications to their customers to let them know that two backup tapes had been missing since March. The contents of said tapes: personal customer data. The bank claimed that these tapes were shipped to one of their locations, but got lost along the way and they’d been unable to find them.
The bank said at the time that there was no proof that the tapes were being used inappropriately and that it was an “isolated incident that is being internally investigated and reported to law enforcement.” The customers affected were offered credit monitoring and identity theft protection.
Fast forward two years and the bank has agreed to pay $850,000 to settle suits across multiple states. The states included are New Jersey, New York, Florida, Maine, Maryland, North Carolina, Pennsylvania and Connecticut.
According to prosecutors, 1.4 million files and 1,800 different file types that had been collected over 10 years were lost in the data breach. Shockingly, the data on the backup tapes was unencrypted, meaning that it could be viewed by anyone who possessed the tapes.
The bank stood by its statement that it had not detected any unusual incidents of fraud among the customers impacted by the incident, and it continues to monitor the accounts to ensure there is no suspicious activity taking place.
“Since first reporting this issue in fall 2012, TD Bank has been continually enhancing our technologies and processes to better protect the personal information of our customers,” said the bank in a statement.
The settlement’s terms state that the bank must reassess and change its practices in order to make sure that nothing like this incident ever happens again. As part of these changes, backup tapes will not be transported unless they’re encrypted. The firm will bi-annually review its policies on collection, storage and transfer of user data. Employees will also receive training.
“This agreement highlights our efforts to evolve our security controls to further benefit our customers,” the bank said. “TD Bank has settled with the Attorneys General in an effort to resolve this issue. To date, the bank has not detected any unusual incidents of fraud related to customers who were impacted by this incident, nor has any customer reported any to us, and we continue to monitor customer accounts for fraud.”
For some, this may be too late. It is far easier to destroy trust in a company than it is to build it, and the likelihood is that a lot of customers may simply no longer wish to bank with TD Bank. The fact that a bank was not even encrypting its backup tapes, let alone while they were in transit, is truly shocking. All good businesses should practice good encryption standards, but for a bank not to do so is poor.
The agreement also notes that the bank must alert state residents of any future breaches or loss of personal data much sooner than they did two years ago.
TD Bank Fined After Losing User Data Backups