Bank of NY Mellon Breach Much Bigger than First Announced
Forensics Investigation Reveals 12.5 Million Customers Impacted
The Bank of New York Mellon (BNY Mellon) has announced that the data breach that occurred back in May is much bigger than the 4.5 million records originally announced. The bank now says that another 8 million customers were affected by the breach, bringing the total figure to 12.5 million, which may make it the largest data breach of the year.
Back in May the bank informed customers that 4.5 million customer account details, including names, addresses, dates of birth and Social Security numbers, had been compromised after two sets of tape backups went missing from a third-party courier.
After the initial review of the event, the bank says in a prepared statement, "A subsequent re-examination by an industry-leading forensic investigation firm of the analysis applied to the lost tapes led to the identification of additional individuals."
Ron Sommer of Bank of New York Mellon's Corporate Communications Department confirms the re-examination found 8 million more names.
This news brought quick reaction from Connecticut Governor Jodi Rell. "It is simply outrageous that this mountain of information was not better protected, and it is equally outrageous that we are hearing about a possible [eight] million additional individuals and businesses six months after the fact," Rell says in a statement on the Connecticut Governor's website. "We fear a substantial number of Connecticut residents are among this latest group."
One Bridgeport, CT bank, People's United Bank, had 556,000 customers affected by the May announcement. The tapes went missing in February.
BNY Mellon says it has begun to notify these additional customers. Under Connecticut state law, banks are required to immediately notify customers when such information is lost. "Had the hundreds of thousands of Connecticut residents affected been notified immediately that their data had been compromised, they could have taken steps to protect themselves," Rell notes. The governor has told her consumer protection office and the state's attorney general to pursue "all remedies available" under Connecticut law against the bank, including a substantial fine, customer restitution and other penalties. Connecticut's consumer protection department has subpoenaed the bank to get details on the extent of the breach, the timeline and conditions of the tape loss, copies of law enforcement and security reports filed, and the names and addresses of all Connecticut customers whose data was on the missing tapes.
Since May, the bank says it has hired a leading independent consultant to review its security policies and procedures, and has implemented a companywide program "when technically feasible" to require that confidential data be transferred within the bank via electronic encryption to "minimize the need for data storage tapes and their transport." It also says it has introduced stringent standards for confidential data transport and a bank-wide awareness and training program on data security for all employees.
The bank set up a web site (www.bnymellon.com/tapequery) with additional information for customers, and is offering two years of free credit monitoring, $25,000 worth of identity theft insurance, and a free credit freeze on all three national credit bureaus, despite saying that there is no evidence that the missing tapes' data has been used or sold.