In late December, Bank of America (Charlotte, N.C., $736 billion in assets) lost computer data tapes containing information about 1.2 million federal employees, including their names, Social Security numbers, addresses and account numbers for SmartPay travel cards administered by the bank.
The tapes included information about both open and closed accounts. Of the 1.2 million people affected, 900,000 are members of the Department of Defense (DoD), which has about 700,000 active civilian employees.
The bank acknowledged the loss last Friday in a press release. "We deeply regret this unfortunate incident," said Barbara Desoer, global technology, service and fulfillment executive for Bank of America. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."
Heading up the investigation is the Secret Service, with assistance from the Defense Criminal Investigative Service (DCIS), which is the investigative arm of the Inspector General of the DoD. The DoD also indicated that it had no plans to discontinue the use of Bank of America for its charge card accounts, but is currently assessing program requirements with regard to security.
No use of the information for fraudulent activity has been detected, according to the DoD. Bank of America will continue to monitor all affected accounts, coordinate with credit bureaus on said monitoring and notify by mail all affected cardholders.
Tales From the Unencrypted
The incident raises concerns about the level of protection of data in transit, and about the threat to the financial networks and even to national security.
John Pironti, a security consultant at Unisys (Blue Bell, Pa.), was reminded of the security breach at Los Alamos National Labs last year. "All of the data was unencrypted," he said. "[At Los Alamos,] they went down the path [that] in an emergency situation, they couldn't manage the key management around the encryption -- which I don't buy."
"It is possible," Pironti adds. "It just requires change."
In the case of the banks, problems of this nature can arise when arranging data transfers to outsourcing providers. Thus, it's not necessarily mergers and acquisitions that cause the problem. "In a merger, you can work a plan that says, 'We're going to be compatible,'" said Pironti. "They do this stuff because they have incompatible systems [with another company]."
The impact of the lost data has yet to be determined. Since the lost data included Social Security numbers, addresses and other information that might be used to create false identification or to open bank accounts for money laundering, it is plausible that the incident was the result of a targeted theft. "Information regarding travel card program accounts for individual card holders has been lost, and it is possible that that information has been compromised, though we don't believe that that is the case," said Teresa McKay, the Defense Department's deputy chief financial officer, in a press release.