January 12, 2006

Here we go again.

On the heels of a string of high-profile customer data breaches that have consumers scrambling and privacy advocates saying "I told you so," People's Bank says that a backup tape containing personal information on 90,000 customers was lost while being transported by UPS to credit reporting bureau TransUnion.

The tapes, which are the focus of a joint investigation by People's Bank, TransUnion, and UPS, contained names, addresses, and bank account and Social Security numbers for customers who have a form of checking account overdraft protection called personal credit lines. The bank says that information is not sufficient to gain unauthorized access to customer accounts, and that data such as account balances, debit card numbers, passwords, PINs and birthdates were not on the tape. People's Bank has sent letters to affected customers alerting them to the data loss, and it's offering them a year's worth of credit-monitoring services free, a step that has become customary when such breaches occur.

The bank also says that the data on the tapes can't be accessed without sophisticated mainframe equipment and specialized software. A bank spokeswoman says the bank will begin shipping data to credit-reporting agencies via encrypted electronic transmissions later this month, and that backup tapes no longer will be sent. That move was not spurred by the lost tape incident. "We had seen that some of these instances were occurring, so we started making plans in 2005," says the spokeswoman.

A UPS spokesman says that although the whereabouts of the tape are still unknown, there is no reason to believe it was stolen. UPS is conducting physical searches and crunching internal data in an effort to locate the tape. "We have not seen any evidence of tampering, fraudulent behavior, or theft of the tape," the spokesman says. "We're confident that a third party hasn't gotten hold of it."

The incident comes two weeks after Marriott Corp. disclosed that it lost a backup tape containing credit card data and Social Security numbers on 206,000 customers and employees of its Marriott Vacation Club International timeshare unit. A week before that, InformationWeek learned that the Department of Justice had mistakenly exposed the Social Security numbers of several people involved in department-related cases. And earlier in December, customer data breaches were disclosed by ABN Amro Mortgage Group, Ford Motor Co., and Wal-Mart Stores Inc. division Sam's Club. That string of incidents capped a year in which customer data breaches hit companies such as Ameritrade Holding Corp., Bank of America Corp., CardSystems Solutions Inc., Citigroup Inc., Choicepoint Inc., HSBC North America, and Time Warner Inc., as well as several universities.

ABOUT THE AUTHOR
Tony Kontzer may have spent the past 11 years of his life writing about business and technology, but there's so much more to his complex existence. He's the soon-to-be-divorced father of ...