This is unbelievable. Check out the official comment about how they "hoped it fell into a garbage can."
ABN Amro loses tape with data on 2 million mortgage customers; claims no customer identities compromised
By Tom Henderson Dec. 16, 2005 11:09 AM
ABN Amro Mortgage Group Inc., a subsidiary of Chicago-based LaSalle Bank Corp., admitted Friday that it had lost a computer tape nearly a month ago containing data for about 2 million residential-mortgage customers.
Data on the tape included the names of the customers, payment histories, account information and Social Security numbers.
About 320,000 are customers of Troy-based LaSalle Bank Midwest, which changed its name from Standard Federal Bank in September.
The company said the tape was lost while being transported by DHL from the mortgage company’s data-processing center in Chicago to a center in Allen, Texas, operated by Experian, one of the national credit-reporting agencies.
A package containing the tape was picked up Nov. 18 and never arrived at the Experian site. In the news release issued by ABN Amro Mortgage, no explanation was given for the delay between the time the tape was sent and the acknowledgment that it was missing.
“There have been no reports of anybody’s identity being compromised. Our hope is when it was lost, it fell into a garbage can or something,” said Robert Darmanin, vice president and director of corporate relations for LaSalle Bank Midwest. “We couldn’t be more disappointed.”
Thomas Goldstein, chairman and CEO of ABN Amro Mortgage, said in a statement, “We understand that this incident may cause concern for our customers, and we deeply regret that it has occurred. We have been notifying our customers and are dedicating resources to assist them and to answer any questions they have.”
Goldstein said the company is offering to enroll its mortgage customers in a credit-monitoring service of their choice for 90 days at no cost to them. He also said the company no longer delivers physical copies of data but transmits them by encrypted electronic means.
Darmanin said the tape was a copy and said the bank has lost no information.
posted: Dec. 16, 2005 @ 10:44a
unknownshopper
Senior Member - 6K
posted: Dec. 16, 2005 @ 10:54a
Yeah. So much for the whole idea of being safe by not showing your id to the cashier, eh?
Why did they delay? Hmmmm, partly the old "bury bad news on Friday" and a desire to avoid for as long as possible those pesky new reporting requirements.
BankruptThem
Senior Member - 4K
posted: Dec. 16, 2005 @ 11:09a
unknownshopper said: Yeah. So much for the whole idea of being safe by not showing your id to the cashier, eh?
Why did they delay? Hmmmm, partly the old "bury bad news on Friday" and a desire to avoid for as long as possible those pesky new reporting requirements.
1) The delay pisses me off. You are absolutely right.
2) I want to know why they are transporting such highly sensitive data (account numbers with social security numbers) in such a casual, sloppy way.
3) I want to know if the data was encrypted or not.
4) The following quote caused me to literally see red after reading it: “There have been no reports of anybody’s identity being compromised. Our hope is when it was lost, it fell into a garbage can or something,” said Robert Darmanin, vice president and director of corporate relations for LaSalle Bank Midwest.
ss315
Senior Member
posted: Dec. 16, 2005 @ 11:13a
Somehow I doubt it's in the garbage can. I wonder if the DHL guy is running a business on the side? Sounds suspicious.
dweick
Senior Member - 1K
posted: Dec. 16, 2005 @ 11:27a
unknownshopper said: Yeah. So much for the whole idea of being safe by not showing your id to the cashier, eh?
Why did they delay? Hmmmm, partly the old "bury bad news on Friday" and a desire to avoid for as long as possible those pesky new reporting requirements.
I don't think anyone has argued you are "safe" if you don't show your ID to a cashier. I think you are safer. Kind of like wearing a seatbelt, it doesn't make you safe but I think it adds to your safety.
Sending unencrypted tapes around the country by mail is just asking for trouble. How long is it going to be before the banks start being held responsible for the damage they cause thru their careless disregard for their customers' personal information?
News articles like this should be printed and saved for the day you have fraudulent activity on one of your accounts and the bank tries to say it must have been your fault because they have such wonderful security measures in place.
BankruptThem
Senior Member - 4K
posted: Dec. 16, 2005 @ 11:33a
dweick said: unknownshopper said: Yeah. So much for the whole idea of being safe by not showing your id to the cashier, eh?
Why did they delay? Hmmmm, partly the old "bury bad news on Friday" and a desire to avoid for as long as possible those pesky new reporting requirements.
I don't think anyone has argued you are "safe" if you don't show your ID to a cashier. I think you are safer. Kind of like wearing a seatbelt, it doesn't make you safe but I think it adds to your safety.
Sending unencrypted tapes around the country by mail is just asking for trouble. How long is it going to be before the banks start being held responsible for the damage they cause thru their careless disregard for their customers' personal information?
News articles like this should be printed and saved for the day you have fraudulent activity on one of your accounts and the bank tries to say it must have been your fault because they have such wonderful security measures in place.
Absolutely.
The banks might as well strap your data on the leg of a carrier pigeon, in the form of writings on napkin, and send the pigeon on its way. It's totally unacceptable and ridiculous.
I hope there is a severe and swift market punishment of ABN AMRO/Lasalle Bank for being so stupid.
Also, if any data is used for illegal purposes, the bank should bear full responsibility for restoring any financial losses that occur, and repairing credit damage. That's the bare minimum. Arguably, they should be financially punished just for being so sloppy and casual in the way they handled this data.
unknownshopper
Senior Member - 6K
posted: Dec. 16, 2005 @ 11:38a
dweick said: I don't think anyone has argued you are "safe" if you don't show your ID to a cashier. I think you are safer. Kind of like wearing a seatbelt, it doesn't make you safe but I think it adds to your safety.
I agree. I was just yanking your chain.
"2) I want to know why they are transporting such highly sensitive data (account numbers with social security numbers) in such a casual, sloppy way. 3) I want to know if the data was encrypted or not."
I probably could find out the exact behind-the-scenes details, but I think you already know the answers to your questions.
Look at it this way. Think of how many Xbox 360's went "missing" during the launch and have disappeared in shipment. With data tapes/carts, you're talking something about the same size, but arguably worth much much more. Not to say we should ignore the issue, but to provide a similar situation which frequently is exploited.
Unfortunately, ain't nuthin gonna change until the cost of doing something is less than the cost of doing nothing.
unknownshopper
Senior Member - 6K
posted: Dec. 16, 2005 @ 11:41a
BankruptThem said: The banks might as well strap your data on the leg of a carrier pigeon, in the form of writings on napkin, and send the pigeon on its way. It's totally unacceptable and ridiculous.
I hope there is a severe and swift market punishment of ABN AMRO/Lasalle Bank for being so stupid.
Also, if any data is used for illegal purposes, the bank should bear full responsibility for restoring any financial losses that occur, and repairing credit damage.
1. If they could save a buck that way they would. 2. There won't be. And posting the story right before lunch on a Friday just helps to ensure that. 3. Not in this Congress.
edit: FWIW, thanks for using "loses" and not "looses" in your title.
zuttopretear
Member
posted: Dec. 16, 2005 @ 11:52a
I have a mortgage account with them, and if they had notified the incident to their customers, I do not know about it. Also, to think that they only offer credit monitoring service for 90 days is ridiculous, most crimes would occur long after that as we would lose our guard with time span, not in the first few months when the news is still so fresh to us. Not long ago Ameritrade also lost a computer tape and they offered to monitor my credits for a year, I've since checked my accounts closely.
ss315
Senior Member
posted: Dec. 16, 2005 @ 12:21p
Given the inaction of the federal regulatory agencies, is there any chance of starting a class action lawsuit? Perhaps a lawyer can weigh in. The argument would be negligence for using such sloppy mailing systems. Or is using DHL to transfer sensitive data considered industry practice? IF it is, we have a larger problem.
I do backups in my company and our offsite provider picks up the tapes once a month and signs for every single one. The bad thing is that in most cases the data is stored as UNIX tar files, which are like zip files and can be opened with a variety of free programs.
You can encrypt it, but many companies don't do it because it adds to the restore time. If a disaster happens you have people calling you every 5 minutes asking how long is it until data is restored.
1. They waited almost a month to act? 2. They are offering a lousy three months of credit monitoring as a result? 3. How on earth could something this sensitive fall into a garbage can? Did they pile up a bunch of tapes in the back of a truck, loose?
I hope they get body slammed for this.
chuzzlewit
Senior Member - 1K
posted: Dec. 16, 2005 @ 1:34p
zuttopretear said: I have a mortgage account with them, and if they had notified the incident to their customers, I do not know about it
Don't worry, you'll get your letter by New Year's.
Also, to think that they only offer credit monitoring service for 90 days is ridiculous, most crimes would occur long after that as we would lose our guard with time span
Today's thieves are very quick, they can steal 2 million identities in no time at all.
bubba111
Member
posted: Dec. 16, 2005 @ 1:48p
unknownshopper said:
edit: FWIW, thanks for using "loses" and not "looses" in your title.
Agreed. How hard is it to spell and use this word properly?
manuel
Greedy Member
posted: Dec. 16, 2005 @ 1:54p
I have this image of thousands of tapes and cartridges from the IRS and SSA lying in garbage cans and dumpsters sprinkled through the nation.
However they have even less interest in disclosure and fewer legal issues - so we'll never hear about them, even on a friday.
ciba
Member
posted: Dec. 16, 2005 @ 2:41p
BankruptThem said: 2) I want to know why they are transporting such highly sensitive data (account numbers with social security numbers) in such a casual, sloppy way.
I'm curious what you would suggest as a good way to ship sensitive data. I would not think it to be unreasonable to argue that DHL is more secure than the USPS, but how many people mail tax returns?
BankruptThem
Senior Member - 4K
posted: Dec. 16, 2005 @ 3:16p
ciba said: BankruptThem said: 2) I want to know why they are transporting such highly sensitive data (account numbers with social security numbers) in such a casual, sloppy way.
I'm curious what you would suggest as a good way to ship sensitive data. I would not think it to be unreasonable to argue that DHL is more secure than the USPS, but how many people mail tax returns?
You're joking, right?
Even a 7-11 sends a safe-load of cash by armored car.
We're talking about 2 million account numbers/social security numbers/d.o.b.'s, etc. here.
dweick
Senior Member - 1K
posted: Dec. 16, 2005 @ 3:49p
ciba said: BankruptThem said: 2) I want to know why they are transporting such highly sensitive data (account numbers with social security numbers) in such a casual, sloppy way.
I'm curious what you would suggest as a good way to ship sensitive data. I would not think it to be unreasonable to argue that DHL is more secure than the USPS, but how many people mail tax returns?
USPS Registered Mail
Encrypt the data, if you can't encrypt it then at least put it in packaging that is tamper resistant so you can tell if someone mucked with it in transit.
I've heard that the US Government sends classified info via registered mail, but not 100% sure. DHL is pretty secure since it is supposedly scanned along the way. Backup tapes are not the same as cash, but I'm surprised they don't have pickups by Iron Mountain. They are a huge player in the business.
zuttopretear said: I have a mortgage account with them, and if they had notified the incident to their customers, I do not know about it. Also, to think that they only offer credit monitoring service for 90 days is ridiculous, most crimes would occur long after that as we would lose our guard with time span, not in the first few months when the news is still so fresh to us. Not long ago Ameritrade also lost a computer tape and they offered to monitor my credits for a year, I've since checked my accounts closely.
I haven't heard from them, either, and with 2 million identities to work with, it could take a while for folks to get around to using mine. 90 days is not enough.
I also wonder, can't they figure out with some reasonable degree of accuracy when the tape disappeared? I haven't looked into how DHL handles things, but with tracking like Fedex, they should at least be able to know that the last place it was handled was going onto flight ### or a truck at the LA distribution center, etc. That should narrow down finding where or at least who likely lost/took it.
BankruptThem
Senior Member - 4K
posted: Dec. 16, 2005 @ 5:32p
There has to be consequences for such careless handling of such sensitive data.
teplitsa said: I've heard that the US Government sends classified info via registered mail, but not 100% sure.
That's a fact, Jack! Classified info up to at least the secret level, needs only to be double wrapped. Then it's in the hands of the good ol' post office. Mr. McFeeley probably doesn't have a clearance, but he carries classified info daily.
unknownshopper
Senior Member - 6K
posted: Dec. 16, 2005 @ 8:42p
HawkeyeNFO said: teplitsa said: I've heard that the US Government sends classified info via registered mail, but not 100% sure.
That's a fact, Jack! Classified info up to at least the secret level, needs only to be double wrapped. Then it's in the hands of the good ol' post office. Mr. McFeeley probably doesn't have a clearance, but he carries classified info daily.
Chances are Mr. McFeeley does have a low-level security clearance.
teplitsa said: DHL is pretty secure since it is supposedly scanned along the way.
Yeah sure. Check out this news item from my local news:
A POLICE investigation continues after thousands of dollars of diamonds are missing after they were delivered to a local gas station instead of a jewelry store. There are $6,000 of diamonds missing after they were delivered to Exxon gas station on 3300 Guernsey St., instead of the intended Leva's Jewelry at 3300 Belmont St.
The two stores are a block apart and the DHL delivery person mixed up the streets during the delivery, and now the diamonds are missing.
Workers from the Exxon gas station are saying they did not know what was inside the package and threw it away after the delivery. Bellaire police said there is no evidence that suggests the diamonds were stolen by anyone.
The delivery service will probably have to reimburse the jewelry store for the missing diamonds.
GoDougGo
Happy Member
posted: Dec. 16, 2005 @ 10:02p
I'm a mortgage customer of theirs, and apparently my info was on the tape (I called them when I saw this post). I told them that they took too long to tell me, and they basically advertised to whoever has the tape, that if they plan to use it maliciously, to wait 90 days before starting. I asked them for more than 90 days of credit monitoring protection, and got nothing.
If anyone has any better luck getting something other than an apology, please let me know either here, or privately.
FWIW, here's a link to their statement: http://info.mortgage.com/
Thanks.
MeLikeDeals
Member
posted: Dec. 16, 2005 @ 10:02p
Regarding the comment about showing ID to cashier and safety: I work as a bank teller and I can tell you right now that EVERYTHING is in the computer and everyone working in the bank has access to everything. So, if we were to steal ur info/identity and sell it, we would have done so a long time ago. In fact, you're safer by showing ID because no one is stealing your money. Just last month, a man stole $20,000 from his mother's savings account by forging her signature. I personally have a flag on my account every time a check is cashed, money is withdrawn or an inquiry is made (i.e. what's my account number, I forgot it) ID has to be shown and signature matched because I have seen how many times STRANGERS steal ur account info and print checks.
BankruptThem
Senior Member - 4K
posted: Dec. 16, 2005 @ 10:14p
GoDougGo said: I'm a mortgage customer of theirs, and apparently my info was on the tape (I called them when I saw this post). I told them that they took too long to tell me, and they basically advertised to whoever has the tape, that if they plan to use it maliciously, to wait 90 days before starting. I asked them for more than 90 days of credit monitoring protection, and got nothing.
If anyone has any better luck getting something other than an apology, please let me know either here, or privately.
FWIW, here's a link to their statement: http://info.mortgage.com/
Thanks.
I spoke with their Troy, Michigan HQ today (LaSalle).
They are reviewing their response to this incident and may offer longer term credit monitoring.
People who are customers of ABN AMRO, LaSalle Bank (formerly Standard Federal) need to email, write letters and call to tell them that their initial response is pathetic and inadequate.
Maybe now they will have their offsite provider pick up the tapes, unless they ship all tapes to a central location in some other state and this is how this happened.
unknownshopper
Senior Member - 6K
posted: Dec. 16, 2005 @ 10:32p
BankruptThem said: People who are customers of ABN AMRO, LaSalle Bank (formerly Standard Federal) need to email, write letters and call to tell them that their initial response is pathetic and inadequate.
Actually, they need to write their lapdog congressmen/women.
This kind of exposure is not new. The only thing that's new is that there are requirements to make the exposure public, if unbelievably long after the fact. But the rules are that way because your congressmen caved.
The banks really only care about following the rules. And if it ain't in the rules, you can pound sand from now til doomsday and they ain't gonna care.
Until it costs less to do it more securely than it does to do it unsecurely and pay the fines, you ain't going to see measurable improvement.
I work for a major bank, Bank of America. The bank has lost data tapes before in the same way as ABN AMRO. We ship all of our data tapes off site to a data recovery center. There are two data recovery centers in the U.S., one in GA and one in Arizona. Each coast ships the data tapes to the nearest one. They are sent in these red hard turtle cases with a regular small masterlock that requires a key to open it. We use FEDEX to ship these turtles. Each major city has hundreds of servers and hundreds of tapes that get sent out daily to the data recovery sites. Quite a few end up "missing" or "lost." People see these turtles and probably think it's money or something of value inside, but when they get it home to break into it all they get are stupid DLT or LTO tapes that they can't do anything with. Most people or even computer nerds couldn't get access to the data tapes if they tried. Almost everyone uses LTO tapes and more than likely they use Veritas Netbackup to do the backup of data. A common thief wouldn't have a $3-4K LTO scsi drive and they also wouldn't have the power to setup a Veritas master server to do a "restore" of the data. And on top of all of that, they would need a catalog tape from Netbackup to tell the server what serial # tape has what data from what day and from what server. So in other words, if someone stole a data tape, they would need the catalog tape that tells Netbackup what that tape contains. What does this all mean? Your average Joe, who would steal or find this data tape couldn't do shi1t with it if he or she even tried to. FYI, I bank with a credit union and not with BOA. Pretty sad.
Edit: When I say "lost." I don't mean one tape gets lost but a "red tub" will get lost. We use two different red tubs. One holds 10 tapes while the other holds 20 tapes. If some of you don't know, the LTO tape we use can hold 200 GIG of data per tape. There is no way any company can transmit that much data/info daily to an offsite data recovery center from every bank site. BOA has thought of it but the bandwidth and time involved was way too expensive to get the links big enough on both sides and to purchase data silos to hold hundreds of terabytes of data.
I run Veritas at work and I don't think you need all that. The data is in tar format on the tape if I'm not mistaken. It's like Unix's version of Winzip and there are tons of free readers on the internet.
I haven't tried it, but may do so just for fun. I think all you need is the drive, computer connection and a way to read tar files on the tape. And then whatever way to read the data in the file. If it's SQL then something to read a SQL or Oracle database, etc.
If ABN is on LTO 2 or 3 then it's good since it will cost the thief a lot of money to buy the equipment unless they already stole it. If it's DLT tapes then they are screwed.
Where I work we are looking at a disk to disk backup system to make things like this old news. We are actually looking at Evault, and they said that BoA is a customer of theirs.
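The disagreement in the posts above (whether a tar-format backup needs a catalog to be read, and whether anything short of encryption protects it) can be turned into a pre-shipment check that a backup operator runs on a media image. This is an added example, not code from any poster or from any product named in the thread; the file name, the customer rows and the one-time-pad stand-in for the backup product's encryption are constructed assumptions.

```python
import io
import math
import os
import re
import tarfile
from collections import Counter

# Matches the ddd-dd-dddd shape only; it does not validate real SSNs.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def build_sample_backup(compress=False):
    """Constructed sample: a tar stream holding 50 fake customer rows."""
    rows = b"name,ssn,balance\n" + b"".join(
        b"Test Customer %d,900-00-%04d,1000.00\n" % (i, i) for i in range(1, 51)
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if compress else "w") as tar:
        info = tarfile.TarInfo("export/mortgage_customers.csv")
        info.size = len(rows)
        tar.addfile(info, io.BytesIO(rows))
    return buf.getvalue()


def otp_encrypt(data):
    """Stand-in for the backup product's encryption (assumption): XOR with a
    random pad as long as the data, so the example needs only the stdlib."""
    pad = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, pad)), pad


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte histogram; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_image(data):
    """Decide whether a media image may leave the building."""
    report = {
        "readable_tar": False,
        "members": [],
        "tar_ssn_hits": 0,
        "raw_ssn_hits": len(SSN_RE.findall(data)),  # plaintext visible as-is
        "entropy": round(entropy_bits_per_byte(data), 2),
    }
    try:
        # "r:*" also unwraps gzip/bz2/xz: compression is not encryption.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            report["readable_tar"] = True
            for member in tar:
                report["members"].append(member.name)
                if member.isfile():
                    body = tar.extractfile(member).read()
                    report["tar_ssn_hits"] += len(SSN_RE.findall(body))
    except (tarfile.TarError, OSError, EOFError):
        pass  # not parseable as tar: nothing was recovered without a key
    report["ok_to_ship"] = not report["readable_tar"] and report["raw_ssn_hits"] == 0
    return report


if __name__ == "__main__":
    plain = build_sample_backup()
    for label, image in [
        ("plain tar", plain),
        ("tar.gz", build_sample_backup(compress=True)),
        ("encrypted", otp_encrypt(plain)[0]),
    ]:
        print(label, audit_image(image))
```

The tar stream carries its own member names and sizes, so the audit recovers every row with no catalog; the entropy figure is reported for triage only, and the ship/no-ship decision comes from parsing.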
jimbobob
Addicted Member
posted: Dec. 17, 2005 @ 8:41a
dweick said: ciba said: BankruptThem said: 2) I want to know why they are transporting such highly sensitive data (account numbers with social security numbers) in such a casual, sloppy way.
I'm curious what you would suggest as a good way to ship sensitive data. I would not think it to be unreasonable to argue that DHL is more secure than the USPS, but how many people mail tax returns?
USPS Registered Mail
Encrypt the data, if you can't encrypt it then at least put it in packaging that is tamper resistant so you can tell if someone mucked with it in transit.
What good would a tamper resistant seal do if the tapes never showed up? Also, for all we know this procedure may have already been in place.
You would really consider shipping this critical data through our nation's postal service? I think we have all heard stories about envelopes/packages being lost for great deals of time, or for good.
I think a better means of transportation and encryption of data are both in order here. ABN Amro was caught with their pants down. Just my thoughts.
Registered mail is shipped in locked and sealed containers and signed for every step of the way. Every time it changes hands, there is a signature and therefore a paper trail for audit purposes.
Ouch - I agree that 3 months isn't enough but they'll probably increase it if more people complain or if they see misuse of the lost info
DHL will probably take a hit with their business accounts - saw on the news that DHL said that "there was no error on our part and all procedures were followed" lol so where's the tape at then?
didYOUsearch
Cranky Member
posted: Dec. 17, 2005 @ 11:25a
unknownshopper said: The banks really only care about following the rules. And if it ain't in the rules, you can pound sand from now til doomsday and they ain't gonna care.
Until it costs less to do it more securely than it does to do it unsecurely and pay the fines, you ain't going to see measurable improvement.
And this is the bottom line.
Well.. it has happened to Citi and BoA this year as well, through different carriers, so unfortunately it's not uncommon.
Encrypting would only delay a determined thief, not stop them, as would using LTO tapes vs DLT. The drive may be more expensive, but not all that expensive compared to the possible rewards.