Personal data lost -- again

July 6, 2005

By David Lazarus, San Francisco Chronicle

http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/07/06/BUG0TDJBN01.DTL



Today I bring news of yet another security breach involving potentially thousands of people's personal info, and this is the first anyone's hearing of it.

The latest company to drop the data ball is City National Bank, based in Los Angeles and one of the largest independent financial institutions in California.

City National, which specializes in high-end clients, became a player in Northern California when it acquired San Francisco's Pacific Bank in 2000. It has 52 offices statewide and about $14 billion in assets.

As is increasingly the norm for letters notifying people of data mishaps, City National's missive, dated June 21, is decidedly short on facts. (And the facts in this case, as you'll see, are troubling indeed.)

"City National utilizes outside computer resources to ensure premier service to you," the bank's letter says.

"Recently we learned that a leading data storage firm employed by one of these computer service suppliers lost two back-up tapes containing City National data during transport to a secure storage facility. Social Security numbers and account numbers were on these tapes."

The letter adds that "there is no evidence whatsoever that this data has been compromised or mis-used, nor do we believe it will be."

City National is apparently basing this belief on the fact that the boxes containing the tapes didn't have the bank's name on them and because the data is hard to access without "highly specialized skills, specific software and sophisticated equipment."

The letter says City National apologizes for "any inconvenience or concern" but is confident that notifying customers about the incident "is the right thing to do."

OK, let's begin.

First off, notifying California consumers of a data security breach isn't merely "the right thing to do." It's the law. And it's because of the state's disclosure law that so many other similar cases have come to light in recent months.

Second, identity theft is the fastest-growing crime in the country, affecting, according to federal officials, about 10 million people a year.

It's therefore not much of a stretch to think that would-be ID thieves might have access to highly specialized skills, specific software and sophisticated equipment.

Finally, a close reading of City National's letter indicates that the bank's data was outsourced at least twice. First the info was handed to an unspecified "computer service supplier" that was performing some unspecified task.

Then it was given to an unspecified data storage firm, which apparently lost track of the computer tapes on some unspecified date at some unspecified location under unspecified circumstances.

Tapes lost or destroyed

Linda Mueller, a City National spokeswoman, declined to discuss specifics of the lost data.

She said only that "federal law enforcement and the bank's own security team have completed extensive investigations, and they are confident that the tapes were lost or destroyed."

When I told her what I'd learned about the case from my own digging, Mueller confirmed that the incident happened in late April and that the data-storage firm involved is Iron Mountain.

Iron Mountain casts a long shadow over the little-known world of corporate data storage. The company has more than 235,000 clients worldwide, including about three-quarters of the Fortune 1000.

In March, Iron Mountain lost computer tapes containing personal info for about 600,000 current and former Time Warner employees, the two companies have acknowledged.

A month earlier, discount broker Ameritrade discovered that it had lost computer tapes containing data for about 200,000 customers. A couple of months before that, Bank of America found that it had lost tapes containing more than a million federal workers' account info.

It's unclear whether either of these other incidents involved Iron Mountain. The data-storage firm doesn't comment on individual clients, and neither Ameritrade nor BofA has disclosed where the info was to be held.

On April 21, however, Iron Mountain issued an unusual statement admitting that the company has experienced "four events of human error" since the beginning of the year.

Melissa Burman, an Iron Mountain spokeswoman, told me that the purpose of the April 21 statement was to encourage clients to be more diligent in encrypting data before turning it over for storage.

"We do 5 million pickups and deliveries a year," she said. "Only a very small percentage are unsuccessful, but, statistically speaking, this will keep happening. It's impossible to get to perfection, no matter how hard we try."

Burman agreed with City National's assessment that accessing data on backup tapes can be difficult for people lacking technical resources.

But she observed that identity thieves are becoming increasingly sophisticated.

Encryption is important

"That's why companies need to encrypt before data leave their domain," Burman said. "It would be near impossible to access if encrypted."

City National's Mueller declined to say whether the bank's tapes were encrypted.

"We don't talk about security precautions," she said, "but we can tell you that information on these tapes would be very difficult to access."

Since its founding in 1954, City National has focused on meeting the needs of wealthy customers. The bank boasts that it manages accounts for "some of the most affluent individuals and successful business executives in the West."

So why did it take about two months for City National to send out its state-mandated letters notifying customers of the lost data?

"We notified our clients as soon as we fully understood the details of what happened and the risk to our clients," Mueller said.

"We moved as quickly and thoughtfully as we could," she added, "but we also were determined not to do anything that would impede the investigations or alarm our clients unnecessarily."

Now they can be alarmed for good reason.

