Data breach at New York bank possibly affecting hundreds of thousands of CT consumers

May 21, 2008

By CT Attorney General's Office

Attorney General Richard Blumenthal today announced that a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to as many as hundreds of thousands of Connecticut consumers and personal information of millions more nationwide.

Among the Connecticut consumers are depositors and investors of People's United Bank of Bridgeport, which gave Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

Blumenthal today wrote Bank of New York Mellon, which lost the information in February, demanding that it provide affected consumers with credit monitoring and other identity theft protections, as well as a full account of how the loss occurred and other information.

The banks have cooperated fully thus far with Blumenthal's office. Consumers seeking information about the breach should call a toll free number set up by Bank of New York Mellon, (877) 278-3451.

"I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon (.BNY.) involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People.s United Bank account holders and shareowners," Blumenthal said in his letter. "Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information.

This security breach seems highly dangerous, indeed possibly devastating in light of the identity theft threat. You have also informed this office that BNY began notifying the affected customers six weeks ago and is offering one year of credit monitoring through Equifax. Given this extraordinarily serious security breach, this offer of protection is grossly inadequate. Connecticut agencies that have experienced data security breaches less serious in magnitude or potential damage have offered consumers two years of credit monitoring, $25,000 identity theft insurance and free credit freezes. BNY should do no less.

I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People's nor its customers were promptly notified. Even now, many may be in the dark.

The loss of this tape -- so far unrecovered and unremedied -- is inexplicable and unacceptable. It must be addressed by protective measures to forestall identity theft immediately."

On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers -- hundreds of thousands of them People's United Bank customers and investors -- and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.

People's United Bank informed Blumenthal's office of the breach earlier this week, shortly after New York Bank of Mellon informed it.

The banks are working with Blumenthal's office to provide information on exactly how many Connecticut consumers are affected and how many are People's depositors versus investors.

main page ATTRITION feedback