[ISN] ABN Amro eyes electronic data transfers after tape loss incident

[InfoSec News]

http://www.computerworld.com/securitytopics/security/story/0,10801,107239,00.html

By Lucas Mearian 
DECEMBER 20, 2005
COMPUTERWORLD

ABN Amro Mortgage Group Inc. has decided it will no longer send data 
tapes to its credit reporting bureaus after one of those tapes -- with 
the private information of more than 2 million customers on it -- went 
missing a month ago (see "Update: Missing ABN Amro tape with 2 million 
names found" [1]). 

Instead, according to ABN Amro Mortgage Group CEO Thomas Goldstein, 
the company will encrypt data and send it over secure networks when 
possible. Otherwise, it will use special couriers in an effort to 
avoid another tape loss. 

Those changes were announced on the same day the company said it had 
located the missing tape containing sensitive data about residential 
mortgage customers, which was lost Nov. 18 while being transported by 
a delivery service to a credit reporting company. The tape was found 
yesterday, three days after the company began notifying customers that 
it had been lost. 

On Friday, ABN Amro told customers that the tape was lost while being 
transported by DHL Worldwide Express delivery service from a data 
center run by a subsidiary of LaSalle Bank Corp. in Chicago to an 
Experian Information Solutions Inc. credit bureau facility in Allen, 
Texas. The tape contained the names, account information, payment 
histories and social security numbers for residential mortgage 
customers, according to the letter ABN Amro sent customers last week. 

Goldstein said during today.s press conference that the search for the 
tape by ABN Amro, DHL and Experian was "exhaustive," and ended last 
week, at which time they decided to notify customers. Goldstein said 
the tape was then found yesterday. He also said there is still no 
evidence that the data was misused while it was missing, but he said 
there.s no way to prove the tape wasn't read or copied while it was 
missing. 

Goldstein said that the package containing the missing tape was found 
in its original sealed container by a DHL employee without the 
original air bill and that DHL then readdressed the package back to 
ABN Amro. 

Despite the tape's recovery, the problems for ABN Amro didn't end 
today. A gift code given to customers whose information was 
temporarily lost to allow them to sign up for a free credit monitoring 
service overwhelmed a Web site run by credit reporting agency Trans 
Union LLC. ABN Amro said initially that it would enroll those 
customers in the credit monitoring service for 90 days at no cost. 
That time frame was extended to year today. 

Tens of thousands have already registered with Trans Union today, but 
"2.1 million letters going out has overwhelmed the [Trans Union] Web 
site," Goldstein said. "I feel terrible about the frustration our 
customers are having on top of just getting this notification. TU and 
we are working together to fix this". 

He said Trans Union is adding a "gateway" device to limit access to 
the service and notify customers when they can sign up. 

As for the plans to transfer data electronically rather than by 
courier, Goldstein said ABN Amro has completed about 70% of a rollout 
of a secure data network to move data to its credit-reporting bureaus. 

"The goal starting last spring was to eliminate all physical handling 
of tapes -- and any tape where we cannot eliminate the physical 
handling because the other party cannot receive [the electronic data] 
will go by special courier," Goldstein said. He cited FedEx Corp. as 
one company ABN Amro might use. 

"The tape in question was to be transferred fully electronically and 
encrypted this month. One of the really upsetting things about this is 
one more month, and this couldn't have happened," Goldstein said. 

ABN Amro plans to continue to use DHL to ship other packages. 

[1] http://www.computerworld.com/databasetopics/data/story/0,10801,107230,00.html