Chase SSN Loss Pattern?

A quick Google search of Patricia O. (O My God I've Lost Customer's Social Security Numbers) Baker came up with a similar situation to my recent SSN loss.

Click here to read the notice at Datalossdb.

Seems Chase notified the state of New York in late 2006 that a tape with customer's SSN could not be found at a vendor's off-site facility. Want to bet it's the same vendor as my loss? Want to bet that Chase didn't change any policy from 2006 to 2009?

Of interest in the 2006 notification, Chase offered $10,000 in identity theft protection to each victim. Unfortunately for the 34,266 New York residents affected, the footnote to the letter to the NY state attorney general says that the theft protection is not available to NY residents.

Chase'ing My SSN Away

When comparing Citi and JPMorganChase (Chase bank), it's not hard to see how Chase is doing better. Citi's in the hole for $45 billion of taxpayer money and Chase returned the TARP funds it never wanted in the first place. Citi's got a revolving management team and board while Jamie Dimon has led Chase for five years. Their stock tells the story as Chase (JPM) is up 17% over roughly five years since Dimon joined and Citi is down 91%. Click here for an interactive chart.

Unfortunately, my belief in Chase's attention to detail and looking out for its customers was smacked by this letter I received yesterday. In short, Chase backs up its customer information on a tape and uses a vendor to store that tape. Chase's vendor can't find the tape that includes my name, address and social security number (SSN).

Click on pages to view the letter.

While Chase might be correct that the tape can "be read only with special equipment and software", let's not kid ourselves that this is rocket science. The larger question is why Chase's data wasn't encrypted so that even if it was able to be read (which it can be) that the data would be useless without the key to un-encrypt the data.

It's not even six weeks since I was Schwab'd by Chuck who's team also lost my SSN and personal information. Like Schwab, Chase is offering to monitor my identity with an Experian product. That's standard. Their offering to monitor it with their own branded product (Chase Identity Protection) that they hope I will like and will pay for in the future. That's Priceless. Leave it to Chase to turn an internal control and process f-up into a marketing and revenue opportunity.

Chase's letter is signed by Patricia O. Baker. That's 'O' as in O' My God, I just lost customer Social Security Numbers.

Perhaps now's the time to short Chase's stock as they've once again made the Companies Acting Badly list, this time by losing my Social Security Number and ID information. Or perhaps it's time for Chase to get a new CIO who can enforce protocols with a data storage vendor. Or perhaps it's time for Chase to get a new data storage vendor. Who's in charge of this at Chase?

JPMorganChase joins Charles Schwab, IBM, Intuit and BNY Mellon as Companies Acting Badly for managing to lose my social security number and other personal information.

BNY Mellon - The Spark

Yesterday, June 21st, 2008, I received this letter from BNY Mellon. It is the latest reason and spark for starting this blog.

In short BNY (formerly Bank of New York) acts as a supplier of services to JPMorganChase (my former employer). BNY lost a storage tape in transit with my employee information including my Social Security Number (SSN). Sound familiar? Were they working with IBM?

BNY is notifying me of the loss, apologizing and offering me some identity protection services. Sound reasonable?

It's not. Here's the stupidity behind BNY's lawyer crafted letter.

1. BNY found out about their loss of my identity information on Feb 27, 2008. Their letter notifying me arrived on June 21, 2008. That's a full 115 days or almost four months. No amount of internal hand wringing at BNY Mellon or Marketing/Legal spin can explain why a company would wait 4 months to notify someone of this loss. This demonstrated lack of concern for their customers ensures that I will never knowingly do business with BNY Mellon.

2. BNY's meaningless statement of "while we have no reason to believe your information has been or will be accessed or misused" raises a lot of questions. How do they know the intent of whomever now has the tape? Does BNY know who has it? How can they predict the future on what will happen to my identity information that they lost? How does BNY know that if in the past 115 days a credit card was taken out under my name that it was truly me? They don't. The statement is meaningless and meant to make me feel better when it only raises concerns on what BNY knows and doesn't know.

3. BNY is giving me 90 days to activate the identity protection service they recommend. That's nice - you take 115 days to notify me but I only have 90 days to activate. Shouldn't my time to decide on whether to use your service be as long as your time to decide to notify me?

4. BNY didn't encrypt their data. Simple stupidity that should result in the firing of their CIO. Sensitive data that is moving outside of a company's data center (in this case on a backup tape) should be encrypted so it would be of no value if it fell into the wrong person's hands. This is not rocket science but may be at BNY Mellon.

5. BNY Mellon is downplaying the loss. Their statement of "could not account for one of several boxes of backup tapes" while accurate is not forthcoming. Did they think I wouldn't Google: BNY Mellon data loss and find out that this story was covered in the press and that BNY Mellon had lost 6 - 10 tapes in that box covering 4.5 Million customers with their SSNs? Click here for the Google search.

6. BNY says in a note at the bottom that theft insurance doesn't apply in NY state. They blame it on a regulation and have no other option for New York state customers. That's the former Bank of New York telling customers of the former Chase Manhattan Bank that their protection doesn't apply in New York. Good thing I live in CT.
   

It turns out that this loss was widely reported in the press for BNY Mellon customers of other banks (not JPMorganChase). You can read an article on this Company Acting Badly at Reuters.

Is this stupidity by BNY Mellon a one time event? Read another article at Pittsburgh Tribune-Review and see.

It also appears that BNY Mellon has been extending it's identity monitoring service from 12 months to 24 months. If BNY really has no concern about what will happen to my identity info then why would they be adding more monitoring time? Click here to see where they extended the time for 1400 brokers at SAIC who's data was on one of those tapes.

SAIC put significant effort behind crafting a FAQ for its brokers that makes the comparison to BNY Mellon telling for a Company Acting Badly. See SAIC's FAQ here. They go so far as to recommend that individuals consider changing bank accounts used with BNY Mellon.