
Tuesday, June 30, 2009

Chuck I've Been Schwab'd

Last week I received the following letter from Charles Schwab saying that they had lost a computer that contained unencrypted personal information, including my name, Social Security number and account number. Given that I've got a few accounts at Schwab all associated with my name and SSN, let's assume they lost them all.



How nuts is this? Another year and another supposedly high-tech firm can't handle basic technology protocols like storing customer information on a server in a data center and, if they need to store it on a laptop or desktop, encrypting it so it can't be read.

And Schwab's letter? This obviously wasn't written by the folks who do the Talk to Chuck campaign.

  1. "You may have been impacted..."
    No. I was impacted. Not may have been impacted. Someone has my personal info and it's Schwab's fault. I now have to monitor my credit reports once again.

  2. "... a recent data incident."
    No. This was a process incident. It was a control incident. It was a security incident. Data was involved. But it was not a data incident.

And the line that really puts Charles Schwab in the leagues of Companies Acting Badly:

"It doesn't appear that the theft of this computer hard drive was intended for fraudulent purposes or identity theft".

Really? How do the brainiacs at Schwab know the robber's intent? Have they spoken to them? Schwab can't monitor my credit reports, so how would Chuck know if someone now had fraudulently taken out credit in my name? Even if Schwab could monitor my credit (which it can't), how would they know if a new credit card was taken out by me or fraudulently by someone who had stolen my SSN off their computer? Schwab can't, and this line is useless and insulting.

Perhaps Schwab hired the same brilliant lawyers who helped BNY Mellon write that "we have no reason to believe your information has been or will be accessed or misused".

I checked Schwab's site to find their policy on personal information and found that they may have violated their own rules (click here to see their policy). According to Schwab, they "take steps to protect you from identity theft", including:
  • using firewalls and encryption technology to protect personal information on our computer systems;
  • training our employees on privacy and security to properly handle personal information about you.

Not quite a shining Chuck moment.

I tried calling the phone number Schwab gave in the letter and it was evident that this person and their supervisor were reading a script. In short, they didn't know when the theft occurred but could tell me it was in 2009 and they offered me a key fob random number generator to make my sign on to Schwab more complicated.

E*Trade and TD Ameritrade are offering me 25,000 frequent flyer miles to move my accounts. Will they have any better security over my personal info?

Charles Schwab joins IBM, Intuit and BNY Mellon as Companies Acting Badly for managing to lose my social security number and other personal information.

Sunday, June 22, 2008

BNY Mellon - The Spark

Yesterday, June 21st, 2008, I received this letter from BNY Mellon. It is the latest reason and spark for starting this blog.



In short, BNY (formerly Bank of New York) acts as a supplier of services to JPMorganChase (my former employer). BNY lost a storage tape in transit with my employee information, including my Social Security Number (SSN). Sound familiar? Were they working with IBM?

BNY is notifying me of the loss, apologizing and offering me some identity protection services. Sound reasonable?

It's not. Here's the stupidity behind BNY's lawyer-crafted letter.
  1. BNY found out about their loss of my identity information on Feb 27, 2008. Their letter notifying me arrived on June 21, 2008. That's a full 115 days or almost four months. No amount of internal hand wringing at BNY Mellon or Marketing/Legal spin can explain why a company would wait 4 months to notify someone of this loss. This demonstrated lack of concern for their customers ensures that I will never knowingly do business with BNY Mellon.

  2. BNY's meaningless statement of "while we have no reason to believe your information has been or will be accessed or misused" raises a lot of questions. How do they know the intent of whoever now has the tape? Does BNY know who has it? How can they predict the future on what will happen to my identity information that they lost? How does BNY know that if in the past 115 days a credit card was taken out under my name that it was truly me? They don't. The statement is meaningless and meant to make me feel better when it only raises concerns on what BNY knows and doesn't know.

  3. BNY is giving me 90 days to activate the identity protection service they recommend. That's nice - you take 115 days to notify me but I only have 90 days to activate. Shouldn't my time to decide on whether to use your service be as long as your time to decide to notify me?

  4. BNY didn't encrypt their data. Simple stupidity that should result in the firing of their CIO. Sensitive data that is moving outside of a company's data center (in this case on a backup tape) should be encrypted so it would be of no value if it fell into the wrong person's hands. This is not rocket science but may be at BNY Mellon.

  5. BNY Mellon is downplaying the loss. Their statement of "could not account for one of several boxes of backup tapes" while accurate is not forthcoming. Did they think I wouldn't Google: BNY Mellon data loss and find out that this story was covered in the press and that BNY Mellon had lost 6 - 10 tapes in that box covering 4.5 Million customers with their SSNs? Click here for the Google search.

  6. BNY says in a note at the bottom that theft insurance doesn't apply in NY state. They blame it on a regulation and have no other option for New York state customers. That's the former Bank of New York telling customers of the former Chase Manhattan Bank that their protection doesn't apply in New York. Good thing I live in CT.

It turns out that this loss was widely reported in the press for BNY Mellon customers of other banks (not JPMorganChase). You can read an article on this Company Acting Badly at Reuters.

Is this stupidity by BNY Mellon a one-time event? Read another article at Pittsburgh Tribune-Review and see.

It also appears that BNY Mellon has been extending its identity monitoring service from 12 months to 24 months. If BNY really has no concern about what will happen to my identity info, then why would they be adding more monitoring time? Click here to see where they extended the time for 1400 brokers at SAIC whose data was on one of those tapes.

SAIC put significant effort behind crafting a FAQ for its brokers that makes the comparison to BNY Mellon telling for a Company Acting Badly. See SAIC's FAQ here. They go so far as to recommend that individuals consider changing bank accounts used with BNY Mellon.