This letter says, “Some of your personal information was included on two data backup tapes that we shipped to another one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them despite diligent efforts... We have also notified law enforcement.”
It goes on to add that the personal information on the tapes “may have included your name or address, Social Security Number, and account, debit or credit card number.” But nowhere does it indicate why it waited six months before informing affected customers, even though the data was unencrypted.
The bank’s handling of the lost tapes is an example of poor incident response and has been widely criticized. Even the total number of affected customers was not released in one go. “So now we have a breach that was 6-month delayed in notification and what looks like an attempt to not reveal how bad it may have been. Not a good post-incident response plan,” comments the Office of Inadequate Security (OoIS) website.
The Portland Press Herald reported on Friday, “As many as 267,000 TD Bank customers from Maine to California were affected by the loss of two data backup tapes that contained personal information such as Social Security numbers and driver’s license numbers.”
“I expect to see some state attorneys general open investigations into what is likely an unacceptable delay in consumer notification,” warned OoIS in a separate post on Wednesday. A partial explanation for the delay was reported by the Ottawa Citizen today. It reported that TD Bank spokeswoman Maria Saros Leung said in an email “that the bank is not classifying the incident as a breach since there’s no evidence of criminal activity.”
Nevertheless, the fact remains that customer data was lost. “If you can’t protect the data wherever it goes, then it shouldn’t be on vulnerable systems that can put thousands of people’s identities at risk if compromised, lost or stolen,” said Mark Bower, data protection expert and VP at Voltage Security. “If the data itself had been protected at the source - as many leading companies are now doing with great success - then the loss of a mobile storage device or the breach of a network, servers, etc., would mean nothing.”