TD Bank made procedural errors when it lost computer tapes containing sensitive personal data, including Social Security numbers, and risked exacerbating potential problems by waiting more than six months to notify customers of the breach, security experts said Wednesday.
“It doesn’t sound like they were using proper controls. It’s not good practice to ship unencrypted backup tapes. It has become a lot less common for financial institutions to lose data these days,” said Robert Richardson, an independent computer-security analyst and former director of the San Francisco-based Computer Security Institute, an association of computer security professionals.
TD Bank, which has 54 branches in Maine, began notifying customers last week that tapes including names, addresses, Social Security numbers, account numbers and debit or credit card numbers were lost in March while being transferred between bank locations. The bank said it was not aware of any misuse of the information, but did not explain how the tapes were lost.
TD Bank, which has more than 7.4 million customers and more than 1,275 retail locations, also would not say how many customers were affected. TD Bank lost the tapes in Massachusetts, but said customers on the East Coast from Maine to Florida may have been affected.
“You can understand why a bank doesn’t want to disclose the number, but as a security professional, you have to assume the worst,” Richardson said. “There could be thousands of records on a backup tape. It could be an enormous number.”
Under Maine law, companies must disclose information about data breaches or losses “as expediently as possible and without unreasonable delay,” but no formal timetable dictates how or when companies must notify customers.
Some customers said Wednesday they were going to cancel their TD Bank accounts.
“It makes you think twice about the bank. I’ll probably change banks,” said Caleb Gannon of Yarmouth, who received a letter last week from TD Bank about the loss of his personal data.
One Scarborough customer, who declined to be named because she did not want to draw attention to her lost personal information, said she and her husband would be closing their joint account as soon as possible.
“The bank said it apologizes for any inconvenience. It’s way more than an inconvenience. It’s insulting,” the customer said. “The fact that it took so long generates more concerns and more questions.”
Liz Donnelly of Bangor said she had not been notified of any problems with her account, but was concerned about TD Bank’s lack of speed in informing customers.
“It definitely makes you nervous, but it’s been kind of happening to a lot of companies. But alerting people shouldn’t be a problem like that. TD Bank has become a big institution and I don’t know if that’s better,” Donnelly said.
Maine’s Bureau of Consumer Credit Protection said it has received complaints from some TD Bank customers.
“Sometimes,” Richardson said, “there’s good reason for the delay — such as working with law enforcement — or other times they’re just dragging their feet.”
TD Bank has offered free credit monitoring and identity theft protection to customers who were affected.
The bank said it did an internal investigation and notified law enforcement, but said there was no criminal investigation.
“We worked diligently to find the tapes and conduct a thorough investigation. Since this was not a data breach of any kind, there is no criminal investigation,” said TD Bank spokeswoman Rebecca Acevedo.
Sam Imandoust, a legal analyst with the Identity Theft Resource Center, a nonprofit organization in San Diego, said customers should carefully monitor their credit report and look for any suspicious activity on their accounts.
“It’s dangerous to have all that information out there. Was it unreasonable that it took seven months to disclose? What’s reasonable and prompt? Was it as expedient as possible?” Imandoust said. “I hope nobody gets a nasty surprise on their credit report.”
The Identity Theft Resource Center, which tracks data breaches and lost information, said there have been 324 breaches of data nationally with more than 9 million financial records, including bank and credit card accounts, exposed so far this year. That compares with 419 data breaches with 22.9 million records exposed in 2011, the center said.
Since TD Bank is a federally chartered bank, state regulators don’t have much control over how customers get treated. The Massachusetts Attorney General’s Office declined to comment, and the Maine Attorney General’s Office did not return calls.
The Federal Trade Commission also declined to comment. The Office of the Comptroller of the Currency, which oversees federally chartered banks, said it couldn’t comment on any specific bank or situation. TD Bank is a subsidiary of Toronto-Dominion Bank of Canada.
Other companies in Maine have also been affected by data breaches.
The biggest case involved the Hannaford Bros. grocery chain, in which computer hackers stole the credit and debit card numbers of Hannaford shoppers from Dec. 7, 2007 to March 10, 2008. More than 4 million card numbers were exposed. About 1,800 fraudulent charges had been made by the time Hannaford announced the breach on March 17, 2008.
The other major data breach was reported in January 2007 and involved TJX, a retail chain that owns T.J. Maxx, Marshalls and other stores.
Staff Writer Jessica Hall can be contacted at 791-6316 or at: