TD Bank made procedural errors when it lost computer tapes containing sensitive personal data, including Social Security numbers, and risked exacerbating potential problems by waiting more than six months to notify customers of the breach, security experts said Wednesday.

“It doesn’t sound like they were using proper controls. It’s not good practice to ship unencrypted backup tapes. It has become a lot less common for financial institutions to lose data these days,” said Robert Richardson, an independent computer security analyst and former director of the San Francisco-based Computer Security Institute, an association of computer security professionals.

TD Bank, which has 54 branches in Maine, began notifying customers last week that information including names, addresses, Social Security numbers, account numbers and debit or credit card numbers was lost in March. The bank said it was not aware of any misuse of the information, but did not explain how the tapes were lost.

TD Bank, which has more than 7.4 million customers and more than 1,275 retail locations, also would not say how many customers were affected. TD Bank lost the tapes in Massachusetts, but said customers on the East Coast from Maine to Florida may have been affected.

“You can understand why a bank doesn’t want to disclose the number, but as a security professional, you have to assume the worst,” Richardson said. Under Maine law, companies must disclose information about data breaches or losses “as expediently as possible and without unreasonable delay” but no formal timetable dictates how or when companies must notify customers.

Maine’s Bureau of Consumer Credit Protection said it has received complaints from some TD Bank customers.

“Sometimes,” Richardson said, “there’s good reason for the delay — such as working with law enforcement — or other times they’re just dragging their feet.”

TD Bank has offered free credit monitoring and identity theft protection to customers who were affected.

The bank said it did an internal investigation and notified law enforcement, but said there was no criminal investigation.

“We worked diligently to find the tapes and conduct a thorough investigation. Since this was not a data breach of any kind, there is no criminal investigation,” said TD Bank spokeswoman Rebecca Acevedo.

