Easiest way to breach a bank? Just hold-em-mop!

On July 29, 2011, Massachusetts Attorney General Martha Coakley announced a $7,500 settlement with Belmont Savings Bank following a May 2011 data breach involving the names, Social Security numbers and account numbers of more than 13,000 Massachusetts residents. The bank has stated that it has no evidence of unauthorized access to or use of consumers’ personal information in connection with this breach.

According to Coakley’s press release, a Belmont Savings Bank employee violated the bank’s policies and procedures by failing to secure an unencrypted backup computer tape containing personal information. Surveillance footage suggests that the tape most likely was incinerated by the bank’s waste disposal company after it was discarded inadvertently by an overnight cleaning crew.

In addition to paying a civil penalty of $7,500, Belmont Savings Bank must ensure proper transfer, inventory and storage of backup computer tapes containing personal information and must effectively train members of its workforce on the bank’s information security policies and procedures.

It is truly amazing just how messy people can be. I’ll use “people” as a generic term to describe the individual, the employee and the corporation. To clean up our messes, we employ cleaning crews in the corporate world but also in the private one. I had performed an access audit as the CISO of a large bank and was amazed that the people who had badge access to the inner sanctum of information security were predominantly janitorial crews. The people who held mops outnumbered my staff. I wondered what these people did after hours aside from helping themselves to the candy dish. Any one of them, given the opportunity, could have stolen information. I did my best not to give them the opportunity, but there is always opportunity. The same principle applies in our homes. How much personal information do we leave in plain sight, unprotected, in our homes? Online account information near the office computer? Credit statements in the trash? Credit offers in the mail? These are just as tempting to criminals as any other tangible valuable you possess.

The best practice to take is one that is preventive in nature. Do your best to eliminate unnecessary risks both in the office and at home. The penalty Belmont Savings Bank paid is grossly trivial in my opinion. The simple preventive measures would have been, first, to encrypt storage media and, second, to provide secure storage and handling of data in general. Unfortunately, this is something that happens more frequently than it should, but not on my watch. Like I always say, “No Data, No Company.”
