With real war brewing in the Middle East, the ongoing ugliness of Washington’s narcissism, and with Europe in deepening recession — do consumers really need to worry about security breaches at inept banks? Yes they do.
Consumers know security breaches can burden them for years with legal difficulties and costs. Consumers have heard about types of online scams they must avoid. Most have installed virus protection on their computers. Most know how to triage spam from useful email. They are wary of tracking cookies and those who sell based on profile information for target marketing. And many have adjusted how they participate and what they reveal on social media sites. Generally, consumers are savvy about behaviors that make them vulnerable. Apparently some banks did not get the message.
In 2010, an insider at Bank of America (BoA) sent confidential details about hundreds of depositors to a team of check cashers outside. Victims saw their deposits drained within hours. BoA apologized for the fraudulent losses and offered credit monitoring for 2 years. (Credit card monitoring costs $8 per person at wholesale.) Names, account numbers, mailing addresses and email addresses for 200,000 of Citibank’s credit card customers were stolen in 2011. Citi replaced cards as needed, and all were relieved that social security numbers, dates of birth, etc. were not revealed.
In March 2012, TD Bank misplaced backup tapes containing the names, social security numbers and other highly sensitive personal information of 260,000 customers. No fraud from this incident has been reported, yet. In the fall of 2012, the state of South Carolina’s Department of Revenue site suffered a cyber “incursion” that left 3.6 million filers’ social security numbers exposed, along with information for 387,000 credit cards (albeit encrypted). South Carolina is still piecing together which specific filers’ information was downloaded and when.
“Insider job” is the leading cause of cyber theft and fraud. In the BoA case, it was intentional, and in the TD Bank case, unintentional. In the SC and Citi cases, the “perp” is still unidentified.
Corporations need complex security arrangements, but two of the most productive are training employees in safe practices on any mobile or computer technology they use, and installing filters that block access to the usual spyware and drive-by downloader sites. When insiders fail in security, they can let criminals into the company’s IT system – and into customer account information. Unfortunately there is no cookie-cutter formula for IT safety. Consumers should take note of which companies fail and then vote with their feet. Certainly there is nothing simplistic for government to impose on companies as “the answer.”
Alan Daley is a retired businessman living in Florida and following public policy from a consumer’s perspective.