An unusual data breach: One without actual theft and that hasn’t caused harm…yet!
A well-known New York-based financial institution is the most recent financial services firm to report a pair of data breaches to its brokers, clients, and Offices of States’ Attorneys General. The kicker here is that while they know some data has undoubtedly been lost, it is nearly impossible to identify what and how much data we’re talking about.
Here is what we understand about the breach:
In 2016, the firm had contracted with a third-party service provider to wipe (remove any trace evidence of) data from storage devices, such as hard drives, contained within two of its data centers it decommissioned that year, before selling these storage devices to a computer hardware recycling company. It appears the vendor did not remove all of the data from the storage devices before the transfer of ownership to the recycling company, and certain data remained stored in an unencrypted format on certain of these devices at the time of transfer. To be clear, the vendor was hired to wipe the data from the storage devices with the intention that they be used or sold again by the hardware recycling vendor.
Additionally, in 2019, one of the firm’s branch offices replaced an onsite server, which it later could not account for in inventory. After the server was decommissioned, and after the firm learned that it could not be located, the server’s manufacturer informed the firm that a software flaw existed that could have allowed certain data to be stored unencrypted on the server’s hard drives.
In short, due to a vendor’s failure to completely wipe data from old storage devices before re-use and a software flaw existing within a misplaced, decommissioned server, there are now multiple storage devices with unencrypted, unprotected personal information somewhere in the world. The number of devices in question and still in existence is unknown at this point.
Sensitive and confidential information, such as account numbers, account balances, social security numbers, and other personally identifiable information (PII), is generally stored encrypted. Encryption is the means of securing data by which plain text is converted into a scrambled ciphertext that can only be read by those with appropriate permissions. Sensitive and confidential data is typically stored encrypted because even if an unauthorized party were to gain access, without the decryption key the text would just look like a garbled mess. The data at issue on the missing storage devices is believed to have been stored unencrypted, meaning that anyone with access to any of these storage devices can potentially read the information stored on them.
A troublesome part of this particular breach is that it is very difficult (if not impossible) to know if or when any of the unencrypted information has been or will ever be accessed. Online account breaches can be pinpointed and confirmed because there are systems in place to log every action. There are no such systems to detect if one of these devices is connected to a computer system.
The firm appears to have known about both of these issues for over a year. Public commentary on the matter suggests many clients were not aware they had an account with the firm, as some had closed their accounts years ago and were questioning why the firm continued to maintain any of their information. Situations like this present compelling arguments for the existence of regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which afford individuals the right, subject to certain exceptions, to request that their data be deleted by companies they no longer do business with.
The firm now faces a pair of lawsuits. The lawsuits, both filed in federal court in New York at the end of July 2020, allege negligence on the part of the firm and invasion of privacy due to the firm’s failure to confirm that all of the data had in fact been destroyed, potentially resulting in the exposure of customers’ personal information. They also allege that the firm took too long to identify and notify affected parties of the breaches. Plaintiffs are seeking class action status on behalf of all affected parties.
The firm is offering free credit monitoring and fraud detection through a company that in 2017 reported its own data breach affecting over 147 million people. The irony of this is not lost on me.
This is not the first time this particular firm has been in hot water over not protecting its customers’ data. In 2016, the firm was charged with violating Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”) for, among other things, failure to implement sufficient authorization and access controls for two of its web portals, allowing one employee to misappropriate the personal information, including full names, account numbers and balances, and securities holdings information of approximately 730,000 customer accounts between 2011 and 2014. The firm was censured and fined $1 million in that instance.
There are some things this firm could have done differently to ensure a different outcome, and hindsight is always 2020, but most of the issues here circle back to having appropriate policies, procedures, and controls in place for data and hardware destruction, asset inventory, and decommissioning hardware. Policies requiring vendors to attest to, or otherwise provide certification of, data and hardware destruction should be implemented. These types of policies hold vendors accountable for ensuring data is properly wiped and hardware is properly disposed of, and also provide an audit trail for firms to review. Maintaining and periodically reviewing asset inventories in conjunction with logs of decommissioned hardware helps to ensure that equipment no longer being used is properly decommissioned and any information stored on such hardware is properly handled. These policies and procedures serve more than to just satisfy regulatory requirements. They provide the blueprints firms rely on to securely dispose of data; they exist so that breaches like this don’t occur.