Wells Questioned About Privacy BreachConn. AG Asks Why Bank Released Social Security Numbers
The Social Security numbers allegedly were included in information the DSS requested as part of a fraud investigation. According to the Connecticut AG, the DSS was investigating state employees who may have falsified financial information on applications for state-funded food-assistance programs. The department asked Wells to provide financial information about state employees who hold accounts with Wells.
In response, the AG says, Wells' included Social Security numbers in the documents it provided the DSS and customers named in the subpoenas. Social Security numbers of multiple individuals, together with identifying information, were included on at least two subpoenas issued to Wells from the DSS. From there, Wells provided copies of those subpoenas to customers without redacting the personal information.If the disclosure of those numbers is found to be improper, Wells could be facing fines for violating Connecticut privacy laws.
"My initial review suggests that neither Connecticut nor federal law required Wells to disclose DSS's subpoenas to the customers whose records were sought therein, nor am I aware of any reason to conclude that Wells was prohibited from redacting other individuals' information from subpoenas it chose to disclose to customers," Jepsen states in his letter to Wells.
McAfee consultant Robert Siciliano says the whole scenario highlights how quickly an unintended breach can occur when organizations are not mindful of consumer privacy obligations. "When a fraud investigation leads to a data breach that could result in unintended fraud, we see a bizarre view of the full life-cycle of fraud perpetrated by nefarious humans and exasperated by irresponsible ones," he says.
Neal O'Farrell, who heads up the Identity Theft Council, an ID theft assistance organization, says the Wells incident highlights the most common reason for data breaches - human error. "If you look back at the daily breaches over the last few years, most are as a result of dumb mistakes by data handlers - employees or contractors who have access to sensitive data or have it in their possession but don't have the accompanying training awareness to 'think security first,'" he says.
During the first six months of 2011, more than half of reported data breaches involved Social Security numbers, O'Farrell says. "Obviously, the awareness message is not getting through. No matter how often the security industry derides or ridicules the value of security awareness, I've yet to see a technology that can prevent, filter or block human errors like this. We need to go back to basics, and understand that security is still fundamentally about people."
Wells spokesman Kefin Friedlander says Wells is addressing the allegations, but says the bank's "focus and concern is on our customers and the other individuals impacted."
Jepsen has asked Wells to respond immediately. If a breach of customer information has occurred, Jepsen expects Wells to provide credit monitoring, identity theft insurance and security freeze reimbursement to all affected customers.
Siciliano says banks, retailers and creditors have lobbied against credit freezes. But credit freezes can be effective at fighting and preventing fraud. "If a credit was frozen across the board, as opposed to open by default, the Social Security number would be useless to a thief for new account fraud, and this wouldn't be considered a breach," he says.
Wells did not comment about the possibility of approving credit freezes, but it did say it plans to offer affected customers the option of signing up for complimentary ID theft protection.