Secure Information? Why my Bank is making me Paranoid!

Who is protecting your personal information?

Recently I received a note from one of the service providers I use for personal banking telling me that some of my information may have been compromised. Hey, this stuff happens from time to time, right? One would hope there would be some level of real disclosure about what information was in fact compromised.

A follow-up letter arrived via email that provides tidbits of information about what actually occurred and what information may have been accessed. Not surprisingly, it had obviously been drafted by a professional wordsmith, passed through lawyers’ hands, filtered through many levels of executive approvals, and then finally sent out to the masses. I have included the letter below and added my own insight in red (the company’s names have been changed to protect the…….).

Email from XYZINC

XYZINC is letting our customers know that we have been informed by ABCINC, a vendor we use to send e-mails, that an unauthorized person outside ABCINC accessed files (um…how exactly were they accessed?) that included e-mail addresses (and…..?) of some XYZINC customers (would be nice to know if I am one of the “some”?). We have a team at ABCINC investigating (What kind of team? Who’s on the team? What are their qualifications? Hey wait a minute, are these the same guys that just allowed my information to be “accessed”?) and we are confident (they were probably confident the last time as well, but if they are confident I guess that means I should be as well because…well… they said so) that the information that was retrieved included some (again, am I one of the “some”?) XYZINC customer e-mail addresses, but did not include any customer account or financial information (I’d love to know what they qualify as customer account/financial information. I’d be much happier if they specifically pointed out that my SSN, address, phone number, place of employment, or any other information they required of me in order to transact business through them was not swiped).

We apologize if this causes you any inconvenience (the inconvenience is unknown until it’s too late, as I don’t know what information was really “accessed”, do I?). We want to remind you that XYZINC will never ask for your personal information or login credentials in an e-mail (neither do the phishers these days. They just put up bogus sites hidden under mislabeled URLs for the non-technical folk to give away their information; now they have my email address apparently, oh joy!). As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam (LOL, I am willing to bet that ABCINC has already sold my email address to a number of “partner” companies and that’s where most of the marketing spam originated). It is not XYZINC’s practice to request personal information by e-mail.

As a reminder, we recommend that you:
Don’t give your XYZINC User ID or password in e-mail.
Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
Don’t reply to e-mails asking you to send personal information.
Don’t use your e-mail address as a login ID or password.

The security of your information is a critical priority to us and we strive to handle it carefully at all times (Should this be considered a case in point? I am guessing not, but gosh, they are striving; that makes me feel so much better). Please visit our Security Center at XYZINC.com and click on “Fraud Information” under “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us (but remember, we hire ABCINC to send our email, so email from us is not really from us even though it appears to be sent by us).

After reading this stunning bit of legal repentance my next stop was to go review XYZINC’s Privacy notice on their web site, and what an eye opener that was. I won’t bore you with all the gory details of the notice but here are a few highlights that made me worry:

XYZINC’s Privacy Notice

Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do. (The details around what they do to collect, share, and protect your personal information are comical at best. I am not going to go all political on you here, but this is a perfect example of how the financial institutions seem to “own” Congress, to the point where your personal information is not your information at all.)
 
The types of personal information we collect and share depend on the product or service you have with us. This information can include:
  • Social Security number (wowza) and income
  • account balances and transaction history
  • credit history and payment history
(There is no mention of what information will or will not be shared based on “need”; therefore, does this mean that all of this information can be shared at their discretion?)
 
All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons XYZINC chooses to share; and whether you can limit this sharing.

| Reasons XYZINC can share my information | Does XYZINC share? | Can you limit this sharing? |
| --- | --- | --- |
| For our everyday business purposes – such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus (I believe this is the only one that you should not be able to limit, but it should be allowed only with notification every time it is shared. But then again I am just a lowly customer 😛) | Yes | No |
| For our marketing purposes (not surprised, but come on, really?) – to offer our products and services to you | Yes | No |
| For joint marketing with other financial companies (Feeding the co-opetition for fun and profit!) | Yes | No |
| For our affiliates’ everyday business purposes – information about your transactions and experiences | Yes | No |
| For our affiliates’ everyday business purposes – information about your credit worthiness | Yes | Yes |
| For our affiliates to market to you | Yes | Yes |
| For non-affiliates to market to you (so basically anyone with a checkbook) | Yes | Yes |

I guess I should not have been so wound up from the email alone, but a couple of months prior, one of the automobile manufacturers that I purchased a vehicle from sent me the following (once again my comments in red):

 

Email from Bedrock Motor Co.

Bedrock Motor Co., Inc. recently became aware (by carrier pigeon?) of unauthorized access to an email list used by a vendor (what vendor? Because I’d like to punch them in the nads for this.) to create a welcome email (wow, do companies write their own email anymore?) to customers who have a User Link or My Bedrock vehicle account. The data that was obtained included your email address, your name, Vehicle Identification Number (VIN) and User ID (You ever get the feeling that they don’t tell you everything that was “included”?). Your password was not included (That would be fine, except all the other information they have can be used to do a self-service password reset!) and no other sensitive information (what exactly do they consider “other sensitive”? Why not just tell me all the information they have on me?) was contained in that list.
 
We apologize for any inconvenience this may cause (similar to the letter above, the inconvenience is unknown until it’s too late, as I don’t know what information was really “accessed”. So, yeah, thanks for apologizing to me ahead of time before someone kicks in my teeth). As a company, we believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. (That’s very considerate; of course, until there was a law FORCING you to do this you never would have considered it.) You may be aware of attacks on email marketing systems, therefore we want to assure you that we take the safeguarding of your information seriously and that the appropriate authorities have been contacted regarding this incident. Additionally, we have taken steps to minimize this type of exposure in the future (Honestly, do companies not see this coming? Do they not read the news?).
 
As a Company, we encourage you to continue to be aware of the increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information (so if these companies know this, then why do they insist on pushing my email address all over creation) — Be cautious when opening links or attachments from unsolicited third parties. Also, know that Bedrock Motor Co., Inc. will not send you emails asking for your credit card number, social security number or other personal information. If ever asked for this information, you can be confident it is not from us.
 

After I got this message, I wrote Bedrock Motor Co. asking for details on the exact information that was compromised, when it actually occurred, and what the corrective action was. I am still waiting on a response.

But what I really want to highlight here is: do we have any idea where our personal information is going? Is anybody ultimately accountable for events like the above? I know we have laws and regulations, including HIPAA, Sarbanes-Oxley, etc., that claim to go after the CEO, CIO and upper management criminally, but how many of these organizations have actually seen their management do the perp walk? I am positive that both XYZINC and Bedrock Motor Co. have Identity Management technologies in place because I have done work at both in the past. I am equally sure that they have intrusion detection technology, GRC technology, and an array of other security solutions.

What I have no clue about is who these other companies being given my personal information are. To how many companies has my information been distributed, and for what reason? In both cases, the data loss or “access” occurred at a partner company and/or service provider. What is the validation process that XYZINC and Bedrock Motor Co. go through to ensure that the information is safe across the board? How do they validate the Identity Management, Data Loss Prevention and protection practices of the “affiliates” and “non-affiliates” that they seem so keen to give my personal information to?

In the case of XYZINC, they are bound by a number of standards and regulations. This does not mean that they are fully compliant or have properly executed the required controls, but the boundaries that they are supposed to live within are defined. What about the partners/service providers? Are they bound by the same regulations? Are they US based? If not, they may very well not be subject to HIPAA or SOX or whatever US regulation applies, and even if they are, what about the affiliates of the affiliates?

So can this be addressed?

Looking at this problem from a consumer perspective, I feel insulted, violated, and intentionally misled. I want details about exactly what happened and exactly what information was “accessed”. I want to know where all my information has been distributed, for what reason, and of what benefit to me. How much money was made in the distribution of my information to partners of the service providers, and does this reduce my cost of doing business with these providers? I want to know how these companies are going to support me if the theft of my information turns into personal financial loss or a tarnished credit record.

I have a strong desire to go to these companies with a few of my co-workers and perform a risk assessment of their environments, to turn over the rocks and expose some of the ugly critters that live underneath. To provide suggestions and solutions on how to eliminate the critters and put in place processes, policies, and technology that are robust enough and all encompassing to cover their internal and partner Identity Management challenges.

As a company, we keep up with the challenges that are faced every day in the management of identities across the various verticals. Something that is considered high profile and high risk in the banking industry may have little or no meaning at all in the higher education or automotive industry. The management of information flow between partners in different verticals is also quite different, some of which can have a serious impact on companies or individuals.

One of the interesting elements of all this is that companies really have learned how to maintain a very low profile when it comes to security violations. Sending out vague letters that communicate very little real information, along with comforting words that they have it under control, seems to be sufficient. Rarely, if ever, do you hear more about these events.

In our business, when a large Identity Management initiative is launched, anyone who’s keeping in touch with the industry usually hears about some related activity. To date, I haven’t heard nor read a blip in the market about either of the two companies above taking on a new Identity protection initiative. If there is a violation in the public sector, you can almost set your watch by the time it takes for new initiatives to get under way. If it’s something as big as the WikiLeaks scandal, you can almost hear the thundering herd of security professionals moving to the inner sanctum of the beltway.

The bottom line is that companies need to take their customers’ privacy matters into their own hands, even when working with partners.

At IDMWORKS when we get involved in Risk Analysis, Identity Strategy, or any type of security related initiative, we recognize and take into account that functional businesses require support services from various outside sources. At times this does require the need to share customer specific information. We work closely with our clients to ensure that only the “minimum necessary” information is passed along to partners/service providers to perform the required function, and that the client specific and any other information is properly protected.

Note: ARRRRGGGGGHHHH!!!!!! This just came in from another financial institution as I was finalizing this write up! I will leave out the blow-by-blow commentary this time, but this one seems a little more descriptive. Hmm…who’s driving their Identity Management Strategy?

Email from 123CO

As we have communicated over the course of the last week, EFGCO—a marketing vendor that sends e-mails on our behalf—notified us about unauthorized outside access to files that included 123CO customer e-mail addresses.
 
The information obtained was limited to the e-mail address of some customers. No account information or other information was compromised. We’ll continue to provide updates when we have important new information to share. And, we’ll let you know what impact, if any, these developments will have on you.
 
Protecting our customers’ information is always a top priority for 123CO. We’re working with EFGCO and law enforcement, and we’re thoroughly investigating this incident to help prevent future ones like it. EFGCO is also conducting its own comprehensive investigation in cooperation with the appropriate authorities.
 
It’s always a good idea to ignore any e-mail that requests your confidential account or login information. And don’t forget, if you get an e-mail you think is suspicious, don’t click any of the links. Just send it to 123CO@email.com. Then delete it.

We apologize for any inconvenience this unfortunate incident has caused and appreciate your patience. For more information, please visit our Web site at 123CO.
 
Sincerely,
123CO
 
I think I’m just going to become a hermit and live off the land.