TD Bank "misplaced" the unencrypted data of 267,000 customers

By on October 16, 2012, 5:00 PM

Toronto-Dominion (TD) Bank is notifying customers about a mishap that may have exposed the personal details of more than a quarter million people. In letters sent to folks along the East Coast of the US, the company writes that it lost two data backup tapes that may have contained the names, addresses, birth dates, driver's license numbers, debit card numbers, account numbers, Social Security numbers and other such information of about 267,000 customers spanning from Maine to Florida.

TD Bank is unable to account for the disappearance of the tapes and has no clue where they might be. They simply vanished while being transferred between locations. Although its letters to States' Attorneys General acknowledge the possibility of a security lapse, TD Bank spokeswoman Rebecca Acevedo said the company isn't classifying the event as a breach. "No data has been lost," she said. Rather, it has merely been "misplaced" -- less than comforting words for those affected, we're sure.

To make matters worse, TD Bank waited more than five months to notify customers of the issue. The tapes originally disappeared in late March 2012. The company reportedly delayed its announcement so it could conduct a thorough investigation. As the cherry on top, all of the data was unencrypted. On the bright side, TD Bank says there are no signs that the "misplaced" information has been misused.

Nonetheless, TD Bank's conduct has drawn scrutiny from customers and government alike. The mishap could cost TD Bank nearly $43 million in lost business, according to information security analysts at the nonprofit Ponemon Institute. "We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss," said Massachusetts Attorney General Martha Coakley.

Customers with data on the lost tapes -- which includes about 1,000 Canadians with US accounts -- should have been contacted via snail mail. Individuals affected by the loss may transfer funds from affected accounts to new accounts free of charge and they are eligible for a free year of credit monitoring. Additionally, TD Bank reminds customers of common sense practices that can help prevent identity theft:

  • Remain vigilant about your personal information, particularly over the next 12 to 24 months.
  • Carefully review monthly account statements and your free credit reports.
  • Notify us immediately of any suspicious activity or suspected identity theft.
  • Report any suspicious or unauthorized activity to law enforcement and to the FTC at 1-877-FTC-HELP (877-382-4357)
  • Place a fraud alert on your credit file, which tells creditors to contact you before they open any new accounts or change your existing accounts.

User Comments: 7

Got something to say? Post a comment
avoidz avoidz said:

Is "misplaced" like an "unrequested fission surplus"?

dikbozo said:

I am sure glad I have never had an account at this +100 year old bank.

Guest said:

The title scared me, I actually live in Toronto and my bank is TD. However "misplacing" foreign (USA) personal information is fine by me. ;p

lchu12 lchu12 said:

@Guest: I wouldn't be so sure, if it could happen to there in the US. It can sure as hell happen here in Toronto...

Guest said:

This really goes to show you how incompetent big corporations are with your personal data. I guarantee you your whole personal financial data is floating around on someone's laptop or a simple thumb drive somewhere right now without any security measures implemented. The reason being is that average joe employee or that non-tech savvy CEO has complete access to your personal data from the company's server but has no clue how to protect your information. I've worked in lots of companies and in every one of them I could easily download people's personal data and credit card information and noone would either know or care. Pretty scary if you ask me.

Guest said:

I find this kind of thing more forgivable than shoddy password security encyption. Who hasn't lost track of something important at somepoint. That said...these things would wash better with the public if they didn't wait 5 months to alert people. They should make annoucements like "Hello customer, last week we may have had a breach in our security, heres your coupon for free Identity Theft Protection while we investigate." When they wait it tells the customer "we just spent 5 months trying to prove we didn't screw up, sorry about the damage to your credit rating. TD Bank cares, just not about you."

Guest said:

To be fair, how many people knew of the security vulnerability when it happened? Now how many know it now?

If they publicly announced it, scammers, frauders, and thieves would have heard about it, and that presents an even greater security threat.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.