Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Chase Data for 2.6 Million Ends up in Landfill 148

svonkie writes to mention a ComputerWorld story about some bad news from some 2.6 Million Chase credit card customers. These folks are being told that tape backups with their information were mistakenly thrown away back in July. There's apparently no need to worry about possibility of compromised personal information; the company believes the tapes were destroyed at a landfill. Just the same, "To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes. Chase began notifying the affected customers about the incident yesterday and said the process is expected to take two to three weeks. The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes."
This discussion has been archived. No new comments can be posted.

Chase Data for 2.6 Million Ends up in Landfill

Comments Filter:
  • indexes? (Score:5, Interesting)

    by Loconut1389 ( 455297 ) on Friday September 08, 2006 @06:19PM (#16069444)
    if they think the tapes were destroyed, how do they know exactly which card numbers were on the tapes? I mean they may know the bulk, but not all, right? or would they? If they got rid of the tapes, would the still have the indexes?
  • by dgatwood ( 11270 ) on Friday September 08, 2006 @06:21PM (#16069451) Homepage Journal

    Is this data not encrypted!?!

    Yikes! A dumpster diver's paradise!

    • Re: (Score:3, Informative)

      It is, but the key is written on the outside of the tapes. Apparently it's some sort of poor-man's DRM.
    • by skids ( 119237 ) on Friday September 08, 2006 @07:21PM (#16069707) Homepage
      I know this for a fact, because of all the spam I keep getting telling me to fix the particulars of a Chase bank account which I have never had in the first place. Obviously there are bit errors in the data :-)

      • And this is very likely how a dipshit in NJ was able to walk in to the local RadioShack and use my SSN to buy a new cell phone without an id. It was those damn tapes! He just showed them to the clerk and they signed him up. That makes me really mad!
    • Re:Encryption!?! (Score:4, Interesting)

      by MECC ( 8478 ) * on Saturday September 09, 2006 @01:08AM (#16070614)
      I was working on a project with equifax, one of the companies that keeps a repository of consumer credit data. We were setting up a VPN to their internal network. I offered to give them my public key so they could encrypt some configuration data. They promptly sent it all in the clear, keys and everything.

      *sigh*

      The sad part is there doesn't appear to be an effective evolutionary mechanism to rid the gene pool of such undesirable traits. Maybe this guy [rleeermey.com] should be in charge of their data security, to help make sure the clueless don't contaminate the rest of the world.

  • by User 956 ( 568564 ) on Friday September 08, 2006 @06:21PM (#16069452) Homepage
    These folks are being told that tape backups with their information were mistakenly thrown away back in July.

    Well, they better go Chase it!
  • Company spokesman says, "Ooops. Our bad. Please, Mr. Government, whatever you do to punish us, don't give us lots of money. We hate that." Government officials are trying to determine how much money to punish them with.
  • by SpaceLifeForm ( 228190 ) on Friday September 08, 2006 @06:23PM (#16069464)
    Gee, what if this was an inside job, and they
    were placed in the trash to be retrieved later
    before making it to the dump?

    • Shiny! (Score:1, Funny)

      by Anonymous Coward
      Joss Whedon is now my master too.
      • Re: (Score:2, Informative)

        Er, parent post isn't offtopic. He's referring to the firefly episode "Trash", wherein a heist is pulled off by dumping a valuable object in the trash to avoid it setting off alarms on the way out. The valuable item is then retrieved from the trash bin before it makes it to the dump.
    • Re: (Score:3, Funny)

      by truthsearch ( 249536 )
      That would stink.

      (Sorry.)
    • That sounds an awful lot like the original plot to the original Ocean's 11... Except it was Sammy Davis Jr driving the garbage truck, and it was the Casino's money, not the personal information of millions of customers...
    • Since that law was passed it seems one company every 2 or 3 months ends up announcing a huge amount of SSNs, credit card numbers, or otherwise private info has been "misplaced" etc.

      Makes me wonder how much crap was lost before that law and were never told about.
  • Grab your shovels boys and watch your step on those hypodermic needles!
  • ...thinking that the tapes were destroyed is not an acceptable answer. From a PR standpoint they should've just lied or said they were taking actions to make sure they were destroyed.
    • You're right, they could have said: "Instead of the possibility that the customers card numbers be out in the wild we have made sure they are destroyed with the use of 3 million tons of molten lava and napalm we threw on top of the dump. Case closed critics."

      How dare someone NOT lie!
      • ... better yet, have all new cards issued with new numbers (credit, ssn, drivers license, etc) and they have to pay the costs.

        That's an incentive with TEETH.

      • by Trillan ( 597339 )
        That assumes the tapes are still in the dump. One or more of them could have escaped (with help, of course).

        We'll have to nuke the planet. Just to be sure.
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      They could have already lied, the tapes could have been stolen and they are stating they were thrown away.

      I know we all look back and say, what were they thinging with stories like this, but really, what were they thinking? Doesn't every single person that has any involvement with any type of backup media know that it contains information that anyone with that media could read? What person in the IT department would just throw them away? That does not make any sense at all. I work in a law firm of about
  • Circuit City (Score:5, Informative)

    by phatvw ( 996438 ) on Friday September 08, 2006 @06:25PM (#16069478)
    The article summary posted above fails to mention that these were Circuit City credit customers. That is a very important bit of info as many retail credit card holders often have no idea who the issuing bank is.
    • Re:Circuit City (Score:4, Insightful)

      by TubeSteak ( 669689 ) on Friday September 08, 2006 @07:41PM (#16069780) Journal
      That is a very important bit of info as many retail credit card holders often have no idea who the issuing bank is.
      True dat.

      I have a CC with a "MBNA America" & "MasterCard" logo on it.

      I called the 1-800 number on the back... and they responded:
      "Hello, this is [Some Gal] with [Company I've Never Heard Of].

      Makes me wonder, if your CC gets stolen/lost & you don't have a bill handy, how do you remember what number to call and report it?
      • Makes me wonder, if your CC gets stolen/lost & you don't have a bill handy, how do you remember what number to call and report it?

        111-1111... Chase? Damn!

        111-1112... Chase? Damn!!
      • by SeaFox ( 739806 )

        I have a CC with a "MBNA America" & "MasterCard" logo on it.

        I called the 1-800 number on the back... and they responded:
        "Hello, this is [Some Gal] with [Company I've Never Heard Of].

        I'm a Chase cardholder and they do the same thing. The automated system answers with simply "Thank you for calling credit card services..." no company name at all. They also use the CallerID info as part of he verification for account access. If I call from my cell phone (which is the phone number I have listed with them), I

      • by jimicus ( 737525 )
        Equally possible it was answered by a call centre which handles lots of card companies, and the person answering the phone wasn't paying enough attention to the message which flashed up on their screen saying who they should claim to be.
    • Household Bank. And after they absolutely dicked me over on one of them 'buy now pay later' plans, I refuse to use any card backed by that bank.
    • by SeaFox ( 739806 )
      The article summary posted above fails to mention that these were Circuit City credit customers.

      Which is a great bit of info for me. I am a Chase cardholder, but it's a real Chase card, not a Circuit City card, so I dodged the bullet on this one.
  • I say... (Score:5, Funny)

    by camperdave ( 969942 ) on Friday September 08, 2006 @06:26PM (#16069480) Journal
    I say they nuke the site from orbit. It's the only way to be sure.
  • by earthlingpink ( 884677 ) on Friday September 08, 2006 @06:26PM (#16069483) Homepage
    One year of free credit monitoring?

    Is it just me, or is the whole "pay for" credit monitoring industry a big con?

    You have to PAY to find out what information may or may not be stored about you? It may be correct; it may be erroneous: you don't find out until you've stumped up the cash (and yes, I realise that the credit companies are required to make information available in the event that you are turned down for credit... but what about those who are just curious?).

    And in this instance, what happens when that year is up?

    • Re: (Score:3, Informative)

      As i recall you're allowed 1 free credit report a year every year anyway. Wasn't there a piece of legislation passed that said that?
      • by Anonymous Coward on Friday September 08, 2006 @06:57PM (#16069619)
        The FTC website [ftc.gov] gives good explanation of how you can get a free credit report. You can get one per year for free (as parent mentioned), but you can also get them in other situations, such as if you are the victim of identity theft, or if you are unemployed, etc.. They lay out a few examples of how you can get one in the linked document.

        Someone got an expired credit card number of mine and did some damage on eBay, lucky only for about $200. It still took me approximately 30 hours of my time just to clear the shit up with AOL, eBay, PayPal, and the collection agency that originally contact me. I also filed a local police report, contacted the FTC, and Equifax. By law one of the major credit agencies has to provide you with a free credit report in those situations. I'm not sure if anything can be done if your information was just "lost", rather than "stolen", but you are atleast guaranteed the free credit report each year regardless.
        • by durdur ( 252098 )
          Yeah, so I'd like see legislation that makes careless custodians of your information, like Chase, pick up the bill for all your lost money, time, etc. up to some fairly large limit, like $10K per credit card. I bet we'd see a lot more encryption and a lot fewer stolen laptops, dumped tapes, hacked websites, etc. Could still happen but they are bound to be more careful when it is not just their reputation but hard dollars also at risk.

          • The only problem is that the majority of personal information leaks seem to be form the government in particular the VA is great at losing laptops with large amounts of personal information. And to enact legislation like that would really be shooting themselves in the foot. The government treats you bad because they aren't afraid of losing you as a customer.
        • Re: (Score:3, Insightful)

          by aztektum ( 170569 )
          that's great. 3 big companies are required to turn over any records they have pertaining to me once every 12 months, but only at my request.

          the law should require ANY company that keeps customers private information for any period to at least proactively make the customer aware, then divulge it at no expense to the customer.

          its my data, they're retaining it for some purpose, usually financial gain. i should be informed, given a cut or the option to have them expunge it.
          • the law should require ANY company that keeps customers private information for any period to at least proactively make the customer aware, then divulge it at no expense to the customer.

            On the flip side, it would make mail theft a more viable means of identity theft.

            Right now, when you request a credit report, you'll be looking for it. If it's sent out automatically, would you realize if it didn't show up?

      • by schtum ( 166052 )
        It's actually THREE free credit reports per year. One from each of the three credit reporting companies: Equifax, Experian and TransUnion. I know this because I just did all three last week, but you should be able to get one every 4 months as long as you don't use the same company twice within a year.
    • by dr_dank ( 472072 )
      And in this instance, what happens when that year is up?

      Then they'd be signed up for this service (automatic renewal) at the full consumer price. Credit monitoring services usually clamor for these kinds of cases since they tend to make money on people who stay with the service or just don't notice as the service autobills them.

      With the high likelyhood of some kind of "partnership" between the creditor and these monitoring services (if not outright ownership), the offending bank stands to make money either
    • The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes.

      Free credit monitoring is the least they should be offering. Asking the customer to buy protection against potential misuse that was caused by the company is extortion. This is no different from throwing bricks close to someone's window and telling them, 'whoops, my bad. I tell you what, since I'm such an upstanding citizen, I'll make sure your window doesn't break from flying bricks for

    • Re: (Score:2, Interesting)

      by LifesABeach ( 234436 )
      I have the same question as the parent above. But credit checking for only one year? The expiration dates on those cards go far longer than a year. And to think that the data is lost in some pile of trash the size of a small canyon is, to me, criminally foolish. I think a better public relations spin would be to tell Visa, or Master Card that Chase wants to know of any wrongful use of the 'trashed' credit card numbers. Chase could then look like a hero by aggressively bringing to the courts notice, tho
    • Re: (Score:2, Insightful)

      It's not just a big con, it's incredibly unethical. People should be able to find out what data is stored about them as well as be able to correct erroneous information for no cost. In a computer ethics course I took as an undergraduate we learned about ethical issues related to databases; I can't recall the name of the text we used, but I believe there was a section talking about six ethical principles.
      • Re: (Score:3, Informative)

        by LordKronos ( 470910 )
        You are able to find out what data is stored. You are entitled to a free annual copy of your credit report from each of the 3 reporting agencies. Further, you are allowed to request they fix incorrect information. If they don't comply and fix incorrect data, there is also a law (which I'm not fully familiar with) which allows you to sue them for it. A couple of the credit-related forums have regular reports of people suing creditors and credit reporting agencies for failure to fix incorrect information and
        • by ipfwadm ( 12995 )
          Whoop-de-doo, one free copy every year. So if things start hitting my credit report the day after I check it, I'm screwed for 364 days unless I somehow find out about it and can then get another copy based on suspicion of fraud. How much does it cost the reporting agencies to let you get an online copy far more often, like once a week or once a month? Just about nothing. I could understand not being able to get a paper copy that often, since that actually has costs. But online, come on. Once a year is a jok
  • by davidwr ( 791652 ) on Friday September 08, 2006 @06:31PM (#16069513) Homepage Journal
    Now we know where this guy [dilbert.com] funds his science projects and student loans.
  • There's a news [shareholder.com] summary on their main web page:

    Circuit City Customers

    Chase is notifying a segment of Circuit City credit card account holders that computer tapes containing their personal information were mistakenly discarded.
    • I wonder how long those computer tapes will remain in a "salvagable" condition?

      Were they in containers of some sort that may or may not have been cracked open while near the surface of the landfill?

      What kind of volume do we have at this landfill, arriving daily. Not much, it was a holiday. Quite a lot, we get 40 trucks per hour here.

      Were employees of the landfill, namely garbage pickup drivers, dozer drivers, interviewed to see if they "remember" seeing some sort of container that resembles "this one" (pict
  • I knew they'd end up down in the dumps
  • I knew there was a reason I went with Capital One...

    What's in your wallet???
  • So what it came down to is someone not doing the proper procedure.
    • by mypalmike ( 454265 ) on Friday September 08, 2006 @07:21PM (#16069708) Homepage
      > So what it came down to is someone not doing the proper procedure.

      I think they missed the fine print in step 3:

      Chase Inc.
      Procedure manual.
      Page 1.

      While cleaning out the server room:

      1. Place trash barrel in center of room.
      2. Remove tape from backup drive.
      3. Toss backup tape across room to storage rack on opposite side of room.*
      4. Collect all trash and place in trash barrel.
      5. Bring trash to dumpster.

      * Be sure not to allow tape to land in trash barrel.
  • human stupidity will cut right through it. Why doesn't the bank just leave a few hundred thousand dollars of their customer's money in the middle of the landfill.
    • To paraphrase Lewis Black: "It would've been better if the CEO of Chase just came to your house ... and pissed on your foot."
  • I worked for Chase when this happened.
    The guys couldn't find the tape(s) and were SURE that they had ended up in the storage locker...
    Guess they couldn't find them there...

  • What the summary doesn't mention but it's in the article that it affects Circuit City customers only. At least, my Amazon card is OK. (I hope...)
  • obviously (Score:4, Insightful)

    by swelke ( 252267 ) on Friday September 08, 2006 @06:51PM (#16069599) Homepage Journal
    To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes.

    How in the world would they just now find out that they threw such a thing away if they weren't already conducting some kind of review like that? The truth must be that they were already conducting the review, found the prior mistake, and then used the review as a way of atoning for the mistake.
  • With so many companies collecting personal data about customers, and with the complexity of managing this data with the necessary protections, it seems like incompetence in managing customer data is prevalent. Customers are justified in not trusting the companies to manage their data properly.

    It looks like a great opportunity for some IT company to come along and provide some standardized service. For example, the management company would provide options on encryption, accessing/sharing policies, archiving
  • by Anonymous Coward on Friday September 08, 2006 @07:07PM (#16069656)
    I used to work at a Chase subsidiary, and no amount of IT incompetence from them surprises me. Frankly I'm shocked we were never sued into the ground with the idiotic things they did; for example, sending out tax forms for RV loans late, resulting in customers losing tax refund money; also (it was a "loan servicer") we'd call people 3x or more/day after they'd already spoken to us.

    The corporate intranet webshite had a form that all employees had to agree to yearly. My section all did theirs after I did, and each time they logged in *on different machines and with different accounts* the form thought they were me.

    I know I could name many more things, but it's been a couple years and I've successfully blocked out most of those memories.
  • by mkraft ( 200694 ) on Friday September 08, 2006 @07:13PM (#16069678)
    I have a Chase Circuit City credit card. Why am I first hearing about this on Slashdot instead of from an email from Chase?
    • Because they said the process of directly notifying all customers would take a few weeks. Hence the reason for announcements like this, so that customers will be able to learn about it before the company is able to directly contact them.
  • >> the company believes the tapes were destroyed at a landfill.

    Like they'd have bothered to find out for sure if it got trashed or where every item in their trash goes.

    Read: we really don't know where it is but no-one seems to have used the data yet, so we're going to say some non-commital 'we beleive' bullshit to make you feel happier.
  • People keep jumping all over companies over their stupidity in incidents like this one.

    Really I am shocked that it does not happen (or at least doesn't get reported) more often. All it takes is one stupid employee, or one mis-run report and hundreds of tapes can end up anywhere.

    Companies in the Fortune 500, let alone finanical institutions in the Fortune 50 have hundreds of thousands of backup tapes. These tapes do eventually wear out and need to be replaced. Typically, you would destroy the tapes onsit

    • So, while I am sure heads are rolling at Chase, I am not horribly mad at them (I am a customer of theirs, but have not recieved a letter). I understand how things like this can happen.

      At my previous job we had two degaussing devices. One mains powered unit like a large shaver, and a simple permanent magnet. Every tape which we got rid of was treated by one or both machines. Any competent organisation would do the same.

    • It's also not particularly difficult to create a system wherein things like this cannot happen. Get a thirty thousand dollar automated backup vault, and when it comes time to move the backups, pretend they're money. Draw big green dollar signs on some bags and put the tapes in those, then send them around in an armored car. It's not like Chase is running short on armored cars.

      You don't see Chase accidentally burying bags full of money, now, do you?
  • Give them a break! With all the havoc that's happening at Chase HQ [wikipedia.org], I'd imagine that something like this could be overlooked.
  • I have had the unfortunate pleasure of dealing with Chase on both a business and a personal level. This is a classic case of Chase covering their ass once again for trying to cut corners and once again, failing their customers. Nice cover story, I am not buying it for a second.
  • So that's why they keep sending me emails to update the information on my account!

    ...laura

  • I would hope that any old tapes would be shredded according to some predefined corporate security policy...
  • I mean, yeah, they really should have destroyed those tapes if they meant to throw them out. But I'm having a hard time believing that any dumpster divers are actually crawling through trash cans and picking up old backup tapes just on the off-chance that there might be credit card info on them. Seems like there's probably far, far easier ways to get 2 million valid credit card numbers.
    • by vidarh ( 309115 )
      Yes, you just buy them off people on IRC. According to a security expert I used to work with, the going rate for 10,000 credit card numbers WITH expiry date and security code, and recently verified to work, was around $50 a couple of years ago.
  • Interesting timing. Just a moment ago I opened my mailbox and found a letter from the Department of Veterans Affairs. It seems they found the stolen hard drive [consumeraffairs.com] that contained personal info on 26.5 million veterans. According to the letter, the FBI found the laptop and hard drive.

    "Based on the results of forensic tests, the Federal Bureau of Investigation (FBI) has told us that they are highly confident the sensitive data were not accessed."

    As a further backup, the VA has "obtained data breach analysis services as a means of further ensuring no misuse of this data occurs in the future."

    Like Chase, the VA is "throughly examining every aspect" of their information security program. In the case of the VA snafu, an employee took the laptop home in violation of VA policy. The rash of these incidents makes me wonder how we can expect any sort of large organization to keep a lid on data spills like these, given that most people can't be bothered with basic security precautions even on their own computers. Even if the VA spends millions upon millions of dollars upgrading their security technology and processes (which of course will draw the wrath of opponents of government waste), I'm not sure it will make much difference.

  • *Imagine you are looking at me, a masculine gentleman with a suave but geeky apperance when suddenly an effeminate voice that is not his own begins to speak, sort of like those Citi bank commericals* "Wow! This is just mah-voh-ously fabulous! I found this guy's credit card accound and I was like 'Hello shopping spree!' So me and the boys went down to the gay bar and spent all this guys money. If the fact that I took his identity is stollen doesn't shock him, the places that I spend it will."

    --Bushido Hac
  • I was helping a VERY untechnical office staff (most around 50+ years old) move to a new building and while going through the basement, we found floppy backups of their medical and insurance info and they told me they didn't need ones older than 10 years, which there were some of. Before I even said it, they suggested we destroy them somehow because of the sensitive data on them. I ended up putting a scissors blade through a couple hundred floppies, 3 at a time (that was FUN!) But if 50+ year old doctors
    • Here is a question, wich needs to be destoyed before throwing away. Patient data on a paper chart, puch-card, a computer tape or on a HD? Can you guess the answer? All of i offcourse.

      There is nothing new about loosing a box of paper records vs a stack of backup tapes. Just that it just seems looking back people used to have more common sense. Simple thing really, the old paper records at the local townhall were in a FUCKING SAFE. The new computer system has internet. Can you see the difference? One gets lo

  • "There's apparently no need to worry about possibility of compromised personal information; the company believes the tapes were destroyed at a landfill."

    They "believed" the tapes were locked-down safe before, but they weren't. Now they "believe" the tapes were destroyed. Who cares what they "believe"? Corporations can't "believe" anything.

    They need to produce evidence that these tapes were destroyed, offer proactive credit monitoring until the the personal info expires, and assume liability for any misuse o
  • by fizban ( 58094 )
    Way back in July? Hmm... let's see... oh, right! That was right about the time I saw fraudulent activity ON MY CHASE CREDIT CARD! Christ Almighty, is it soooo hard for companies in this country to not be idiotic and to take some f***ing care of their clients' private and sensitive information? I mean, really, is it that hard? "Oh, sorry, we just handed your entire life's story - bank account numbers, social security number, favorite dog's name - to that guy who walked in off the street... We thought he was
  • The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes.

    I am not a US citizen, and I wonder why an SSN is secret information that has power w.r.t. credit.
    We do have a similar number, but it essentially is public information. It is printed on all letters from the tax office and social security (related) offices, and soon will be used by all government and municipality related offices. It is on your passport, your driver's license, it is everywher

The solution of problems is the most characteristic and peculiar sort of voluntary thinking. -- William James

Working...