[ISN] E-mail snarls bank in privacy inquiry

From: InfoSec News (isn@private)
Date: Mon Feb 23 2004 - 23:46:39 PST


    Forwarded from: Marjorie Simmons <lawyer@private>
    
    http://www.miami.com/mld/miamiherald/8019815.htm
    
    Mon, Feb. 23, 2004
    Associated Press
    
    ST. LOUIS - State investigators are trying to pinpoint whether
    Southern Commercial Bank perhaps compromised the privacy of more than
    40,000 customers by e-mailing unsecured personal data to an
    independent computer programmer.
    
    The information included bank account and Social Security numbers and
    addresses of customers who have loans and demand deposits, including
    checking, savings and money market accounts, the St. Louis
    Post-Dispatch reported Monday.
    
    Regulators are concerned because such information could be used to
    commit identity theft, either by the person who receives it or by
    someone who accesses the computer or the transmission.
    
    St. Louis-based Southern Commercial said it did not violate its own
    policies or federal regulations designed to protect customer
    information.
    
    "There is a statement of policy, not laws, involving the transmission
    of data over the Internet," said Eric McClure, commissioner of the
    investigating Missouri Division of Finance, which regulates
    state-chartered banks including Southern Commercial. "Generally,
    unencrypted information is not recommended."
    
    St. Louis Federal Reserve Bank officials said the matter would be
    reviewed during the bank's next examination.
    
    McClure said anyone who knowingly or intentionally shared the data
    could face federal criminal charges, punishable by up to five years in
    prison.
    
    "We've got zero tolerance for this information being out there,"
    said Joe Elstner, a spokesman for St. Louis' Federal Reserve Bank.
    
    Rick Henderson, a Kirkwood computer programmer, said Tom Green - vice
    president of one of Southern Commercial's 10 branches - sent an e-mail
    in October that included the questioned information in an attachment.
    
    At the time, Henderson, working as a subcontractor, was trying to
    finish a computer program that was to help the bank improve customer
    service. When personal information on more than 40,000 of the bank's
    customers was e-mailed to him, he said, "I just about fell out of my
    chair when I opened it, and it was the real thing."
    
    He said he contacted state regulators and the Post-Dispatch after he
    was not fully paid for his subcontracting work.
    
    Henderson said he did not illegally use the customers' information and
    does not intend to do so. He said he no longer has the information,
    and the e-mail with the attachment was deleted when he rebuilt his
    computer.
    
    Dick Illyes, president of the bank's contractor, Micr Automation Inc.,
    said Green "made a mistake" when he sent the e-mail with attached
    records and simply assumed Henderson "was trustworthy."
    
    The bank's attorney, Jeff Demerath of St. Louis, sent a letter last
    month to Henderson demanding that he return the information or provide
    proof he destroyed it or face prosecution.
    
    Henderson said he did not respond. Demerath said Southern Commercial
    is nonetheless satisfied that the information was not and will not be
    disseminated.
    
    Since the incident, Demerath said, the bank has revised its practices
    regarding the sharing of customer information with vendors.
    
    Joe Elstner, a spokesman for the Federal Reserve Bank of St. Louis,
    said that while banks may share sensitive customer information with
    vendors under contract, banks may not share such information with
    outsiders.
    
    Illyes said Micr - a longtime check-processing consultant to the bank
    - treated Henderson as its employee, though it has no written contract
    with him.
    



    This archive was generated by hypermail 2b30 : Tue Feb 24 2004 - 06:43:23 PST