[ISN] Another breach at Wells

From: InfoSec News (alerts@private)
Date: Wed Sep 06 2006 - 23:26:13 PDT


http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/09/06/BUG90KVPSK1.DTL

By David Lazarus
September 6, 2006

Have we reached the point where stolen laptops and missing consumer
data have become so commonplace, they're no longer news? It's starting
to seem that way.

But that doesn't diminish the seriousness of the problem -- or the
profound impact such incidents can have on people in terms of the
threat of fraud and identity theft.

The latest installment in this long-running drama involves Wells
Fargo, which has now experienced at least six significant security
breaches in less than three years.

The latest, which the San Francisco bank disclosed in letters dated
Aug. 28 to employees, involves the theft of a computer and data disk
from the trunk of a car belonging to an outside auditor.

According to Wells, the disk contains the names and Social Security
numbers of an undisclosed number of bank workers, as well as
information about prescription drug claims made through the company's
health plan last year.

Wells isn't saying where or when the theft took place. It says only
that the bank has "no indication that the information has been
accessed or misused." Employees are being offered one-year
subscriptions to a credit-monitoring service.

"The auditor had this information because we are required by the
Internal Revenue Service to have our health plans audited by
independent, qualified public accountants," said Julia Tunis, a Wells
spokeswoman. "The auditor is no longer auditing any of our plans."

She said the auditor "contacted law enforcement when it learned of the
situation, and both the authorities and Wells Fargo corporate security
are investigating."

The incident is a virtual rerun of a security breach disclosed last
month by San Ramon oil giant Chevron. In an e-mail to U.S. workers,
the company said a laptop "was stolen from an employee of an
independent public accounting firm who was auditing our employee
savings, health and disability plans."

A Chevron spokesman said the missing data include names, Social
Security numbers and other sensitive data.

A key vulnerability

Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego
advocacy group, said it's become clear that corporate third parties --
and especially auditing firms -- represent a key vulnerability when it
comes to keeping customer data under wraps.

"In the old days, auditors would come in and practically live in your
office for a week or two," she observed. "Now they take the work
home."

While many companies have experienced security breaches in recent
years, Wells has had an especially rough run of bad luck.

In May, the company alerted mortgage customers that their name,
address, Social Security number and account number were stored on a
computer that disappeared while being transported by "a global express
shipping company" from one Wells Fargo office to another.

It didn't say how many of the bank's 23 million customers were
affected. (Bank insiders have since told me the shipping company in
question was DHL.)

Prior to that, about 700,000 people had their personal data
jeopardized due to a string of security breaches affecting Wells
Fargo, according to the Office of the Comptroller of the Currency,
which regulates federally chartered banks.

These incidents include an October 2004 theft of four computers from
the office of a bank affiliate, a March 2004 computer theft from a
bank office, a February 2004 computer theft from a rental car driven
by two bank employees, and a November 2003 computer theft from the Bay
Area office of a bank consultant.

In an e-mail to workers Tuesday, Avid Modjtabai, Wells' director of
human resources, said the bank isn't saying more about the latest
incident "because doing so may jeopardize the investigation."

Return to sender: Then there's the matter of Alameda resident David
Cassel, who exited a job at a Bay Area tech company in June 2005 and
then, a few months later, received a check for $262 from Wells Fargo,
which administers the tech company's 401(k) plan.

"I assumed they were sending me some sort of end-of-the-year profit
sharing," Cassel said.

He deposited the check in his bank account (BofA, not Wells) and that
was that. And then a whole year went by.

That wasn't the end

And then, just the other day, Cassel received a letter from Wells
Fargo saying that the $262 had been sent to him in error and that the
bank wants its money back. That raised an interesting question
(several actually).

"Do I have to give it back?" Cassel wanted to know. "Even if it's
their mistake? Isn't there a statute of limitations or something?"

The answers: Yes, yes and, surprisingly, yes.

"If he was truly paid in error, he needs to pay it back," said Fred
Keeperman, a Moraga attorney who specializes in debt collection.

But there is a statute of limitations on this sort of thing, he said,
and in most cases that's four years. So Wells Fargo is still within
its rights in demanding the money back 12 months later.

The bank agrees.

"If the assets of a plan are distributed incorrectly, for whatever
reason, fiduciaries have an obligation under federal law to try to
collect those assets and have them returned to the plan," said Susan
Stanley, a Wells spokeswoman.

But wait, as they say, there's more:

Cassel has just received another letter from Wells, this time stating
that "not all (retirement plan) participants who received a letter
should have received a letter." After further review, the bank has
decided that Cassel doesn't have to send the money back after all.

"Wells Fargo Retirement Solutions is truly sorry for any inconvenience
the earlier letter may have caused," the bank said.

That's OK. Nobody's perfect.

-=-

David Lazarus' column appears Wednesdays, Fridays and Sundays. Send
tips or feedback to dlazarus (at) sfchronicle.com.

