BofA Discloses “Undisclosed” Breach
Jan 24th, 2010 by sherri
Recently, a friend of mine received a letter from Bank of America informing her that “some credit card information on your Bank of America account may have been compromised at an undisclosed third-party location.”
The letter went on to state that BofA had reviewed her account and saw “no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.” BofA also informed her that “we will close your existing account and issue you a new account number and credit card(s).”
Imagine if your doctor sent you a letter informing you that “you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.”
The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.
BofA referenced a web site where they talk about data compromise:
http://www.bankofamerica.com/compinfo
According to this site, “When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.”
In other words, the credit industry is facilitating willful ignorance in order to protect their fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not provided with the information we need to make educated decisions about who we trust with our information.
Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept “secret,” but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.
Here’s my favorite section of BofA’s data compromise FAQ:
“Is it safe to use my new card?
“We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.”
Yes… an “isolated incident,” just like the other 285 million records that were compromised last year. Take these pills and carry on.
Sherri Davidoff
PGP-signed text: 2010-01-24
This is exactly the letter I got from BofA today. So – from what I understand, if I used my card at Wal-Mart and their security was breached then so was mine. Which might mean it could be breached again and I would again be vulnerable. At any rate, I feel okay about it since they guarantee I will not be liable for fraudulent charges.
I have another exact copy dated February 2, 2010. I actually found out about the breach before the letter reached me. I happened to log into the BofA site to pay my credit card bill shortly after the 2nd. The site did not notify me of the problem. It showed the wrong account number and demanded that I put in a bank account number before I could pay and then it started sending me to the security page no matter what link I clicked on. There was nothing on the site to tell me what had happened. But, they had instructed the site to block access to my account. They could have let me know through the site. Why didn’t they?
When I called to ask about the site I was told that my account was reported lost or stolen in early January. One bank employee let it slip that over 200,000 people were affected by the same breach. And then told me they did not know where the breach occurred. After being bounced through 3 people I was told that the breach occurred on February 2nd. They refused to tell me where the breach occurred. They seem to have lied about when the breach occurred. They did not cancel my stolen card. They did not call. They did not send me an email. Their staff told me BofA could not do either! And yet they can do both when a payment is late. All they did was send out new cards by snail mail.
The replacement cards they sent were already activated. Anyone who happened to get their hands on the new cards could have used them. I was not informed that the cards were coming so I would not even know that they were missing.
As far as I can tell a criminal act took place and Bank of America is actively colluding to cover up the crime.
I collected my notes on what happened and sent them to everyone I know in hopes of warning them of the danger. The message that Bank of America is not taking any reasonable steps to protect customers must be told. When a bank as large as BofA becomes more interested in covering up a crime than helping the victims, then they need to be put out of business.