BofA Discloses “Undisclosed” Breach
Jan 24th, 2010 by sherri
Recently, a friend of mine received a letter from Bank of America informing her that “some credit card information on your Bank of America account may have been compromised at an undisclosed third-party location.”
The letter went on to state that BofA had reviewed her account and saw “no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.” BofA also informed her that “we will close your existing account and issue you a new account number and credit card(s).”
Imagine if your doctor sent you a letter informing you that “you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.”
The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.
BofA referenced a web site where they talk about data compromise:
http://www.bankofamerica.com/compinfo
According to this site, “When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.”
In other words, the credit industry is facilitating willful ignorance in order to protect its fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not given the information we need to make educated decisions about whom we trust with our information.
Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept “secret,” but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.
Here’s my favorite section of BofA’s data compromise FAQ:
“Is it safe to use my new card?
“We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.”
Yes… an “isolated incident,” just like the other 285 million records that were compromised last year. Take these pills and carry on.
| Sherri Davidoff |
| PGP-signed text: 2010-01-24 (current) |

This is exactly the letter I got from BofA today. So – from what I understand, if I used my card at Wal-Mart and their security was breached then so was mine. Which might mean it could be breached again and I would again be vulnerable. At any rate, I feel okay about it since they guarantee I will not be liable for fraudulent charges.
I have another exact copy dated February 2, 2010. I actually found out about the breach before the letter reached me. I happened to log into the BofA site to pay my credit card bill shortly after the 2nd. The site did not notify me of the problem. It showed the wrong account number and demanded that I put in a bank account number before I could pay and then it started sending me to the security page no matter what link I clicked on. There was nothing on the site to tell me what had happened. But, they had instructed the site to block access to my account. They could have let me know through the site. Why didn’t they?
When I called to ask about the site I was told that my account was reported lost or stolen in early January. One bank employee let it slip that over 200,000 people were affected by the same breach. And then told me they did not know where the breach occurred. After being bounced through 3 people I was told that the breach occurred on February 2nd. They refused to tell me where the breach occurred. They seem to have lied about when the breach occurred. They did not cancel my stolen card. They did not call. They did not send me an email. Their staff told me BofA could not do either! And yet they can do both when a payment is late. All they did was send out new cards by snail mail.
The replacement cards they sent were already activated. Anyone who happened to get their hands on the new cards could have used them. I was not informed that the cards were coming so I would not even know that they were missing.
As far as I can tell a criminal act took place and Bank of America is actively colluding to cover up the crime.
I collected my notes on what happened and sent them to everyone I know in hopes of warning them of the danger. The message that Bank of America is not taking any reasonable steps to protect customers must be told. When a bank as large as BofA becomes more interested in covering up a crime than helping the victims, then they need to be put out of business.
I received the same letter from Bank of America today, March 15, 2010. When I called to say “Don’t reissue a new card, I don’t want one,” they would not talk to me without me giving them my credit card number and/or social security number. AND they were rude and transferred me twice without saying why.
How the heck are we even supposed to know the letter is real? And then they want us to call and give the person at the other end of the line all our account info???
And, same as the others, asked which merchant was compromised and they would not answer me. Why are they protecting them?
I was thinking of getting rid of the credit card, getting a cryptic letter like this just sealed the deal. If they’d rather save their business relations than protect their customers, I don’t want to be associated with them.
I had this happen to me. I should have known enough to use their shopsafe program when shopping on the internet. This assigns a different number that you can use to make a purchase and it is a different number each time you use this service. This way nobody knows your real account number and you would not have this problem. I will remember to do this from now on.
Probably a ploy to issue new cards with new terms & fine print.
Got this exact same letter in the mail today. The website address included in the letter isn’t even valid. Seems as though BofA isn’t offering a dang thing. Got a similar letter from Wells Fargo a couple of years ago and they paid for a year of credit monitoring service (can’t remember which service, but an outside company). At least, I don’t have a bunch of recurring charges that I use with this card – what a hassle. I’m going to check into the above mentioned “shopsafe program”. I assume that has some fee attached to it.
Got “the letter” today about my cc account – “may have been compromised at an undisclosed third party location”. It was or it wasn’t and they have to know where by the merchant codes. Baloney! First, they could discover plain English. They sound like “government speak”. Why can’t I know where not to shop? Because they don’t want to hurt their merchant relationship. Screw the customer! And this is my second of these inconveniences, and I have to look up the info and make the calls and the credit bureau gets this crap from the bank and puts it on my report. And if I am busy or on vacation and my automatic payment is bounced, guess whose credit report that is on. And just try fixing a credit report. Close to impossible. Now I see why BofA was on a recent list of the worst places to do business. Richly deserved. Fed up.
I received a letter from B of A today, June 4, 2010 giving me the same information as reported in the above messages. I am very concerned about the 3rd party issue as I had two other cards compromised in April, a Chase Card, and State Farm Bank card. It is pretty obvious that we are doing business with a thief and yet we have no idea who it is. The criminals racked up charges on the first two which took place on the East Coast… I live on the West Coast… looks like a ring of thieves.
Got this letter May 13. I have multiple accounts with BoA, but they stated only one was compromised and re-issued a new card. They also said that my current card would be valid till May 29th.
Between May 13th and June 1st, I had $850+ of fraudulent charges on multiple accounts with BoA.
Pain in the ass, but eventually I got it taken care of. Will this happen again? I have no doubt about it. Banks need to be a bit more proactive to this stuff.
I will however, keep my business at BoA.
I got my letter yesterday, July 30th! I have 2 BofA accounts, but, only got a letter for one of those. I, like David, comment #6 above, immediately thought, oh….now they will issue new cards, change the terms and interest rates! I could be wrong, but, after reading all of the comments above, I am wondering how a company can recognize accounts may have been compromised since the beginning of the year, yet, I’m just now being notified at the end of July! Something’s not right with that!
Same exact letter today, August 17, 2010. I find it quite ironic that I got this letter about two weeks after attempting to transfer my BoA balance to a lower interest rate card that I opened for a promotional rate four times less than the BoA rate,
I just received the same exact letter with a replacement card (in my case a debit card). Also, I checked out the page they referred me to for more information, http://www.bankofamerica.com/compinfo , but that page doesn’t exist.
At the very least, given the above string from January 2010, Bank of America is not providing security for its accounts.
I think that if my card was compromised, and I had to go through the hassle of changing all my stuff, they could at least provide credit monitoring, which by the way is the only way I found out about it in the first place. They had to do that last time, but only because of a class action suit. Bank of America is the snake of all credit cards. Is there any legal action?
I received the same letter this week, 9/15/2010. It was my debit card. I will no longer be associated with this bank.
I just received this letter today, October 22. When I called and escalated the issue, demanding to know who notified them, they said they would have the supervisor’s supervisor call me back. I told them I would not activate the card till they called and will cancel if I am not satisfied with their answer. I wonder what is going on with this rolling turnover of accounts? Could they really all be separate breaches?
I just got “the letter” today, Oct 23rd, and was told that my old VISA card number will be canceled approximately seven days after the mailing of this letter. There is no date on the letter, so just when is “approximately seven days” going to occur? When I first got my VISA card in 1995, it was through a local bank, and I was not even aware it had been “sold” or whatever to Bank of America….. I guess I have no choice but to activate the card, it’s the only one I have. Damn big business anyway. And, why the huge gap in the dates these letters were received???
I will probably be getting one of those cryptic letters soon. I was out shopping and my Debit card was canceled, not froze, canceled. I was grocery shopping. How embarrassing! I called BOA from my cell phone & they let me buy my groceries. I thought the card was active again. I go to another grocery for other items & card canceled again. I called again, BOA rep said card was canceled due to a security breach by a 3 party & they would be mailing a new card. I’m very angry. No forewarning, no notice on the online banking site, nothing. They also froze my Visa at the same time. I was in town with no working cards! BOA had my money! Dec.9th, 2010. two hours on phone w/BOA! This must be business as usual for BOA. Time to move on to another bank!
March 8th, 2011. And, yet again, another security breach involving thousands of customers and Bank Of America. I, too, was notified my card was “frozen” when I tried to use it to pay a bill over the phone. After speaking to 3 reps and a Supervisor in their customer service area, I was told the card was canceled due to a breach and I needed to wait until I received a new card in the mail to pay bills or make purchases. Let me think about that, most if not all bills have due dates and late charges if not paid on time. I am guessing by the time I received this new card it would be late and I would have incurred a late charge. When I questioned late charges, all the phone reps said I had to take that up with another department. Of course. I rarely carry cash and use my card frequently so if I had to wait for a new card, I’d be without groceries, gas etc until I got a new card. The phone reps did tell me I could go to a BofA branch, get a temporary card and then wait for another permanent card to be mailed. Because I wanted to discuss this further and didn’t want to wait until I received a new card, I opted to go to a branch. When I got to the bank, I found I could not get a temporary card because my account had been opened in another state and the only option was to close out the account I have had since 1992 and re-open one in the state I now reside. I declined but due to the perseverance of the personal banker, he was able to get someone to overnight a new card to me then gave me a cashier’s check at no charge to pay my bill. Otherwise I would have been without a card for however many days/weeks it took to replace mine. It’s a good thing I had a really good personal banker help me or I would have closed my account and notified the State Attorney General. I asked both on the phone and in person what company did this. The phone reps told me there was no way they could give me info on who had the breach as it was “under investigation” which is a blatant lie.
If a company tells BofA or any bank they had a breach, no investigation is involved, it’s a FACT. The branch rep said it was due to legal issues. I don’t believe any of those excuses. I was also told by everyone there was no way they could notify their customers prior to cancellation such as by phone or email due to the LARGE number of customers involved and the time it would take. Only a mass mailing letter can be done. Seriously? Not only would it be much more cost effective to notify by email than by snail mail but by being proactive, customers would not be caught off guard when they tried to use their cards and were declined. Not to mention IRATE. I know not everyone has online banking but I’ll bet millions of us do. Not notifying customers immediately is unconscionable. Like previous posters on this site, who wants to do business with a company that allows breaches of such magnitude. Seems like some branch of the government should/could force banks to be forthcoming with this information. I know BofA is not the only bank keeping these secrets as my brother banks with another bank and it has happened to him also. Oh, and I am still perturbed even after this rant.
I received one today on 04Apr11. I recently closed out all of my BOA accounts, except for the credit card and was wondering if the letter was some type of ploy to earn my business back. Maybe not…
The reason they sent you new cards was so they could make you feel vulnerable and get you on the phone to offer you a service that can protect you from identity theft. do you remember them offering this service?
I got my letter today, July 5, all my accounts are frozen or canceled..
WOW! Just received the exact letter as previous posts– on 8/22/2011!! I haven’t used that card for over a year….When I called the phone number on the letter, I received the same response. BofA acknowledged that I hadn’t used the card but a location where I used the card in the past had reported my card information had been compromised. She could not give me the location. I asked the rep if businesses typically keep credit card records for longer than a year. She said some do. I’m going to have to seriously re-consider the use of any credit card….
This is the second time it has happened to me. I am furious!
First my personal Visa, and then 2 months later my business Visa.
I was mailed new cards before I even knew my accounts had been compromised. I still keep getting the same blah blah blah.
A Very unhappy customer of Bank America.!!!!!
I also received a similar letter this week.
I agree with this blog completely. This is ridiculous, and absurd. I love how the customer service reps claim that they cannot tell me who/how my account was breached because “they don’t know”. Really?!? It is amazing they value my business so little. I have had a credit card with them for 20 years and they are my bank. I will be canceling my credit card and moving banks, and I told them so.
The only way our financial system will change is if we demand that it will change. Vote with your feet. And always vote!
My wife received a robo-call from BoA over the weekend saying they detected “unusual” activity on her card. The robo-call then asked her to verify her identity by entering her social security number. She immediately hung up. I called BoA directly and found that, yes indeed it was BoA calling (they verified the number), and that, yes the robo-call will ask you to enter your SSN. I was FURIOUS! BoA, in “trying to protect its customers” is acting like a phisher! Stupid. So after a while on the phone w/ customer service, I’m told that it wasn’t unusual activity but a “data compromise” and now all of a sudden, it’s my card AND my wife’s card. In fact, they said they had already put a block on both of our cards, though they were surprised to learn that we’d used one of the cards only about an hour before. UFB!
I think it is something from the inside. I had this happen twice in the past 4 or so months and have had to go through all the hassle of changing my card number for all the automatic payments I set up. I hardly ever use this card at all for anything except for automatic payments of my phone bill which a few months ago changed from AT&T to T-mobile, so a 3rd party merchant seems far-fetched. I just cancelled my card. Chase Freedom is awesome.