BofA Discloses “Undisclosed” Breach
Jan 24th, 2010 by sherri
Recently, a friend of mine received a letter from Bank of America informing her that “some credit card information on your Bank of America account may have been compromised at an undisclosed third-party location.”
The letter went on to state that BofA had reviewed her account and saw “no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.” BofA also informed her that “we will close your existing account and issue you a new account number and credit card(s).”
Imagine if your doctor sent you a letter informing you that “you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.”
The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.
BofA referenced a web site where they talk about data compromise:
http://www.bankofamerica.com/compinfo
According to this site, “When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.”
In other words, the credit industry is facilitating willful ignorance in order to protect its fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. As customers, we are not given the information we need to make educated decisions about who we trust with our information.
Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept “secret,” but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.
Here’s my favorite section of BofA’s data compromise FAQ:
“Is it safe to use my new card?
“We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.”
Yes… an “isolated incident,” just like the other 285 million records that were compromised last year. Take these pills and carry on.
Sherri Davidoff
PGP-signed text: 2010-01-24
This is exactly the letter I got from BofA today. So – from what I understand, if I used my card at Wal-Mart and their security was breached then so was mine. Which might mean it could be breached again and I would again be vulnerable. At any rate, I feel okay about it since they guarantee I will not be liable for fraudulent charges.
I have another exact copy dated February 2, 2010. I actually found out about the breach before the letter reached me. I happened to log into the BofA site to pay my credit card bill shortly after the 2nd. The site did not notify me of the problem. It showed the wrong account number and demanded that I put in a bank account number before I could pay and then it started sending me to the security page no matter what link I clicked on. There was nothing on the site to tell me what had happened. But, they had instructed the site to block access to my account. They could have let me know through the site. Why didn’t they?
When I called to ask about the site I was told that my account was reported lost or stolen in early January. One bank employee let it slip that over 200,000 people were affected by the same breach. And then told me they did not know where the breach occurred. After being bounced through 3 people I was told that the breach occurred on February 2nd. They refused to tell me where the breach occurred. They seem to have lied about when the breach occurred. They did not cancel my stolen card. They did not call. They did not send me an email. Their staff told me BofA could not do either! And yet they can do both when a payment is late. All they did was send out new cards by snail mail.
The replacement cards they sent were already activated. Anyone who happened to get their hands on the new cards could have used them. I was not informed that the cards were coming so I would not even know that they were missing.
As far as I can tell a criminal act took place and Bank of America is actively colluding to cover up the crime.
I collected my notes on what happened and sent them to everyone I know in hopes of warning them of the danger. The message that Bank of America is not taking any reasonable steps to protect customers must be told. When a bank as large as BofA becomes more interested in covering up a crime than helping the victims, then they need to be put out of business.
I received the same letter from Bank of America today, March 15, 2010. When I called to say “Don’t reissue a new card, I don’t want one,” they would not talk to me without me giving them my credit card number and/or social security number. AND they were rude and transferred me twice without saying why.
How the heck are we even supposed to know the letter is real? And then they want us to call and give the person at the other end of the line all our account info???
And, same as the others, I asked which merchant was compromised and they would not answer me. Why are they protecting them?
I was thinking of getting rid of the credit card, getting a cryptic letter like this just sealed the deal. If they’d rather save their business relations than protect their customers, I don’t want to be associated with them.
I had this happen to me. I should have known enough to use their ShopSafe program when shopping on the internet. This assigns a different number that you can use to make a purchase, and it is a different number each time you use this service. This way nobody knows your real account number and you would not have this problem. I will remember to do this from now on.
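The post above argues that the weak point is a short secret string that has to be handed to everyone you pay, and the comment just above describes a per-purchase number as the way around it. As an added illustration of both points (constructed example code, not Bank of America's or ShopSafe's implementation; the issuer, the "999999" prefix, the merchant names and the limits are all assumptions), the Python model below contrasts a static account number, which any holder can charge anywhere, with a single-use number bound to one merchant and one spending cap. A merchant that stores only the single-use number leaks nothing reusable, and the issuer can tell from its own records which merchant the leaked numbers were issued to.

```python
"""Toy model of why a static card number is a poor shared secret.

Constructed example, not Bank of America's or ShopSafe's implementation. A
hypothetical issuer keeps the real account number and hands each merchant a
different single-use number bound to that merchant and to a spending limit.
"""
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(partial: str) -> str:
    """Digit that makes `partial + digit` pass the Luhn check."""
    total = 0
    # Right to left; the rightmost digit of `partial` ends up second from the
    # right once the check digit is appended, so it is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_luhn_valid(number: str) -> bool:
    """Luhn check over a complete number (check digit included)."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VirtualRecord:
    real_pan: str
    merchant: str
    limit_cents: int
    used: bool = False


@dataclass
class Issuer:
    """Hypothetical issuer: real account numbers never leave this object."""

    accounts: dict = field(default_factory=dict)   # real PAN -> cardholder
    virtual: dict = field(default_factory=dict)    # virtual PAN -> VirtualRecord
    bin_prefix: str = "999999"                     # constructed, not a real BIN

    def _random_pan(self) -> str:
        body = self.bin_prefix + "".join(secrets.choice("0123456789") for _ in range(9))
        return body + luhn_check_digit(body)

    def open_account(self, holder: str) -> str:
        pan = self._random_pan()
        self.accounts[pan] = holder
        return pan

    def issue_virtual(self, real_pan: str, merchant: str, limit_cents: int) -> str:
        """Mint a single-use number tied to one merchant and one spending cap."""
        if real_pan not in self.accounts:
            raise KeyError("unknown account")
        vpan = self._random_pan()
        while vpan in self.virtual or vpan in self.accounts:
            vpan = self._random_pan()
        self.virtual[vpan] = VirtualRecord(real_pan, merchant, limit_cents)
        return vpan

    def authorize(self, number: str, merchant: str, amount_cents: int) -> str:
        """Decide a charge. A real PAN is honoured anywhere: the status quo."""
        if not is_luhn_valid(number):
            return "declined: malformed"
        if number in self.accounts:
            return "approved"
        rec = self.virtual.get(number)
        if rec is None:
            return "declined: unknown number"
        if rec.used:
            return "declined: already used"
        if rec.merchant != merchant:
            return "declined: bound to another merchant"
        if amount_cents > rec.limit_cents:
            return "declined: over limit"
        rec.used = True
        return "approved"

    def merchants_for(self, leaked: list) -> set:
        """Merchants the leaked virtual numbers were issued to: the point of compromise."""
        return {self.virtual[n].merchant for n in leaked if n in self.virtual}


def breach_exposure(use_virtual: bool) -> dict:
    """Cardholder pays merchant A; merchant A's stored numbers leak; the leaked
    number is presented at merchant B. Returns what the issuer saw at each step."""
    issuer = Issuer()
    real = issuer.open_account("cardholder")
    given_to_a = issuer.issue_virtual(real, "merchant-A", 5_000) if use_virtual else real
    first = issuer.authorize(given_to_a, "merchant-A", 4_200)
    leaked = [given_to_a]  # merchant A stored exactly what it was given
    replay = issuer.authorize(leaked[0], "merchant-B", 9_900)
    return {
        "real_pan_in_merchant_store": real in leaked,
        "original_purchase": first,
        "replay_at_other_merchant": replay,
        "point_of_compromise": issuer.merchants_for(leaked),
    }
```

Calling `breach_exposure(False)` shows the status quo: the real number sits in the merchant's store and the replayed charge at a second merchant is approved. `breach_exposure(True)` shows the single-use design: the store holds only a spent, merchant-bound number, the replay is declined, and the issuer can name merchant-A as the point of compromise from its own records rather than waiting for the merchant to announce anything.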
Probably a ploy to issue new cards with new terms & fine print.
Got this exact same letter in the mail today. The website address included in the letter isn’t even valid. Seems as though BofA isn’t offering a dang thing. Got a similar letter from Wells Fargo a couple of years ago and they paid for a year of credit monitoring service (can’t remember which service, but an outside company). At least, I don’t have a bunch of recurring charges that I use with this card – what a hassle. I’m going to check into the above-mentioned “shopsafe program”. I assume that has some fee attached to it.
Got “the letter” today about my cc account: “may have been compromised at an undisclosed third party location”. It was or it wasn’t, and they have to know where by the merchant codes. Baloney! First, they could discover plain English. They sound like “government speak”. Why can’t I know where not to shop? Because they don’t want to hurt their merchant relationship. Screw the customer! And this is my second of these inconveniences, and I have to look up the info and make the calls and the credit bureau gets this crap from the bank and puts it on my report. And if I am busy or on vacation and my automatic payment is bounced, guess whose credit report that is on. And just try fixing a credit report. Close to impossible. Now I see why BofA was on a recent list of the worst places to do business. Richly deserved. Fed up.
I received a letter from B of A today, June 4, 2010, giving me the same information as reported in the above messages. I am very concerned about the 3rd party issue as I had two other cards compromised in April, a Chase Card, and State Farm Bank card. It is pretty obvious that we are doing business with a thief and yet we have no idea who it is. The criminals racked up charges on the first two which took place on the East Coast. I live on the West Coast. Looks like a ring of thieves.
Got this letter May 13. I have multiple accounts with BoA, but they stated only one was compromised and re-issued a new card. They also said that my current card would be valid till May 29th.
Between May 13th and June 1st, I had $850+ of fraudulent charges on multiple accounts with BoA.
Pain in the ass, but eventually I got it taken care of. Will this happen again? I have no doubt about it. Banks need to be a bit more proactive to this stuff.
I will however, keep my business at BoA.
I got my letter yesterday, July 30th! I have 2 BofA accounts, but, only got a letter for one of those. I, like David, comment #6 above, immediately thought, oh….now they will issue new cards, change the terms and interest rates! I could be wrong, but, after reading all of the comments above, I am wondering how a company can recognize accounts may have been compromised since the beginning of the year, yet, I’m just now being notified at the end of July! Something’s not right with that!
Same exact letter today, August 17, 2010. I find it quite ironic that I got this letter about two weeks after attempting to transfer my BoA balance to a lower interest rate card that I opened for a promotional rate four times less than the BoA rate,
I just received the same exact letter with a replacement card (in my case a debit card). Also, I checked out the page they referred me to for more information, http://www.bankofamerica.com/compinfo , but that page doesn’t exist.
At the very least, given the above string from January 2010, Bank of America is not providing security for its accounts.