Theft of Unencrypted Data on Laptop Exposes 230,000 Ameriprise Customers and Advisers to Potential Identity Theft and Other Fraud
(Newsinferno.com) January 29, 2006 -- As we reported only two days ago, over the past year “the vulnerability of personal information has never been more apparent. It has become painfully clear, to millions of ‘victims,’ that once they entrust their Social Security number, banking information, credit card numbers and security codes, and other forms of personal identification and financial data to stores, online merchants, government agencies, employers, and financial institutions, they lose all control over it and have no idea of where it might ultimately wind up.”
In terms of lost and stolen computer records, 2005, which was already a very bad year, has gotten even worse with the report that Ameriprise Financial, the 2005 spin-off from American Express, has “lost” unencrypted personal financial data belonging to some 230,000 customers and financial advisers.
The information was stored on a company laptop that was stolen from an employee’s car near the end of December. The unprotected data included over 70,000 Social Security numbers belonging to current and former financial advisers and the internal account numbers of some 158,000 customers.
Although company rules explicitly prohibited the unencrypted storage of such sensitive data, there is nothing startling about the apparent negligence in the storage and safeguarding of third-party financial information.
As we pointed out in our coverage of the $15 million settlement by ChoicePoint with the Federal Trade Commission, this problem “is not going to be much better unless and until security is ramped up to the point where private individuals and companies can safely entrust electronic data to third-parties for processing, storage, billing, or other transactions.”
“Many experts believe that until there is accountability for the loss of sensitive data through negligence or inadequate security, thieves and other opportunists will continue to feast upon the wealth of electronic data floating unprotected through cyberspace or in unsecured or inadequately protected storage and shipping facilities.”
Some measure of accountability was achieved in the ChoicePoint data loss with the Federal Trade Commission’s (FTC) announcement that the company has agreed to settle data security breach charges by paying $10 million in civil penalties and $5 million for consumer redress.
According to the FTC release: “Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.”
Significantly, the agency’s Chairman, Deborah Platt Majoras, issued the following admonition to those entrusted with sensitive information: “The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves. Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”
The Ameriprise data theft, however, demonstrates the severity of the problem and the gaps in security that can result in massive losses of sensitive information in rather mundane ways.
As 2005 drew to a close, Ford Motor Co. started notifying some 70,000 current and former white-collar workers that their sensitive personal and financial data had been stolen. The information, which included the employees’ names, addresses, and Social Security numbers, was contained on a computer that was stolen in November.
In February 2005, Bank of America reported that a small number of backup tapes containing records of the personal financial information of government employees were lost in a shipment to their backup center.
In April 2005, Time Warner Inc. reported that a container of computer tapes containing information on 600,000 current and former employees was lost during a truck ride to a data storage facility. Foul play has not been ruled out.
On June 6, financial giant Citigroup announced that United Parcel Service had somehow “misplaced” a box of computer tapes containing personal data on approximately 3.9 million Citigroup customers.
While a spokesperson for United Parcel Service claimed the company is “proud of its record in service and reliability,” he declined to discuss what security measures had been taken to protect the sensitive package.
Citigroup released a statement that it intended to start sending data electronically in an encrypted form and that it had “no reason to believe this information has been used inappropriately.”
Although the employee was reportedly fired for violating “a few written company policies,” the message is obvious: even a garden-variety street crime can net the thieves far more than a laptop or briefcase.
In fact, while Ameriprise officials downplayed the potential for the lost data to be used for fraudulent purposes, other recent cases have shown that stolen data is not only used to commit acts of financial fraud (over 800 people victimized in the ChoicePoint case) but is also sold individually and in bulk to identity thieves.