Officials at VSECU, the state’s largest credit union, have notified consumers that two unencrypted backup data tapes loaded with customer identification information were mistakenly thrown away and ultimately disposed of in a landfill last month.
The data files contained names, Social Security numbers, addresses, driver’s license numbers, financial account information and transaction records for as many as 85,000 credit union customers. The records were from 2002 to 2012. The data has not been compromised, officials say, because the information was not stolen.
Steve Post, the CEO of VSECU, sent notification letters on Wednesday to customers.
The tapes were discovered missing from an off-site storage facility in early September after a routine inventory check. Post said the credit union conducted an internal audit investigation and determined that the data tapes had been inadvertently thrown away and ended up in a landfill. The tapes now covered in garbage, he said, are “irretrievable.”
“The investigation was extensive, there was no indication of a crime, and no indication this information was used and every indication it was thrown out in the trash and is in the landfill,” Post said.
Post says the data has not been stolen and hence there has not been a security breach. “We don’t think of it that way,” he said. “Human error caused this outcome.”
No one yet has complained of data loss, Post said. VSECU is offering a credit monitoring service to all customers for a year.
The credit union contacted the Department of Financial Regulation five days after the problem was discovered. Officials also called the Federal Bureau of Investigation and federal regulators.
VSECU is taking steps to improve its security procedures. Post said the credit union will ensure in future that all tapes in future are encrypted.
The credit union has created a temporary call center in anticipation of a large number of queries.
“We are taking a look at every point of operation to ensure this or something like this never happens again,” Post said. “The message for our members is, we want to hear from you. We will take all steps necessary to make sure this never happens again.”
Steve Kimbell, the commissioner of the Department of Financial Regulation, said the credit union was taking appropriate steps to address the security lapse. This is the first time there has been a data lapse financial institution in the two years he’s served as commissioner.
Data breaches at financial institutions fall under the jurisdiction of the Federal Deposit Insurance Corp.
TD Banknorth recently misplaced backup data tapes with personal information from customers in March. The bank notified customers in Maine and New Hampshire earlier this month.