Business & Economy

VSECU data for 85,000 customers ends up in landfill

Officials at VSECU, the state’s largest credit union, have notified consumers that two unencrypted backup data tapes loaded with customer identification information were mistakenly thrown away and ultimately disposed of in a landfill last month.

The data files contained names, Social Security numbers, addresses, driver’s license numbers, financial account information and transaction records for as many as 85,000 credit union customers. The records were from 2002 to 2012. The data has not been compromised, officials say, because the information was not stolen.

Steve Post, the CEO of VSECU, sent notification letters on Wednesday to customers.

The tapes were discovered missing from an off-site storage facility in early September after a routine inventory check. Post said the credit union conducted an internal audit investigation and determined that the data tapes had been inadvertently thrown away and ended up in a landfill. The tapes now covered in garbage, he said, are “irretrievable.”

“The investigation was extensive, there was no indication of a crime, and no indication this information was used and every indication it was thrown out in the trash and is in the landfill,” Post said.

Post says the data has not been stolen and hence there has not been a security breach. “We don’t think of it that way,” he said. “Human error caused this outcome.”

No one yet has complained of data loss, Post said. VSECU is offering a credit monitoring service to all customers for a year.

The credit union contacted the Department of Financial Regulation five days after the problem was discovered. Officials also called the Federal Bureau of Investigation and federal regulators.

VSECU is taking steps to improve its security procedures. Post said the credit union will ensure in future that all tapes in future are encrypted.

The credit union has created a temporary call center in anticipation of a large number of queries.

“We are taking a look at every point of operation to ensure this or something like this never happens again,” Post said. “The message for our members is, we want to hear from you. We will take all steps necessary to make sure this never happens again.”

Steve Kimbell, the commissioner of the Department of Financial Regulation, said the credit union was taking appropriate steps to address the security lapse. This is the first time there has been a data lapse financial institution in the two years he’s served as commissioner.

Data breaches at financial institutions fall under the jurisdiction of the Federal Deposit Insurance Corp.

TD Banknorth recently misplaced backup data tapes with personal information from customers in March. The bank notified customers in Maine and New Hampshire earlier this month.

If you read us, please support us.

Comment Policy requires that all commenters identify themselves by their authentic first and last names. Initials, pseudonyms or screen names are not permissible.

No personal harrassment, abuse, or hate speech is permitted. Comments should be 1000 characters or fewer.

We moderate every comment. Please go to our FAQ for the full policy.

Anne Galloway

Recent Stories

  • joanie maclay

    Security not breached, not stolen…just thrown in amongst the garbage in the landfill. Smells!!?? Is there another big dig on the horizon? Shame on you “my VSECU”…

  • Arthur Hamlin

    If they knew almost two months ago why did I (a VSECU customer) have to hear about this in the paper yesteerday? If SSN and driver’s license #s were stolen shouldn’t they be offering identity theft monitoring and protection? Why were the tapes unencrypted?

    “No one yet has complained of data loss” but over $500 was stolen from my account there a couple weeks ago. I’m hoping that is unrelated and someone just hacked a debit card number somewhere, but what did it mean when the member rep said there’s been a ‘spike’ in this lately?

    Are they really sure the tapes are in a landfill? Has no one there ever lost a set of keys and were sure they knew where they were only to find them someplace completely different?

  • Tracey Harrington

    I work with data for a living. Just because the tapes are covered by some dirt does NOT mean the data contained on those tapes is “irretrievable.” No one can make that statement until they physically inspect those tapes – those unencrypted tapes.

    If they know where the tapes are, they have a responsibility to their 85,000 customers to go get them – whether they were “stolen” or not. Do they know for a fact that these tapes are covered by tons of garbage or just mixed with a few pounds of dirt? Regardless, they are in an unsecured location and are unencrypted. VSECU should pay (NOT the members, mind you) to have the landfill searched and the tapes recovered. Unless, of course, they want this data to have the potential of being stolen in the future…