More media coverage of a breach I commented on yesterday. Today Lindsay Tice of BDN Maine adds some additional details to earlier reports about a breach that occurred March 30 but wasn’t disclosed recently:
The security breach occurred in March when two backup tapes from a computer server were shipped from one TD Bank location to another. Acevedo said the tapes were misplaced in Massachusetts. She declined to say whether the tapes were the responsibility of a TD Bank employee or an outside contractor at the time.
She said the bank held off notifying customers as it conducted an internal investigation. That investigation is ongoing and the bank has contacted Massachusetts law enforcement, as well. TD Bank began telling customers about the security breach a couple of weeks ago.
I expect to see some state attorneys general open investigations into what is likely an unacceptable delay in consumer notification. Connecticut has fined entities in the past, and if any CT residents are affected, I wouldn’t be surprised to see them start sending letters of inquiry to the bank. Similarly, Massachusetts is also a stickler for prompt notification and might initiate some action.
That, of course, is apart from irate consumers who will understandably not be placated by a “we’ve been investigating” explanation for the six-month delay. They may not be able to prove harm, however, so unless statutory penalties are available, I doubt any consumer lawsuit will go anywhere.
Update: And so it begins…. Maine’s AG is contacting TD Bank to inquire why they haven’t been notified of the breach.
Update 2: The breach affected 34,907 in Maine.
Update 3: And over 73,000 in Massachusetts.