On March 1, I blogged about numerous insider breaches TD Bank has reported in the past few years. I updated that report on March 9 with even more breaches that I uncovered via public records that were subsequently made available.
Today, I received a response to a public records request to the North Carolina Attorney General’s Office. In response to my request for all breach reports submitted by TD Bank between January 1, 2011 and March 8, 2014, they sent me 10 responsive documents. Of those, a number dealt with insider breaches, some of which had not previously been included in my reporting. Some had been mentioned previously, but the North Carolina reports give us the number of customers affected:
In March 2011, TD Bank reported an insider breach discovered in January 2011 that affected 591 customers. The breach was described as “employee defalcation” (misappropriation of funds) and the employee’s job was terminated. In its letter to customers, the bank noted that the employee may have provided customers’ names, addresses, Social Security numbers, dates of birth, and deposit account numbers to unauthorized party or parties not associated with TD Bank.
In August 2011, TD Bank reported an insider breach discovered in June 2011 that affected 1,861 customers. This may be the same incident I previously noted without the number affected and where federal prosecutors charged an ID theft ring including a TD Bank employee.
In December 2011, TD Bank reported an insider breach discovered in November 2011 that affected 2,339 customers. In that case, the employee was not only terminated but law enforcement was contacted.
In August 2012, TD Bank reported an insider breach discovered in April 2012 that affected 1,158 customers. This might be the same incident I previously noted as reported to NYS on July 27, 2012 as affecting 1,144 customers, but it’s not clear from the stock description whether it is or not.
On February 21, 2014, TD Bank reported an insider breach discovered on January 7, 2014 that affected 357 customers. It is possible that this is the same incident reported to New Hampshire in February, but it is not totally clear as the notification letter to customers in New Hampshire specified that the inappropriate access occurred between September and December 2013, whereas the letter to North Carolina customers merely used their stock language without any date range mentioned.
While it may seem unhelpful to go back to 2011 incidents in my chronology, I think it’s important to do so as it shows that there is a long and repeated history and TD Bank should have been taking more effective steps to stem the insider hemorrhages long before now. Will they do so as a result of any investigation by OCC? I have no idea, but I think it’s worth noting when entities have repeated patterns of breaches.
I am still awaiting a response to a FOI request to NYS for 2013 data and will update this post if I uncover additional information.