Update 1: March 9, 2014: Added some other incidents that were reported to NYS in 2012 and early 2013. These additions are underlined for your convenience. In the process of reviewing other materials, I have also identified two other banks that have recurring reports of insider wrongdoing. Eventually, I will write up my findings on those banks, too.
We were only two months into 2014 when TD Bank filed its fourth breach report of the year with the New Hampshire Attorney General’s Office. And as I had done with Experian’s breaches, which had also flown under the media’s radar, I noticed a pattern and started looking into TD Bank’s breaches more.
TD Bank’s recent report of February 18th involved an insider breach, and the description is basically identical to breach reports they filed on January 16 and January 24:
We recently learned that one of our employees may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number and account number.
The incidents reported on January 16 and January 24 involved employees who obtained and passed along customer data between July and November 2013. The incident reported on February 18 involved an employee who obtained and passed along customer data between September and December 2013. The incidents in the January 24 and February 18 New Hampshire reports were also reported to Vermont, as Vermont customers were affected. And the wording of all of these reports was identical to that of a report filed with New Hampshire dated December 16, 2013.
In every report, TD Bank indicated that the incident was being handled internally by its corporate security team. Customers were given the option of transferring their accounts to a new account number and were offered two years of free credit monitoring.
DataBreaches.net contacted TD Bank to verify that these were separate breaches and to ask some questions about them. The bank did not respond to specific questions and sent only this general statement:
At TD Bank, protecting our customers’ financial assets and confidential information is important to us and something we take very seriously. These were isolated incidents and the employees are no longer with the bank. We notified impacted customers and worked with those who may have had their personal information compromised.
They have not yet responded to a follow-up inquiry that again requested more details, including what TD Bank was doing to prevent future breaches of this kind.
Despite what TD Bank might wish us all to believe, these most certainly were not “isolated incidents.” As some digging on my part quickly revealed, TD Bank seems to have a long history of insider breaches.
The following is a partial chronology of insider breaches TD Bank has had. The chronology does not include external breaches like hacks or other types of breaches such as lost backup tapes, mailing errors, skimmers, and printing errors, although those types of breaches have occurred, too:
On June 24, 2011, TD Bank notified the Maryland Attorney General’s Office that an employee in a Pennsylvania branch improperly obtained and may have passed along 304 Maryland residents’ information to an unauthorized third party. The information included name, address, social security number, date of birth, deposit account number and driver’s license number.
In August 2011, federal prosecutors charged members of an ID theft ring that included corrupt insiders at TD Bank in South Jersey.
On January 26, 2012, a TD Bank employee from Elizabeth, N.J., was arrested on charges he conspired to commit bank robbery. See this U.S.A.O. press release. He was sentenced in February 2013.
On January 31, 2012, TD Bank notified the Maryland Attorney General’s Office that a vendor’s employee had obtained and passed along customer data to someone not associated with TD Bank. Fifty-three customers in Maryland were notified of the breach; the total number was not disclosed. Customers in Vermont were also notified.
On February 16, 2012, TD Bank notified NYS that an employee had engaged in wrongdoing affecting 209 customers. Information involved their Social Security numbers and driver’s license numbers or non-license identification numbers. The wrongdoing occurred in December 2011, and was discovered in January 2012.
On February 17, 2012, TD Bank notified NYS of another insider breach affecting 321 customers. That breach also occurred in December 2011, involved the same kind of customer information, and was also discovered in January 2012.
On April 2, 2012, TD Bank notified the Maryland Attorney General’s Office that “We recently learned that one of our employees may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number, account number and debit card number.”
In April 2012, TD Bank also notified NYS of an insider breach in February 2012 that affected 116 customers, 35 of whom were NYS residents. Due to the lack of detail in the Maryland report of April 2, it is not clear whether this is the same incident or a different one.
On May 15, 2012, TD Bank notified NYS of another insider wrongdoing breach that occurred in March 2012 and was discovered in May. That incident affected one person who experienced fraudulent activity on their account.
On June 5, 2012, TD Bank notified the Maryland Attorney General’s Office that “an employee may have provided a third party with customer data. The personal information which may have been obtained included name, address, Social Security number and date of birth.” On the same date, they also notified NYS of what is likely the same incident, reporting that it occurred in April and was discovered in April. The 460 customers affected were notified in June.
On June 25, 2012, TD Bank notified the Maryland Attorney General’s Office that “We recently learned that an employee may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, social security number, account number, date of birth and deposit account number.”
On July 6, 2012, TD Bank notified NYS of an insider breach that affected 24 customers. The breach occurred in May, was discovered in June, and customers were notified in June.
On July 12, 2012, TD Bank notified the Maryland Attorney General’s Office that “one of our employees provided customer information to an unauthorized third party or parties not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number, account number and debit card number.”
On July 27, 2012, TD Bank notified NYS that an insider breach in March affected 1,144 customers. The breach was discovered in April and customers were notified in July.
In August 2012, Patricia Lightsey, a teller at TD Bank between July 2011 and October 2011, was indicted on charges of selling customers’ birth dates, driver’s license numbers, social security numbers and bank account numbers.
In November 2012, TD Bank notified NYS that 5 customers were affected by an insider breach that occurred in August and was detected in September. The customers suffered fraudulent charges on their accounts.
In December 2012, TD Bank notified NYS that 123 customers were affected by an insider breach that occurred in July and was discovered in July. Consumers were notified in November that the insider wrongdoing may have been responsible for the fraudulent activity on their accounts.
In February 2013, TD Bank notified NYS that 6,933 customers were affected by insider wrongdoing by a vendor’s employees in January.
On April 23, 2013, TD Bank notified customers in Vermont that an employee may have provided their name, address, social security number, deposit account number and debit card number to an unauthorized third party.
On June 13, 2013, TD Bank notified the Maryland Attorney General’s Office that “We recently learned that one of our employees may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number, account number and debit card number.”
On December 10, 2013, TD Bank notified the Maryland Attorney General’s Office that “We recently learned that one of our employees may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number and account number.” It is not clear to me whether this breach report or the one filed with New Hampshire dated December 16 is related to an incident reported in the media in December in which 8 people were indicted as part of an ID theft ring. One of the 8 was a former TD Bank employee who allegedly stole the identities of TD Bank customers while working for the bank in New York from January 2012 to May 2013.
Which brings us back to the top of this post and the four more insider breaches reported to New Hampshire between December 16, 2013 and February 18, 2014.
“Isolated incidents?” Not by a long shot.
Keep in mind that the preceding are just the insider breaches we know about from several media reports and the few states that post their breach notices online, and the chronology begins in 2011, even though I am aware of other insider breaches at TD Bank prior to 2011 (cf. this case). There may be many more insider breaches. And then there are the other kinds of breaches, such as their October 2012 report about the loss in March 2012 of two backup tapes that contained SSN and account information on 267,868 customers.
Taken together, I think it’s reasonable to ask why any customer should trust TD Bank with their information or accounts.
As importantly: how many times can a bank discover it has hired a rogue employee without some regulatory agency investigating their background check procedures and their auditing of employees’ activity? The Federal Trade Commission filed a complaint against Wyndham for inadequate security that resulted in several hacks affecting customer data. Will the Office of the Comptroller of the Currency (OCC) investigate a bank that has repeated breaches that harm consumers or that put consumers at significant risk of financial harm? Will the CFPB? The FTC? Who is responsible for data security enforcement in the financial sector?
In September 2013, TD Bank signed a consent order to pay a civil monetary penalty of $37,500,000.00 for failures to submit suspicious activity reports (SARs). The consent order did not contain any admission of guilt, but according to the order, their failure resulted in significant losses to the bank. Well, what about all these data security breaches? Aren’t they worthy of federal investigation?
In the meantime, if you agree that this situation requires enforcement action of some kind and that a bank should not have repeated insider breaches without suffering some serious consequences for it, sound off in the Comments section below or let me know.
Dissent,
Once again, you nailed it. I have read a number of TD Bank breach notices but didn’t realize the problem was so widespread. This definitely deserves further federal investigation.
Thanks, Jeanne. I didn’t do a thorough/complete search of media reports, so there may be more if you’re inclined to go digging to do your own reporting on this, too. I haven’t called any federal agencies yet about it.