In a recent breach notification to New Hampshire’s Attorney General, TD Bank’s Head of U.S. Privacy & Social Media Compliance writes, in part:
We recently learned that one of our employees obtained and inappropriately used confidential customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they obtained may have included name, address, and account number of the primary account holders and potentially their secondary signers and/or beneficiaries. This is an isolated incident that is being addressed through an internal investigation by our corporate security team and we have contacted local law enforcement.
“Isolated incident?” Only if “isolated” means “yet another instance.”
DataBreaches.net would point out that TD Bank has reported DOZENS of this type of incident to state attorneys general over the past few years. See past coverage on DataBreaches.net (start here and here, and then search the site for other references to TD Bank data breaches).
Should TD Bank be permitted to claim that each incident is an “isolated incident”? Should they be permitted to tell that to consumers when they have a history of having these breaches?
And why haven’t federal regulators done anything to secure an agreement with TD Bank to improve its security to address whatever failures they have experienced that have permitted so many insider breaches? If the CFPB won’t do something, surely the FTC can, right?