The digital world is a wonder. It allows us instant communication, research and entertainment virtually anywhere in the world. It helps speed financial transactions, track records and process huge amounts of data, enabling faster and more accessible medical treatments and education. All of that is just the tip of the iceberg.
Of course, this ease of access can be problematic as well as convenient. All that information flowing, or stored, in places anyone with the motivation, knowledge and ill-intent can reach … well, the past decade has been rife with tales of hijacked privacy. The term “data breach” has become all too familiar.
Sometimes, it’s stolen passwords; sometimes private information; and too often, direct financial secrets are lost or exposed.
Such was the case for about 5,525 individuals and organizations that sent checks to the city’s post office box for payment of a variety of bills, fines, fees or taxes. Images of those checks may have been accessed by someone hacking into records at Technology Management Resources back in June. Key information, such as account and routing numbers, along with the account-holder’s name, would make it possible to link those accounts to digital payment services or misuse them in other ways.
It’s hard to fault the city for the breach. Rather, it serves as a cautionary tale about all that digital convenience. Technology Management Resources, which you’ve probably never encountered, actually does data processing for Mascoma Bank. Mascoma is one of several banks the city uses to process payments and handle its accounts.
The threat, then, came not from the city’s records, nor even Mascoma’s, but from a third party hired to handle routine work, one that had stored scanned images of the checks in its database. That’s already a long way for private financial information to travel, though by no means unusual. And therein lies the issue. The breach exposed the banking account information of more than 5,000 people and businesses that didn’t even make electronic payments; they mailed them to the city’s post office box. Still, through routine business practices, their financial data wound up in a database, exposed to someone hacking into a company those people likely never heard of.
Welcome to 2020.
For their part, the bank and the city have offered those affected two years of credit monitoring services, free of charge. They also advise that while there’s thus far been no evidence the exposed information has been misused, victims should contact the bank or financial institution on which the check was drawn to alert it to this breach, and review the activity in that bank or financial account now and at least monthly thereafter.
One key element, echoing previous incidents of stolen or exposed data by organizations both public and private, relates to the timeline of events. The city has, since making the incident known, been pretty transparent. Among the facts divulged is that the city was not notified by Mascoma until months after the hack occurred. The bank would not comment on the incident, but it’s possible the hack was not discovered until weeks after it occurred, or that law enforcement requested time to investigate. Presumably, the city was notified promptly once that was possible.
That was in August. The city notified those who might be affected by the hack in a letter, from City Attorney Tom Mullins, on Nov. 11. Again, that’s quite a wait. Mullins explained the lag was to get the facts of the breach straight and extract information from the TMR database, adding that roadblocks arose while working with legal counsel and insurance providers for the other entities involved in the breach.
Hopefully the time spent conferring with legal counsel produced some clarity over who was responsible for any financial damage done during the months that end-users were in the dark. It’s understandable some time might be required to ascertain who was affected, what was exposed and how best to proceed. But four months between the time the breach occurred and when those paying the city found out their bank info was compromised seems a bit much.
Again, though, it’s pretty standard for organizations that discover data belonging to their customers, clients or others has been breached to take far too long to let those affected know. That the instinctual response is to investigate, confer, examine the legal aspects and take time to craft a carefully worded and legally vetted announcement — in short, to cover “all the bases,” a cheeky euphemism meaning to do everything BUT notify those most at risk — is unfortunate.
That is not the biggest takeaway here, however. What is most apparent in this case, as in the Hannaford, Target, Home Depot, TJ Maxx, Equifax, Facebook, Yahoo and Adobe breaches, to name a few, is that if you entrust your data — financial or personal — to anyone who will store it (for your convenience, of course), you shouldn’t be surprised if it is some day hacked or accidentally exposed. That’s simply where we are as a society.
And for entities that pass the data entrusted to them on to third parties, as the city and then the bank did in this case, the lesson is equally simple: You’re only as secure as your partners are.