VSECU loses tapes with customers’ vital data
By PETER HIRSCHFELD
Vermont Press Bureau | October 25, 2012
MONTPELIER — Two data tapes containing the Social Security numbers and personal financial information of all 80,000 customers of the Vermont State Employees Credit Union went missing last month. But officials there say they’re convinced the data is hidden safely in a landfill.
Unencrypted cassettes containing the sensitive financial information were found to be missing during a routine inventory check Sept. 10, according to Steve Post, CEO and president of the credit union.
A weeks-long investigation by internal auditors, according to Post, has concluded that the tapes were mistakenly thrown away.
“We believe after a really thorough investigation that they’re at the bottom of a landfill,” Post said Wednesday morning. “They’re not retrievable.”
The credit union today will send letters to all 80,000 customers notifying them of the breach. While Post said he’s convinced the incident poses no threat to customers’ financial or personal security, the credit union will offer free credit monitoring for a year.
Post said the credit union had accepted the resignation of a top executive in connection with the breach.
“It was human error,” Post said. “And the appropriate people have been held accountable, and I’m not getting into personnel discussions.”
He said auditors pinpointed the cause of the disappearance after interviewing various credit union employees.
“There was no sign of a crime committed, no evidence of something being stolen,” Post said. “We have absolutely zero evidence of this information being used since it ended up in the landfill, in our judgment. So we have no indication anything other than what we believe happened, happened.”
The cassette tapes, he said, are customarily kept at a secure facility.
“It’s in an off-site storage area that we control and maintain with surveillance and alarms and systems to protect all the information there,” Post said. “What happened here is they did not get stored timely or properly.”
While Post said he has total confidence that the data will not be retrieved, the state’s deputy commissioner of financial regulation, Tom Candon, was less absolute Wednesday.
“They’ve done their investigation of it, and that’s their estimate of what has happened,” Candon said. “But I think in situations like this, if there isn’t an absolute solution to it, then they have to proceed to make sure customers are aware of the situation.”
Candon, whose office was first notified of the breach one week after the tapes went missing, said VSECU has complied with all relevant state and federal regulations. He said no sanctions have been levied against the institution, which has $600 million in assets.
“We met with them immediately ... to try to determine what they thought had happened to the two tapes and also to make sure they had been following what regulation requires when such a thing happens,” Candon said.
Post said the Federal Bureau of Investigation was also called in early on.
A form letter being sent to all 80,000 credit union customers apologizes for the breach and directs them to a toll-free number at which they can ask questions and request the credit monitoring and identity theft protection services.
VSECU has contracted with a call center to handle the high call volume and has set up a center staffed by credit union employees for customers who want to speak with someone from VSECU.
Post said lessons learned from the incident will help the credit union emerge “stronger, smarter, safer and better as a banking institution.”
“I just know that,” Post said. “Being in this business in a digital age is complicated, and we will bolster all of our defenses and all of our efforts to make sure we fulfill our commitment to the members.”
Post said the vast majority of the credit union’s expenses as a result of the breach will be covered by insurance and that the costs will not affect safety and soundness.
He said it would have been irresponsible to notify customers of the breach sooner.
“Our obligation first is to really investigate what happened and determine what happened, and that took some time, and we didn’t want to rush that,” Post said. “We can’t notify people without being able to tell them what happened.”