Dumpster Diver Finds Customer Financial Information In Bank Trash

James Hastings is a dumpster diver who has found a mother lode of consumer financial information that employees carelessly tossed in dumpsters outside of several People’s United Bank branches. He says he was trying to expose the bank for not safeguarding customer’s records. The bank says he was trying to extort them into giving him a job.

For four months, James Hastings searched through trash bins outside People’s United Bank branches in Fairfield County. He pulled out bags of paperwork with private information, including customers’ Social Security numbers and account information.

The bank last month won a restraining order against Hastings, 56, requiring him to not discuss the matter or distribute paperwork. He has since been interviewed by the Connecticut Post.

People’s Bank said Hastings is trying to extort money and claims he asked to be hired as a “fraud consultant.” Bank officials also are demanding that the information be returned.

Brent DiGiorgio, a spokesman for People’s Bank, said its primary concern is protecting the customers’ information that Hastings has taken. The bank promises to provide a year of free credit monitoring to customers whose information was taken and has contacted affected customers, he said.

That’s all well and good, but what the hell was all that information doing in a dumpster in the first place?

Taking bank trash, Fairfield man claims security lapse
[Newsday] (Thanks, Chris!)

Comments

Edit Your Comment

  1. detraya says:

    o_o

    almost makes me afraid to use a bank

  2. Toof_75_75 says:

    That’s hilarious…take a page out of Fight Club…Blackmail your way into a sweet job of doing nothing.

  3. Arkley says:

    Thst’s so strange. Something just like that happened here in Vancouver as well.

  4. MeOhMy says:

    I don’t think Hastings’s motive is at all relevant. What’s relevant is – was this information REALLY just in the trash?

  5. FrankTheTranq says:

    I only hope they take this seriously.

  6. friendlynerd says:

    Once something hits the trash isn’t it public property for the taking?

  7. mike says:

    Yeah, he may have been trying to Blackmail the bank. But you still have to answer to why so many records were in the trash.

    If my legal sources are right, once it’s trash, it’s considered public for anyone to grab.

  8. mike says:

    Link is dead. Try this one

  9. Phildawg says:

    I’m sure it was in the trash, and without Hastings stepping in, nobody would have ‘probably’ never seen it outside of it’s decomposed state.

    Hastings is a crook and should be jailed. The bank should update its procedures to this new world and not let this happen in the future.

    Anybody foolish enough to get up in arms about this situation though should seriously question whether their personal information is safe at all. Just because companies have procedures in place, you can bet a small amount of the time, your information is not processed to those standards. Humans are involved after all…

  10. mike says:

    New link

    Above link is broken.

  11. boss_lady says:

    @sohmc: I’m not 100% on the legal stuff, either, but the fact that it’s “for anyone to grab.” Legal or not, the fact remains that Hastings was able to access it, and therefore, just about anyone else could to. Oy vey.

  12. fostina1 says:

    it sounds like he wasnt being unreasonable, they really do need a fraud consultant.

  13. jimv2000 says:

    I almost feel like I should just give up now and post my own SSN and other info online just to get it over with. The anticipation as I wait for my bank, school, government, etc to lose it is killing me.

  14. CRNewsom says:

    He should have auctioned the papers off. Inform the bank of the auction, and state in the advertisement for the auction where the papers came from. For extra fun, have a friend artificially inflate the price of the auction to something in the seven figure range. The bank would pay a hefty price to get those papers back.

  15. tator says:

    I lived adjacent to a Wachovia for about a year. Their dumpster had a locking lid. I only found it unlocked twice. The dumpster was at the far side of the parking lot and was NOT covered by a camera.

  16. Whtthfgg says:

    I just don’t understand it, I work at a bank, and we are audited constantly. Things like what we do with confidential trash is looked over with a fine tooth comb. It is ground into our heads, that anything remotely confidential goes into a locked bin to be shredded onsite. I would assume ALL banks go through similar scrutiny. Only thing I can think of is that it was someone new or someone that doesn’t care, because this is surely not company policy.

  17. katylostherart says:

    i have relatives that use that bank. i’ve just forwarded this to them.

  18. Nighthawke says:

    The bank better shut its trap and start doing stringent internal audits, STAT! This kind of security breach is inexcusable and they are trying to scapegoat the diver for it. If the state or the Fed gets involved, they might as well hang it up and start working on their resumes.

  19. MakGeek says:

    People’s United is the generic supermarket bank here in CT, I used them in college and promptly switched to a national “real” bank when I got a job. Mostly high school looking and college age kids working behind counter at these places. You get what you pay for in life.

  20. MBirchmeier says:

    “Hastings is a crook and should be jailed. The bank should update its procedures to this new world and not let this happen in the future.

    Anybody foolish enough to get up in arms about this situation though should seriously question whether their personal information is safe at all. Just because companies have procedures in place, you can bet a small amount of the time, your information is not processed to those standards. Humans are involved after all… “

    Imagine what could have happened if Hastings *was* a crook. The fact that he’s been telling them for months this was an issue and that they haven’t listened, speaks volumes.

    If he knew what was going on exactly how long do you think it would have been until someone with less than honorable intentions would have figured it out.

  21. B says:

    The contents of this dumpster are protected by attorney/dumpster privilege.
    /Lionel Hutz.

  22. Jaysyn was banned for: http://consumerist.com/5032912/the-subprime-meltdown-will-be-nothing-compared-to-the-prime-meltdown#c7042646 says:

    @friendlynerd:

    No.

  23. Trai_Dep says:

    Since when does 1 year of credit checking compensate for the untold years of monitoring, faxing, arguing, and undoing the damage of these leaks? When did this become an acceptable form of compensation?

  24. jtheletter says:

    @Phildawg: “Anybody foolish enough to get up in arms about this situation though should seriously question whether their personal information is safe at all.”
    Ah yes, the good old “we can never fix everything so stop caring about anything” argument.

    Explain to us how it’s foolish to point out and attempt to fix flaws as we find them? This is not some small-time store that was tossing out one or two credit receipts, this is a BANK. You know, where many people keep ALL of their money. If even one crook got their hands on that information they could have emptied multiple people’s entire accounts. So it’s foolish for us to be upset? The bank was no doubt in violation of records security procedures and laws. But it’s foolish apparently to point that out. Just some good old fashioned law breaking by the bank that puts an untold number of people’s entire savings at risk. But it’ll never be perfect so we’re fools to try and fix it.

  25. elephantattack says:

    @CRNewsom: He should have auctioned the papers off. Inform the bank of the auction, and state in the advertisement for the auction where the papers came from. For extra fun, have a friend artificially inflate the price of the auction to something in the seven figure range. The bank would pay a hefty price to get those papers back.

    That would certainly get their attention! This bank seriously has issues with priorities. Their problems sound like they could have been solved by simply checking that all the staff was shredding the garbage.

  26. ConsumerAdvocacy1010 says:

    “Bank officials also are demanding that the information be returned.” Screw them, they let it go in the first place.

    Thought dumpster diving was legal in most states…and trash is technically not your property…

    I agree with CRNewsom: he should have auctioned off the paper (printing paper…right), though having a friend bid it up would be illegal.

    @Phildawg: You don’t know for sure who would access the trash and cannot say for sure that no one would have seen it. Another person with no/low morals could have got the information and caused some trouble. Put blame where the blame is due…on the bank. Don’t blame Hastings.

  27. People’s bank in Fairfield county?! this is a little close to home…good thing I switched to Wachovia a while back

  28. Boltonism says:

    This is really funny. Many years ago, I worked for an independent bank in Texas. We had to keep all envelopes (now empty) dropped in the night deposit or ATM machines (for proof if there was a dispute). We kept them in a large box. One night, I left that box next to a trash can and the cleaning crew threw them all in the dumpster. Envelopes had names, account numbers, phone numbers on them. My bank management made me climb into that damn dumpster (it was filty) and retrieve every single envelope out of concerns for their customer safety. In hindsight, it was nice working for some of the better guys.

  29. heavylee-again says:

    I would love to see a federal law that states that any organization that has an information breach (whether it be dumpster-dived or a hacked server) be financially responsible for damages suffered – both compensatory and punitively- by the individuals who have been negatively impacted by the organization’s carelessness.

    But it’ll never happen.

  30. Juggernaut says:

    @Phildawg: hastings was doing it for four months!! It’s not an isolated incident… but an ongoing breach of the customers basic information. He might be a dirtbag but he’s defined a lapse. People’s bank should get the information back and then their customers should find a batter secured bank.

  31. Dennis says:

    “Brent DiGiorgio, a spokesman for People’s Bank, said its primary concern is protecting the customers’ information that Hastings has taken.”

    He probably should have thought of that BEFORE dumping the customer’s private information in the trash.

  32. @Jaysyn: Actually that can depnd on local laws, but general rule is once it is in the trash, and placed on public property (or easement) then it is public property.

  33. CaptRavis says:

    The best way for the bank to ensure this doesn’t happen again is to have the loan officers stand out in the dumpster one hour each week the rest of the month and look for things that aren’t suppose to be in the dumpster. You’d be surprised how the rate of incident plummets.

  34. Dennis says:

    @Jaysyn:

    According to the following it is legal: [www.lumiere.net]

    “A better legal principle upon which to ground your claim that dumpster diving is legal is the principle that one no longer has any claim to property after he abandons it. These stores abandon the property by putting it in the dumpster, so anyone else wanting to take it can take it free and clear of their claim.”

  35. Juggernaut says:

    Batter? WTF, does that mean?

  36. jimv2000 says:

    It’s completely unacceptable. I worked for the technical support department of an antivirus vendor, and even we had a special locked bin for disposing of confidential information apart from our regular trash and recycle bins. We didn’t even deal with things like SSN’s or financial info. It was just for things like support account numbers, internal email addresses for corporate customers, etc. If we could do it, I fail to see how a bank could not.

  37. Hoss says:

    Read the article — sounds like a complete nut case going through trash for four months until they got a restraining order. If he had anything at all — which there is yet to be any evidence that he does — why did he need to make regular dives into their dumpster? Convicted drug addict and fraudster impressonating doctors, sure I believe anything he says!!

  38. SacraBos says:

    @jimv2000: Yeah, you’re right. I might as well get it over with, too. My name is Todd Davis, and my SSN is 457-55-5462.

    I don’t get the restraining order. Okay, maybe keeping him from distributing the papers, but I don’t see how they can legally prevent him from discussing the matter. The idiots running the bank need to watch the movie “Hackers”, since one of the classic “hacks” portrayed in the movie is dumpster diving. Though most divers aren’t armed with flare guns… Or look like Angelina…

  39. ConsumerAdvocacy1010 says:

    @heavylee-again: It will never happen….because our government let’s sensitive information get stolen all the time.

    How many laptops were stolen from the federal government last year alone? And you think that all government offices that have our information shred everything? Nope.

  40. @friendlynerd: There was an interesting case some time ago when the police did the same trying to catch a criminal. They had no search warrant, and the prosecutors argued in court that stuff thrown in the trash is discarded and no longer the possession of whoever used/consumed it. Essentially the prosecutor (and police) argued that anything in the trash is public information.

    In that case, a local newspaper then went on and dumpster dove into the police chief’s trash and then went to ask him about it in his office the following day. They were almost arrested.

    Funny how the situation changes when you do it “the man”.

    I think it’s pretty ingenious for the bank to claim it’s their stuff. They threw it away. However, if the dumpster diver used it to blackmail the bank, he’s guilty of extortion.

  41. ConsumerAdvocacy1010 says:

    @ConsumerAdvocacy1010: hmm, don’t need the apostrophe in let’s…..Consumerist needs an edit post option.

  42. ChuckECheese says:

    @fostina1: At the very least, this bank needs a shredder.

  43. NoWin says:

    @CaptRavis: +1

  44. CRNewsom says:

    @Juggernaut: mmmmm… Batter secured bank…

  45. flidget says:

    Once trash has been put out for collection, it’s fair game. That’s why the police don’t need a warrant to search your trash [provided, again, that it’s been put out for collection and not in your garage or backyard or whatever], because it’s been held out to the public and anyone is allowed to go through it.

  46. scoosdad says:

    @Hossofcourse: And for those who didn’t bother to go to the updated link:

    Hastings, who has served a two-year probation for trying to get drugs from a pharmacy by impersonating a doctor, denied Gniazdowski’s accusation. He said he told bank officials that People’s needs a consultant.

    “You don’t need to hire me,” he said he told bank officials.

    To me, this doesn’t exactly sound fit the profile of a public spirited dumpster-diving whistleblower.

  47. friendlynerd says:

    I’m sure the bank appreciates everyone focusing on HOW this guy got the information. Who cares? Whatever his motives were, he has exposed bad practices that could impact the bank’s customers.

    Let’s focus on the negligent bank that tossed sensitive information into an unlocked dumpster, not the guy that blew the whistle.

  48. ViperBorg says:

    @friendlynerd: Yes.

  49. scoosdad says:

    @friendlynerd: Well the bottom line is, if the world was a perfect place and we didn’t have people bent on destroying other people’s lives, banks could throw anything they want into the trash without worry, and we wouldn’t need to have shredders at home. Without people who do this kind of thing, the rest of this would have been a non-issue.

    Banks have been putting personal info into the trash since day one, and it’s only recently that the gene pool has produced idiots who take advantage of that.

    I agree though, this bank is pretty stupid for doing this in this day and age, and I hope they’re hung out to dry bigtime.

  50. marsneedsrabbits says:

    Brent DiGiorgio, a spokesman for People’s Bank, said its primary concern is protecting the customers’ information that Hastings has taken found in the garbage where the bank carelessly discarded it for anyone to find and abuse.

    There.
    Fixed it for ya.

    friendlynerd is right. The bank would much prefer if everyone focused on anything else except the fact that they are tossing sensitive customer information in the trash instead of shredding it.

    And how, exactly, has the bank “contacted affected customers” when the guy still has the papers (the bank is demanding that they be returned) and the bank apparently did this more than once.

    How does the bank know which customers were affected? My guess is that they don’t.

  51. nightmage61 says:

    Do you have questions for People’s United Bank about their security process?

    People’s United Bank 1-800-894-0300*

    People’s United Bank Directory
    203-338-7171 Monday-Friday 8:30AM – 5:00PM Eastern

    People’s United Bank,
    850 Main Street. 11th Floor
    Bridgeport, CT 06604

    custserv@peoples.com

  52. snoop-blog says:

    i always thought that trash was NEVER public property. you own the can right? so how do you not own what’s in it? if that was the case, then if the police found drugs in the can i could argue, it’s not my can, it’s public property and could be anyones.

    i was underthe impression also that if you put your trash in a dumpster, it then belongs to the trash company, and not free for the taking. i know in indiana, i’ve called the police on dumpster divers more than once, and everytime they’ve came out and made them leave. i’m assuming if it was legal, the police would just tell me to get over it. that’s in indiana anyway.

  53. booticon says:

    I think in terms of getting into shit for dumpstering, you can only get arrested for trespassing, not for, say, stealing.

  54. cde says:

    @snoop-blog: Made them leave, not fine or arrest them? There’s your proof its legal. Cops can get people to do stuff even when its not illegal.

  55. ShadowFalls says:

    I find the word usage of the bank quite funny. They use the word “taken” like he somehow compromised bank security by either infiltrating the premises and taking paper records, or by hacking into their computers and “taking” the information.

    At this point, I think the bank is likely trying to make up the extortion story as to threaten him and try to get him silenced.

    For sure, if I caught wind of such a story about my bank, I would be closing the account immediately.

    The biggest joke is this part:

    “Brent DiGiorgio, a spokesman for People’s Bank, said its primary concern is protecting the customers’ information that Hastings has taken. The bank promises to provide a year of free credit monitoring to customers whose information was taken and has contacted affected customers, he said.”

    If that was such a primary concern, why was it in the trash to begin with? Plus, he mentions he would provide 1 year free credit monitoring to customers who were affected, what if you applied for a loan there and were denied for whatever reason? That wouldn’t make you a customer, so they wouldn’t even provide the monitoring for all those people.

    Why can’t such a place as a bank have a shredder? When average consumers have shredders, you would think a bank would have at least one, mostly figuring the information they deal with on a day to day basis.

    The fact this was more than one branch goes to show that they don’t give a damn about your personal information and are likely to repeat this behavior.

  56. MeOhMy says:

    @snoop-blog: The legality of dumpster-diving/trash-picking is all over the place. For one thing laws vary from one jurisdiction to the next. In some jurisdictions it comes down to the old “Reasonable Expectation of Privacy” and whether or not the trash container can be accessed from public grounds. In other words, you may own the trash can and the land it’s sitting on, but if one can stand in the street and dig through the contents, you may not have a reasonable expectation of privacy.

    Of course if you have to trespass to get to the trash can, that’s another factor.

    Basically there is no hard-and-fast universal rule.

    And of course if there really was personal info in the dumpster, it really doesn’t matter if it was legal to take it or not – someone intent on draining bank accounts and committing identity theft is probably not too worried about whether they have to do a little tresspassing along the way. “I obtained this information illegally so I won’t use it to open credit cards in the victims’ names.” I don’t see that happening :-)

  57. snoop-blog says:

    @cde: no around here the cops don’t feel taking a homeless person to jail is worth the time. i agree. just make him leave, tell him not to come back, and i’m happy.

  58. WraithSama says:

    “Bank officials also are demanding that the information be returned.”

    Why, so they can pitch it again? I find it extremely dubious that they won a restraining order against him prohibiting him from talking about the incident or distributing paperwork. Since when is it the judicial system’s job to help companies with their PR damage control?

  59. friendlynerd says:

    @snoop-blog:
    Way to keep the public safe from those dangerous recyclers.

  60. forgottenpassword says:

    MY employer leaves boxes & boxes of former employee files in unlocked storage rooms. Accessible by any & all employees. SS#s, Addresses, phone #s …. etc. etc.. all for anyone who wants to take them. Sad thing is…. I feel like if I bring up the issue… that I will get punished for it.

  61. snoop-blog says:

    @friendlynerd: well i personally don’t prefer to have my privacy invaded, so yeah i don’t care what there doing in there, they need to stop.

    i bet you wouldn’t be too happy with me going through your trash. and even if you don’t care, doesn’t mean nobody else should either. besides attacking commenters on here is just weak. if you have something beneficial, cool, but otherwise just makes you look like a troll.

  62. dotcomrade says:

    This problem is not limited to People’s United Bank…here’s a report from May 2007 regarding JP Morgan Chase bank’s careless handling of customer data:

    [consumerist.com]

    I’ll say it again: Freeze your credit reports!

    “A credit freeze is the best thing you can do – and in fact, the only thing you can — to stop identity theft before it starts. Think of it like The Club you place on car steering wheels. Yes, the car can still be stolen, but many car thieves see a Club and move on to another target. ID thieves who face security-freeze speed bumps when trying to get credit cards or loans in your name are just as likely to move on to the next Social Security number [as in this case, taken from the dumpster].”

  63. forgottenpassword says:

    @snoop-blog:

    I automatically assume that the possibility of anyone going thru my trash is real. And dont throw away anything I wouldnt mind someone knowing about. All they are gonna find out from me is what brand of household products I use & what fast food places I frequent. *shrug*

    Any sensitive info I completely destroy. I’m kinda paranoid about that kind of stuff.

  64. FightOnTrojans says:

    @friendlynerd: I see them do it on “Law & Order” all the time. And when I say all the time, I mean ALL THE TIME. At least one version of that show is on some channel or another all the time! I love it!

  65. FightOnTrojans says:

    @Trai_Dep: Yah, I was wondering the same thing myself. Is there something magical about the 1 year mark that says “Ok, it’s been a year since some dirtbag got my info, he can’t use it to steal my identity anymore”?

  66. SacraBos says:

    @forgottenpassword: I”m with you. I shred nearly everything with my name and/or address on it, even envelopes with business names/addresses that would show what banks/etc where I might have accounts.

  67. 3drage says:

    Yeah Regs at financial institutions are pretty tight about this stuff. The bank needs to do an internal audit and get rid of the people disposing of personal information improperly. You can lose your insurance doing stuff like that.

  68. snoop-blog says:

    @forgottenpassword: well still i don’t want people going through my trash. i don’t understand what’s so hard to understand about that. maybe i do have stuff to hide, maybe i don’t. maybe i don’t want people finding used condoms, or pregnancy tests, or old bottles of motion lotion, work schedules, etc. i do own a shredder, but that’s still besides the point. my point is, even if i have nothing to hide, doesn’t mean i invite searches. i don’t let the cops in my home or search my car, why because it is my right to privacy. some people are more private than others, me being one of those people. i don’t prefer to give up my rights just because i have nothing to hide.

  69. Siegeman says:

    Man, back when it was just “People’s Bank” it was a pretty good local company. Then they decided to expand and gobble up some smaller banks to be able to go out of state. Now look at where they are. *sigh*

  70. snoop-blog says:

    even if it wasn’t my trash, but my neighbors, who would want to look out your window, and see a guy who may or may not be in his right mind going through the trash while your little kids are playing in your yard? to me, it’s not only that act of doing it, but the type of individual that does it. generally not the kind of people i want to have hanging in my neighborhood. not that they are all rapist murders or theifs or criminals, but they are obviously desperate, and i’ve seen desperate people do awful stuff. maybe i just live in a nicer neighborhood and that’s why it’s so unusual to see happen. if i lived in a place where it was more of a common occurance, than i would be more callous to it i guess.

  71. u1itn0w2day says:

    What if it was in the trash because somebody already rifled through it inside the building and didn’t take the time to put it in a ‘destroy’ or ‘shred’ bag.That’s just as scarey as a careless or ignorant employee.

  72. MoreIceCream says:

    I would like to confess as a homeowner I sneak rocks into my trash. I have no place to put them (1/3rd of an acre) and the cities only solution is to suggest I pay to dump them (by the pound). I could “drive them to the country” but it is so much easier to hide them at the bottom of my leaf bags or throw a few in the trash when I get them. It is Connecticut, it is not too hard to find them.

    I really feel a sense of relief confessing this year. Please don’t inform my city. It is grounds for banishment from the city transfer station.

    PS. I like People’s United Bank. I hope they publicly address this security breach though.

  73. RandomHookup says:

    Expect to see more dumpster diving as the cost of raw materials (aluminum, paper, copper) go up. It will be more so if we are required in the future to sort our recyclables.

  74. kapow! says:

    Hello from your friendly Compliance department! I have tried over and over and over and over and over and over and over and over x infinity to get people to discard of confidential information in the proper way. Of course since my company babies it’s loan officers, leaving stuff “lying around” is not a fireable offense (although it damn well should be). This is nothing new, and as long as people get away with it, it won’t change.

  75. Blinker says:

    @Trai_Dep:

    The easy solution would be to get rid of credit reporting agencies and treat everyone the same. Then your SSN becomes useless. If someone doesnt pay their debt then just garnish their wages

  76. ManPurse says:

    @RandomHookup: It’s weird to me that there are places where people just throw away recyclables. I don’t know if this is what you mean – or if you live some place like California where all recyclables go into one big container.

    But there are still places people don’t recycle at all. So strange.

  77. snoop-blog says:

    @Kristinap815: i’ve never met a friendly compliance dept. lol. the one at my office makes my life a living hell, and enjoys doing so. i find it humorus to see it doesn’t change much elsewhere.
    @ManPurse: i live in one of those places. nobody, not even %5 of the city population recycles. it kinda blew my mind to find out there were places where almost everyone does. but the area i live in is mainly ignorant rednecks. good luck trying to get them to change.

  78. S-the-K says:

    I think the bank is being a bit disingenuous here. I think it is less “extortion” as “you have a problem and here’s proof”.

    Considering the bank threw out the sensitive documents and they were found in a dumpster where anyone has access, he shouldn’t return the documents. After all, the way they discarded the documents they didn’t care who got them afterwards, why should they care if he has them?

  79. Spooty says:

    An update: check the 4/21/08 item on this legal news page:
    [www.breakinglegalnews.com]

    A local law firm filed a class action against the bank on behalf of customers whose data was exposed. The story also mentions that the dumpster diver was being sued by the bank and that the trial was under way.
    3.5 months later, I don’t know what’s up with either action.