BREAKING: Wells Fargo Loses Laptop With Customers Private Data

Lee received a letter today from Wells Fargo notifying him that they lost a laptop containing his and other customer’s private data.

The laptop contained his name, address, Social Security number and Wells Fargo Home Mortgage Loan Account information.

The letter states that, “the computer had two layers of security, and [Wells Fargo has] no indication that the information has been accessed or misused.” That part is underlined.

The computer was being shipped by a global express shipping company between Wells Fargo facilities. According to the letter, Law enforcement directed Wells Fargo to delay notifying all affected customers because they were concerned it would jeopardize their investigation. The missive goes on to detail and advise on various ways in which Lee could safeguard his data against identity theft.

Here’s the letter Wells Fargo sent him. [PDF]

Seems like a lot of laptops containing customers personal data have gotten misplaced lately. Maybe now is about time to stop putting customers data on them. Whaddya say, boys?


Edit Your Comment

  1. Hawkins says:

    Companies that store sensitive customer data on laptops, no matter how encrypted, are grossly irresponsible.

    Once the encrypted files are in the hands of an attacker, brute-force and dictionary methods can be applied by any twelve-year-old with some simple tools, with a fair expectation of success.

    Simply forcing them to admit that the laptop is lost doesn’t seem to be much of a deterrent, particularly now that such losses have become so frequent.

    The extra-stupid part is that there’s generally no good reason to do this. If Mr. Analyst’s analyses are so fucking important that he needs to have access to the raw data from Starbucks, then provide Mr. Analyst with a wireless card and a VPN connection to the server on which the data resides.

    Stupid, stupid, stupid.

  2. LTS! says:

    Hawkins – are you daft? Are you attempting to tell me that the level of encryption used by these programs is that easy to crack? You know, that level of encryption that every government agency around the world uses to protect their data? Hell, if it was that easy I doubt there’d be so many secrets.

    The point is that the programs used, Like PointSec, Utimaco, SafeBoot, WinMagic, etc. are all quite capable at protecting the data that is stored on a laptop. Without knowing the encryption technology Wells Fargo is using it’s irresponsible to make statements like yours.

    One more item, when you VPN into the network and then access the files, the files are stored locally. If you aren’t using a hard disk encryption method those temp files remain on the local drive. Even when they are deleted they can be recovered. Disk encryption is the only way to prevent that.

    To my knowledge AES, CAST, Blowfish and the like have not been broken. So you’re gonna need a lot of luck or a hell of a computer array to break the encryption key by brute force.

  3. Hawkins says:

    Fancy-schmancy encryption is only as strong as the passwords.

    Dictionary attacks work, on regular computers, often in just a day or two, because the puny humans use weak, guessable passwords.

    Attempts by the security Nazis to enforce strong passwords meet resistance from the PHBs because they’re too hard to remember.

  4. Ben Popken says:

    Steve writes:

    “Nothing in letter from Wells Fargo mentions “laptop”. They use the term “computer” so it could be a desktop or server. Could it have been a laptop? Sure, but this instance wasn’t as neglectful as previous examples of laptops stolen out of cars. but you still have to question the judgement on their shipping choice.”

  5. dukerayburn says:

    Thanks once more, Consumerist. As soon as I read this, I changed all my information, from my online banking sign-in name and password to my PIN number. I’ll probably change them again in a week’s time, just to be completely sure.