PORTLAND, Maine — TD Bank is notifying an unknown number of customers that backup computer tapes containing their confidential personal information, including bank account and Social Security numbers, have been “misplaced,” putting them at risk for identity theft.
Although the security breach occurred in March, the bank only recently began sending letters about it to customers. TD Bank spokeswoman Rebecca Acevedo said the delay was necessary as the bank conducted an internal investigation. But at least one customer called the lag “unconscionable.”
“So what has happened to my personal information for the past seven months?” asked Lew Alessio, a Lewiston-Auburn area businessman who has both business and personal accounts with the bank.
The security breach occurred in March when two backup tapes from a computer server were shipped from one TD Bank location to another. Acevedo said the tapes were misplaced in Massachusetts. She declined to say whether the tapes were the responsibility of a TD Bank employee or an outside contractor at the time.
She said the bank held off notifying customers as it conducted an internal investigation. That investigation is ongoing and the bank has contacted Massachusetts law enforcement, as well. TD Bank began telling customers about the security breach a couple of weeks ago.
“We weighed everything as far as the investigation and what was going on. We figured now was a good time,” Acevedo said.
Acevedo declined to say how many customers were affected, though she said they live throughout the bank’s East Coast coverage area, from Florida to Maine. Notification letters are going out now and will continue until late October. Only affected customers will get a letter.
The two-page letter calls the security breach an isolated incident and notes that the bank has no evidence to suggest customer data has been misused.
Alessio received his letter Saturday. It told him TD Bank may have lost track of several pieces of his personal information, including his credit card number. He called TD Bank customer service to get more information, but he said representatives couldn’t answer his questions.
“All they kept on doing was repeating the same information that was in the letter about how much they care about security,” he said. “So now what do I do? Obviously I monitor my credit information, but do I really want to stay with this bank?”
Among his questions: Why did TD Bank wait seven months to tell him about the breach?
It is unclear whether such a delay is allowed. Maine law permits businesses to conduct an investigation before notifying customers of a security breach, but that notification must be made “as expediently as possible and without unreasonable delay.”
The law provides no timeline, except that customers must be notified no more than seven days after law enforcement determines that such notification won’t compromise a criminal investigation. It’s unclear when TD Bank called in Massachusetts law enforcement and whether the bank waited to notify customers to get the OK from police.
In its letter, TD Bank offers affected customers a year’s worth of free credit monitoring. However, Alessio said he tried to set up his monitoring Monday and was told he would be charged.