Another breach at Wells Fargo

Wells Fargo has now experienced at least six significant security breaches in less than three years


Have we reached the point where stolen laptops and missing consumer data have become so commonplace, they're no longer news? It's starting to seem that way.

But that doesn't diminish the seriousness of the problem -- or the profound impact such incidents can have on people in terms of the threat of fraud and identity theft.

The latest installment in this long-running drama involves Wells Fargo, which has now experienced at least six significant security breaches in less than three years.

The latest, which the San Francisco bank disclosed in letters dated Aug. 28 to employees, involves the theft of a computer and data disk from the trunk of a car belonging to an outside auditor.

According to Wells, the disk contains the names and Social Security numbers of an undisclosed number of bank workers, as well as information about prescription drug claims made through the company's health plan last year.

Wells isn't saying where or when the theft took place. It says only that the bank has "no indication that the information has been accessed or misused." Employees are being offered one-year subscriptions to a credit-monitoring service.

"The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants," said Julia Tunis, a Wells spokeswoman. "The auditor is no longer auditing any of our plans."

She said the auditor "contacted law enforcement when it learned of the situation, and both the authorities and Wells Fargo corporate security are investigating."

The incident is a virtual rerun of a security breach disclosed last month by San Ramon oil giant Chevron. In an e-mail to U.S. workers, the company said a laptop "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans."

A Chevron spokesman said the missing data include names, Social Security numbers and other sensitive data.

A key vulnerability

Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group, said it's become clear that corporate third parties -- and especially auditing firms -- represent a key vulnerability when it comes to keeping customer data under wraps.

"In the old days, auditors would come in and practically live in your office for a week or two," she observed. "Now they take the work home."

While many companies have experienced security breaches in recent years, Wells has had an especially rough run of bad luck.

In May, the company alerted mortgage customers that their name, address, Social Security number and account number were stored on a computer that disappeared while being transported by "a global express shipping company" from one Wells Fargo office to another.

It didn't say how many of the bank's 23 million customers were affected. (Bank insiders have since told me the shipping company in question was DHL.)

Prior to that, about 700,000 people had their personal data jeopardized due to a string of security breaches affecting Wells Fargo, according to the office of the comptroller of the currency, which regulates federally chartered banks.

These incidents include an October 2004 theft of four computers from the office of a bank affiliate, a March 2004 computer theft from a bank office, a February 2004 computer theft from a rental car driven by two bank employees, and a November 2003 computer theft from the Bay Area office of a bank consultant.

In an e-mail to workers Tuesday, Avid Modjtabai, Wells' director of human resources, said the bank isn't saying more about the latest incident "because doing so may jeopardize the investigation."

Return to sender: Then there's the matter of Alameda resident David Cassel, who exited a job at a Bay Area tech company in June 2005 and then, a few months later, received a check for $262 from Wells Fargo, which administers the tech company's 401(k) plan.

This content continues onto the next page...