Another breach at Wells Fargo

Sept. 6, 2006
Wells Fargo has now experienced at least six significant security breaches in less than three years

Have we reached the point where stolen laptops and missing consumer data have become so commonplace, they're no longer news? It's starting to seem that way.

But that doesn't diminish the seriousness of the problem -- or the profound impact such incidents can have on people in terms of the threat of fraud and identity theft.

The latest installment in this long-running drama involves Wells Fargo, which has now experienced at least six significant security breaches in less than three years.

The latest, which the San Francisco bank disclosed in letters dated Aug. 28 to employees, involves the theft of a computer and data disk from the trunk of a car belonging to an outside auditor.

According to Wells, the disk contains the names and Social Security numbers of an undisclosed number of bank workers, as well as information about prescription drug claims made through the company's health plan last year.

Wells isn't saying where or when the theft took place. It says only that the bank has "no indication that the information has been accessed or misused." Employees are being offered one-year subscriptions to a credit-monitoring service.

"The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants," said Julia Tunis, a Wells spokeswoman. "The auditor is no longer auditing any of our plans."

She said the auditor "contacted law enforcement when it learned of the situation, and both the authorities and Wells Fargo corporate security are investigating."

The incident is a virtual rerun of a security breach disclosed last month by San Ramon oil giant Chevron. In an e-mail to U.S. workers, the company said a laptop "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans."

A Chevron spokesman said the missing data include names, Social Security numbers and other sensitive data.

A key vulnerability

Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group, said it's become clear that corporate third parties -- and especially auditing firms -- represent a key vulnerability when it comes to keeping customer data under wraps.

"In the old days, auditors would come in and practically live in your office for a week or two," she observed. "Now they take the work home."

While many companies have experienced security breaches in recent years, Wells has had an especially rough run of bad luck.

In May, the company alerted mortgage customers that their name, address, Social Security number and account number were stored on a computer that disappeared while being transported by "a global express shipping company" from one Wells Fargo office to another.

It didn't say how many of the bank's 23 million customers were affected. (Bank insiders have since told me the shipping company in question was DHL.)

Prior to that, about 700,000 people had their personal data jeopardized due to a string of security breaches affecting Wells Fargo, according to the office of the comptroller of the currency, which regulates federally chartered banks.

These incidents include an October 2004 theft of four computers from the office of a bank affiliate, a March 2004 computer theft from a bank office, a February 2004 computer theft from a rental car driven by two bank employees, and a November 2003 computer theft from the Bay Area office of a bank consultant.

In an e-mail to workers Tuesday, Avid Modjtabai, Wells' director of human resources, said the bank isn't saying more about the latest incident "because doing so may jeopardize the investigation."

Return to sender: Then there's the matter of Alameda resident David Cassel, who exited a job at a Bay Area tech company in June 2005 and then, a few months later, received a check for $262 from Wells Fargo, which administers the tech company's 401(k) plan.

"I assumed they were sending me some sort of end-of-the-year profit sharing," Cassel said.

He deposited the check in his bank account (BofA, not Wells) and that was that. And then a whole year went by.

That wasn't the end

And then, just the other day, Cassel received a letter from Wells Fargo saying that the $262 had been sent to him in error and that the bank wants its money back. That raised an interesting question (several actually).

"Do I have to give it back?" Cassel wanted to know. "Even if it's their mistake? Isn't there a statute of limitations or something?"

The answers: Yes, yes and, surprisingly, yes.

"If he was truly paid in error, he needs to pay it back," said Fred Keeperman, a Moraga attorney who specializes in debt collection.

But there is a statute of limitations on this sort of thing, he said, and in most cases that's four years. So Wells Fargo is still within its rights in demanding the money back 12 months later.

The bank agrees.

"If the assets of a plan are distributed incorrectly, for whatever reason, fiduciaries have an obligation under federal law to try to collect those assets and have them returned to the plan," said Susan Stanley, a Wells spokeswoman.

But wait, as they say, there's more:

Cassel has just received another letter from Wells, this time stating that "not all (retirement plan) participants who received a letter should have received a letter." After further review, the bank has decided that Cassel doesn't have to send the money back after all.

"Wells Fargo Retirement Solutions is truly sorry for any inconvenience the earlier letter may have caused," the bank said.

That's OK. Nobody's perfect.

News stories provided by third parties are not edited by "Site Publication" staff. For suggestions and comments, please click the Contact link at the bottom of this page.