Scale of bank data loss take three months to reveal
The Bank of New York Mellon took almost three months to assess the full impact of the loss of two data tapes on its customers.
New York Mellon last week began contacting 8 million customers newly identified as being at risk, following a detailed forensic analysis of the content of the tapes.
The tapes contained personal details including social security numbers, names, addresses and dates of birth of the banks customers.
The bank disclosed that third-party couriers had lost the two back-up tapes in May, putting the number of customers affected at 4 million.
But after nearly three months of forensic analysis, the number of affected customers has risen to 12 million. The wide range of files and formats and the complexity associated with extracting data from back-up tape, meant that the analysis took some time, the bank said.
"A subsequent re-examination by an industry-leading forensic investigation firm of the analysis applied to the lost tapes led to the identification of additional individuals," said a statement from the bank.
"When we first became aware of the data loss we committed to a review of our data handling procedures and as part of this we re-reviewed the auditing of what data was lost," said a spokesman at the bank.
The second review was able to identify additional information that was on the back-up tapes. "The nature of back up meant there was an extraordinary amount of information that is stored in a wide variety of files and formats," he added. "It took us a long time to complete the second data forensic review and it is only now we can get on with notifying individuals affected."
The bank has reviewed its policies, procedures and controls, since the incident was first reported. This includes a programme where confidential data transferred within the company is only carried out through direct encrypted electronic transmission.
Bank New York Mellon said there is no evidence that the data has been misused and has offered free fraud protection to the customers affected.
Earlier this week a server containing the personal details of over one million customers of the Royal Bank of Scotland, Natwest and American Express was bought on eBay.