An American bank has come under fire for sending a “vague and deceptive” breach disclosure letter to its customers.
In a letter sent to an undisclosed number of customers, Fifth Third wrote that a “small number of employees” had stolen customer information and given it to a third party from as early as Summer 2018.
The stolen information included names, Social Security numbers, addresses, dates of birth, phone numbers, mothers’ maiden names, driver’s license information, and account numbers.
Fifth Third said that the theft was uncovered following an internal investigation and that law enforcement was notified. However, the bank explained that it cannot provide much detail in light of the active investigation.
“Incidents like this are rare,” Fifth Third said. “Nonetheless, we are reviewing our current preventative measures to determine how we might further increase their effectiveness.”
The head of the Consumer Federation of America, Jack Gillis, slammed Fifth Third’s disclosure letter: “Fifth Third is only telling half the story – it’s vague and deceptive to customers because it’s just not their Fifth Third accounts that will be impacted.”
Gillis criticised a passage in the letter reassuring customers that no fraudulent activity had been detected on their accounts, arguing that threat actors could use the compromised data outside of the bank accounts.
The stolen information could be used to open credit accounts outside Fifth Third, where fraudulent charges wouldn’t be noticed until they were reported to credit reporting agencies.
Gillis has urged customers to immediately sign up for the bank’s identity alert protection, in addition to contacting a credit reporting agency.
“Our primary concern, as always, is for the protection of our customers’ assets and personal information,” Fifth Third said. “We apologize for any inconvenience as we work to resolve this matter.”