Security Watch

Keeping Track of patches and hacks in the IT security world.

Labor Union Posts Video of Bank Docs Pulled from Trash

After receiving copies of documents pulled from the trash earlier this week, JPMorganChase will be contacting customers whose identities may have been compromised.

The documents included what looks like loan applications and other paper printouts. They were taken from the trash by the SEIU (Service Employees International Union), according to Tom Kelly, a media representative for the bank.

The SEIU, which Kelly said is in a dispute with the bank over its hiring of vendors to provide cleaning and guard services, posted a video on YouTube that shows an unidentified man pulling documents from a trash can earlier this week.

The documents are fuzzy on the video, but a man—presumably the same one pulling documents from the trash, although his face is not shown in the video—reads from the documents what he claims are Social Security numbers, names, addresses, business names and addresses, phone numbers, dates of birth, savings account numbers, balance information and transaction histories.

Some visitors to the YouTube site, where the video was posted on May 1, claim to be bank employees and dismiss the legitimacy of the documents being found in the trash. PeesaLisa989 on May 2 wrote that "As an employee of Chase, I know they go above and beyond to dispose of their trash in secure locked bins. And I was talking about the statements in the trash. Nothing we print off the computer has a complete account number on it."

That description of the bank's handling of sensitive documents matches the one provided by Kelly, who said that the bank's official procedure is to train employees to put confidential documents in large locked bins that have slits on the top. When those bins are full, they're removed, and the documents are shredded, he said.

Kelly added that the bank, which hadn't immediately received copies of the documents from the SEIU, is now going through the documents to determine their legitimacy, as well as how many customers may be affected. The bank will contact customers after determining these points, he said.

The SEIU has told reporters that it posted the YouTube video in an effort to get JPMorganChase's attention, as opposed to immediately alerting the bank as to the possible improper disposal of sensitive documents.

"If customer security was their main concern, they'd have come to us first," Kelly said.

On the evening of May 1, the bank had a conference call with 800 branch managers in the New York Metro area, to compile information and determine what may have happened, Kelly said. With about 10 employees per branch in that particular area, the number of employees to question amounts to some 8,000 individuals.

Kelly said that the bank is still compiling information, but that it will be a matter of days, not months, before it gets on the phone to affected customers.

The bank will also determine whether to issue one year of free credit monitoring to affected individuals, as is the industry standard, Kelly said.

The SEIU had not returned calls by the time this was posted.