This revelation follows the bank saying in May this year that it had been hit by a security breach in which data relating to 4.5 million accounts had been compromised.
The bank's spokesman, Kevin Heine, admitted that a forensic review of the loss showed that the breach was much larger than initially thought.
Details such as names, addresses, social security numbers and dates of birth were lost. The data was on between six and 10 unencrypted backup tapes being couriered by a third party. The box of tapes was one of 10 being moved from BNY Mellon to an archive. The loss was noted when the vehicle reached its destination.
Bill Beverley, security technology sales manager, F5 Networks, told SC: “The number of customers affected by the BNY Mellon breach is astounding; over 12 million customers compromised is no laughing matter and needs to be addressed through legislation.
“When will these lessons be learnt? The ICO (Information Commissioner's Office) reported earlier this year that the biggest data breach incidents were connected to unencrypted data, but neither the ICO nor FSA (Financial Services Authority) have effectively helped companies secure sensitive data. Best practice on how to store sensitive data should be enforced by legislation. In this instance BNY Mellon has admitted having to overhaul its security policies, highlighting that existing policies were not effective.
“The introduction of strict policies and processes around storing data will help avoid future repercussions. BNY Mellon had a clear gap in processes in their handling of unencrypted back-up tapes. If organisations want to avoid data breaches of this nature they are going to have to reconsider their storage options, policies and procedures.”
BNY Mellon has reportedly revamped its security measures so that sensitive data is transferred within the firm in an encrypted format.