Data Security Breached at Wells Fargo

Four computers containing the Social Security numbers and other personal information of some Wells Fargo & Co. borrowers were stolen last month in the third such security breach in a year, the San Francisco bank said Tuesday.

Wells Fargo said the thefts occurred in early October from the Atlanta office of Napa, Calif.-based Regulus Integrated Solutions, which handles billing for banks.

The computer files included the names, addresses, loan numbers and Social Security numbers of some Wells Fargo customers with student loans and mortgage escrow accounts, according to bank spokeswoman Julia Tunis.

Identity thieves frequently use Social Security and loan numbers, but Tunis said there was no indication that the stolen information had been misused.

She said a “relatively small percentage” of Wells Fargo’s 4.9 million mortgage customers and 890,000 student-loan borrowers were affected but declined to be more specific about the number of victims or about the circumstances surrounding the theft.

Wells Fargo, the largest bank based in California, is a longtime customer of Regulus, Tunis said.

Regulus executives declined to comment.

It was unclear whether any of the stolen computers held information about people who bank at institutions other than Wells Fargo. The Gwinnett County Police Department in Georgia is investigating the thefts.

Founded in 1995, Regulus is one of the largest U.S. companies focusing on billing and money transfers, with 2,700 employees and 4,000 clients, according to its website.

As required by a California law that took effect last year, Wells Fargo notified affected customers in letters sent out last week. Tunis said they lived throughout the nation but were concentrated in the Western and Midwestern states where Wells Fargo has full-service bank branches.

The letters were the third batch Wells has had to send out in 12 months to notify customers that financial secrets were compromised, each time as the result of stolen computers.

The first incident occurred last November in Concord, Calif., when a burglar stole a laptop computer from the office of a marketing consultant working for Wells Fargo. The laptop contained names, addresses and account and Social Security numbers of thousands of customers who had taken out personal lines of credit, Concord Police Sgt. Steve White said.

Police recovered the laptop and arrested a Concord man two weeks later after he allegedly logged onto the Internet using a stolen computer and was traced. There were no reports of fraudulent use of the Wells Fargo data, White said, adding that the man pleaded not guilty and was awaiting trial on charges of burglary, identity theft and possession of stolen property.

The second theft took place in the St. Louis suburb of Edmundson in February, when two Wells Fargo Home Mortgage employees stopped at a gas station and convenience store on the way to return a rented Mustang.

“They got out of the car, filled it up, went inside to pay the tab or get some munchies, and left the keys in the car. Someone just came along and stole it,” said Edmundson Police Chief Ron Hawkins.

When the abandoned car was recovered a week later, a laptop -- which contained information on thousands of borrowers -- was missing from the trunk. Hawkins said it was never recovered but that there were no reports of fraudulent use of the information it contained.

In the most recent letters, Wells Fargo advised customers to file a “security alert” with the three major credit bureaus, asking them to increase their scrutiny of activity in the customers’ names. That would make it easier for the agencies to detect fraud. The bank isn’t permitted to contact the credit bureaus directly, Tunis said. But she said that Wells Fargo offered the customers a free year of its credit-monitoring service, a kind of early-warning system for identity theft.

Representatives of consumer groups and California’s Office of Privacy Protection praised that move. At the same time, they said they couldn’t point to any other large financial institution that had had so many instances of breached security in rapid succession.

“Three instances in a year for one financial services company is extraordinary,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse in San Diego. “It makes me wonder what kind of culture of confidentiality Wells has.”

Tunis said the incidents didn’t suggest a pattern of security problems.

“All three of them were isolated incidents,” she said. “We deeply regret and apologize for any inconvenience this has caused our customers.”

Joanne McNabb, chief of the California Office of Privacy Protection, said the theft of computers bolstered the case for requiring financial institutions to encrypt data they share with service providers and affiliates.

“The users find that encryption is a hassle,” McNabb said. “But it’s not nearly as much hassle as this” type of security breach.

Tunis declined to address encryption specifically but said the bank had “comprehensive guidelines and policies” to protect customer information.

McNabb said individuals, companies, schools and government bodies had reported about 40 major cases in which confidential information was breached since the state law requiring notification of victims took effect in July 2003. Of those, about 60% involved stolen computers or burglaries, she said.

Colleges, where information traditionally flows freely, pose the biggest problem, she said. Bank of America Corp., Merrill Lynch & Co. and H&R; Block Inc. had one instance each of these major breaches, involving 1,000 or more people.