The Service Employees International Union, said to be protesting low wages of Chase bank security guards, are recorded searching plastic trash bags and discovering a number of documents, including bank statements, loan applications and transaction reports, that contain sensitive data such as Social Security numbers.
The "dumpster divers" blurred out the confidential data on the
YouTube clip, which has received more than 5,000 views since being posted on Monday.
"We're going through the trash here to make sure they properly dispose of their customer information," one of the protesters said on the video.
The incident emphasizes the need for financial institutions to not only invest in technology, but also to ensure employees are complying with policies, Avivah Litan, a Gartner analyst, told SCMagazine.com. She said Chase has led the pack in online banking security but appears to have made a major mistake here.
"That's amazing that in this day and age, they would allow these kinds of documents to go into the garbage," Litan said. "That's really a bad slip-up."
Tom Kelly, a Chase spokesman, told SCMagazine.com today the bank is waiting for the union to report which customers were identified in the documents, at which time the bank will send notices to the victims. He expected the number of affected individuals to be in the dozens, or hundreds at most; all will be offered a free year of credit monitoring.
Kelly said he has no reason to believe any of the data will be misused.
He said established protocols call for such documents to be locked in bins, then shredded.
All New York branch managers were told on Monday to revisit their security policies to ensure this does not happen again, he said.
Gartner reported in March that about 15 million Americans were victimised by identity theft fraud during a 12-month period ending in the middle of 2006. Litan said paper document theft, such as dumpster diving, is responsible for a majority of new account fraud and check forgery.
Companies must do a better job at information lifecycle management, ensuring data is protected from creation to destruction, Jared Pfost, vice product of product management for biometrics authentication provider BioPassword, told SCMagazine.com.
"Identity theft can come at any stage in that lifecycle, whether [the data] is in electronic or physical format," he said.
Kelly said he was upset the union posted its findings on the internet instead of first notifying Chase. A union spokesman could not be reached for comment today.