
For various reasons I started to open a bank account with Mercury, before deciding to use another provider.

When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.

At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.

They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.

Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.



Yes, their hands are tied. KYC requires the banks to keep the data for five years after account termination.

One of many, many shitty things introduced by the Patriot Act that we now just live with.


GP was never their customer, though. They started filling out the application to open an account, got past the ID verification step, and then decided not to complete the new account process.

Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.


I understood GP to have started but not finished the process of opening an account. Does KYC still require banks to keep the data in this case?


IANAL, so I'm not gonna attempt to interpret it, but here's how it's phrased:

> Recordkeeping. Section 326 of the Act requires reasonable procedures for maintaining records of the information used to verify a person's name, address, and other identifying information. The proposed regulation sets forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank is required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the bank must maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain. The bank also must record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank must record the resolution of any discrepancy in the identifying information obtained. The bank must retain all of these records for five years after the date the account is closed.


> a bank is required to maintain a record of the identifying information provided by the customer.

They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.


Search for their board and start the process with each one of them, up to what the public data allows.


They are probably outsourcing to a vendor who will do god knows what with it.



