Financial services firm JP Morgan Chase is investigating claims by a trade union that it dumped documents containing customers’ personal financial data in bin bags outside five branch offices in New York.
The Service Employees International Union, which has more than 1.8 million members in the US, has posted a videa on YouTube that appears to show documents containing account data - including full customer names, addresses and social security numbers - being retrieved from bin bags outside the bank branches.
The apparent US data breach follows sharp criticism from the UK information commissioner last month after 11 high street banks were found to have dumped customers’ personal data in rubbish bins outside their premises.
The banks - HBOS, Alliance & Leicester, Royal Bank of Scotland, Scarborough Building Society, Clydesdale Bank, Natwest, United National Bank, Barclays Bank, Co-operative Bank, HFC Bank and Nationwide building society had breached the Data Protection Act , the commissioner found after investigating complaints.
Among the JP Morgan Chase documents the video purports to show being recovered from the bin bags are a loan application with the borrower's name, address and social security number, a cheque account profile with similar details, a partially ripped account summary with personal data and a business credit application.
The video ends with a message urging viewers to call Tom Kelly, the bank's head of media relations for retail financial services and the US region.
JP Morgan and the SEIU union are currently locked in an industrial dispute over the hiring of security guards.
Kelly said the bank was investigating the claims made by the union in the YouTube video. The standard procedure for disposing of financial documents at Chase branch locations was to put them into a large padlocked bin with an opening on top for inserting the documents, he said. The papers were then later recovered from the bins and shredded. He added that the bins were not placed outside the facility.
"We don't know what happened here, we are trying to find out," he said. "We had a conference call with all of our branch managers and reiterated what our policies and procedures are."
Kelly added that the bank had contacted the union’s lawyers and asked them to share the customer information it claims to have recovered,. "If those customers are at risk, we want to contact them," he said, adding that so far the bank had not heard back from the SEIU. "It is not clear that customer privacy was their first priority in this."
The union was not available for comment at the time of going to press.
Two weeks ago, in a separate incident JP Morgan Chase began warning around 47,000 customers and employees in the Chicago area that their personal data may have been compromised after a disk containing the data was reported missing late last year.
The missing data was from JP Morgan's private client services business, which provides financial services to wealthy customers with a net worth in excess of $1m (£500,000). Kelly said the storage device was delivered to a secure off-site facility for safekeeping but went missing after that. There is no evidence so far that the data had been misused, he said.
JP Morgan is offering a year's worth of credit monitoring services to affected clients. Kelly said the bank had taken a long time to inform affected individuals of the potential compromise because it needed to reconstruct the information contained on the device.
Find your next job with computerworld UK jobs