Some Wells Fargo customers who opened their accounts in Florida or South Carolina are getting an unpleasant surprise when they open the monthly statement they receive in the mail: At least some of the statement pages inside don’t belong to them. What’s more, it turns that some of their own potentially sensitive account information has been mailed to someone else. Wells Fargo spokeswoman Aimee Worsley wouldn’t say how many customers were affected, but a South Carolina newspaper put the number at 30,000. The misdirected information didn’t include PINs, but it did include other personal information: names, addresses, transaction details and balance information. The biggest concern, Worsley says, is that some customers who receive direct deposit of their wages or benefits may have had their Social Security numbers compromised, since some organizations use that number to identify payees.
As a result, she says, “We’re treating this matter like an information security breach. We believe the risk of compromise to customers’ accounts is low, but we are providing all customers affected by this issue a free year of identity theft protection.” Worsley added that Wells Fargo doesn’t plan to change affected customers’ account numbers.
But a consumer advocate says that while the monitoring may give consumers piece of mind, it doesn’t protect them from likelier scenarios if their information falls into the hands of someone who wants to use it illegally. “The more likely thing is someone trying to get access to their money,” says Edgar Dworsky, founder of ConsumerWorld.org. He says a crook could take the information in a misdirected statement to make a fake check or mount a phishing attack to gain more valuable data like a PIN or Social Security number.
For customers who don’t already use Wells Fargo’s website, Dworsky says maybe it’s time to start. “You want to gain online access so you don’t wait 30 days to check your written statement,” he says. Wells Fargo’s Worsley says the bank mailed out an explanation and apology — along with correct statements — on Thursday, so customers should be suspicious of any further request for personal information that comes via phone or email.
Dworsky does add that most customers, although they might be justifiably alarmed, won’t experience any loss as a result of the mistake. He draws a distinction between this glitch, which Worsley attributes to a malfunction in one of the machines that collates the printed statements, and a hack, where the criminal intent is there from the outset.
Still, affected accountholders have a right to be angry. “It’s the invasion of your financial privacy,” Dworsky says. “I don’t want people knowing what I buy, what I pay and where I shop.”