Slashdot Mirror


Is Your Banking Information Accidentally On Ebay?

GraWil writes "The Toronto Star is reporting how two Bank of Montreal computers containing thousands of sensitive customer files were sold to a student who fixes up machines and then resells them on eBay. It seems that the company responsible for scrubbing the disks (Rider Computer Services Ltd.) misfiled the machines in their warehouse and it was assumed they had been erased." It's not the first time this sort of thing has happened.

19 of 205 comments

  1. My take by Matrix2110 · · Score: 3, Insightful

    My take on the whole issue is that somebody caught it and went public with the information soon enough to prevent damage.

    Let's hear it for the unsung heroes in life.

    1. Re:My take by Mysticalfruit · · Score: 2, Insightful

      Damn, this sounds like a really good gig! 800 bucks canadian for two Netfinity servers?

      As to the data scrubbing company. Come on! Who the hell designed their process management at that company? You'd think, because of the sensitive nature of the data that company is responsible for destroying, that they'd have a procedure in place that says "If you're not sure of a machine's status, scrub hard drives as if it just came in the door".

      --
      Yes Francis, the world has gone crazy.
    2. Re:My take by Melantha_Bacchae · · Score: 2, Insightful

      An AC wrote:

      > Publishing credit card information on ebay etc etc, yadda
      > yadda - is just plain dumb. It's all moronic behaviour
      > that's only gonna lead to trouble for the "unsung hero" -
      > how is that clever? Why should that be rewarded with
      > street cred and trend points?

      He didn't put the credit card information on Ebay. He put two computers up for auction on Ebay, assuming their hard drives had been professionally wiped clean.

      When he found out that was not the case, he could have just tried to erase the disk himself, and sold it anyway. What made him a hero was that he immediately yanked the auction, and took the risk to himself of contacting the reporter and the bank (if he had not been believed, he might have wound up in a whole mess of trouble). Because he did this, the bank could trace back where the problem was and fix it so no other hard drives fell into possibly the wrong hands, and the public was notified of the problem. He may well have saved thousands of people from identity theft.

      That is why he is a hero.

      "There is something important to do, no matter how hard or painful."
      Mothra (via Moll) "Mothra 3: King Ghidora Attacks" (Japanese version)

  2. I don't get it.. by Heartz · · Score: 4, Insightful
    But why don't banks just destroy the Hard Disks before selling off the Machines? No matter how much one scrubs off a HDD there's always the risk of exposure of private details of clients.

    They should just get rid of it and save us all a lot of headaches while recouping some money from the second hand machine.

    1. Re:I don't get it.. by Anonymous Coward · · Score: 0, Insightful

      It's a workflow problem, not a technical problem. With shredding there is no way an "improperly" disposed disk can get into the wrong hands, because then disposal never means reuse. Whole hard disks leaving a shredding service company is much easier to catch than unscrubbed hard disks leaving a recycling company.

    2. Re:I don't get it.. by gl4ss · · Score: 4, Insightful

      most countries' armies don't have such a problem of making sure of it (that hard drives don't leave the place, even if other computer scrap leaves).

      heck, everyone should make sure of it.

      it's not like you can set the company premises on fire even if you're not the one set to the ceremonial position of "the one who does not set the premises on fire".

      anyways.. they outsourced that problem to somebody who was willing to say to them (the bank) that they're clean.

      --
      world was created 5 seconds before this post as it is.
    3. Re:I don't get it.. by SmallFurryCreature · · Score: 2, Insightful
      Why don't they just destroy the disks? Mmm, yeah, after all destroying a HD is pretty easy: screw it open and shred the platters. I found out a few years ago that my laptop drive contains GLASS platters. Well I say platters, mine contained shards but I presume they once were platters.

      Anyway, so why don't banks do it? I think they may walk into a whole mess of employment rules. You see you need proper equipment, proper safety equipment, proper environmental protection. Banks just ain't equipped to handle this. So they outsource it. Handling it internally costs too much.

      Secondly, what do you think sells better, a complete second hand machine, or one that needs to be fitted with expensive new disks?

      Remember: Where's the money!

      --

      MMO Quests are like orgasms:

      You may solo them, I prefer them in a group.

    4. Re:I don't get it.. by Pig+Hogger · · Score: 2, Insightful
      And more importantly, why does the bank trust a third party (Ecosys) with the scrubbing, rather than doing it themselves?

      Because some fucking asshole with an MBA on the wall figured it would be cheaper than doing it in-house.
  3. Destroy, don't sell by Ckwop · · Score: 5, Insightful

    Personally, I think that any hard-drive that has been used for that purpose should be securely destroyed instead of being sold. Simon.

  4. PR Shills by CaptainZapp · · Score: 5, Insightful
    "Our number one priority as an organization is the protection of customer information," said Dina Palozzi, chief privacy officer for the bank, which swiftly seized the computers' hard drives on Saturday afternoon within 24 hours of learning their whereabouts. "This kind of issue we take very, very seriously."

    Don't you just love it? If protection of customer information indeed is your number one priority, then why the fsck don't you have procedures in place which make such a blunder outright impossible? And if you do have such procedures in place, why don't you enforce them?

    Are those PR liars (and what else could such a "chief privacy officer" making such an outrageous statement actually be?) all cranked out by the Forked Tongue Institute for Marketing & PR, or what?

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

    1. Re:PR Shills by Rogerborg · · Score: 3, Insightful

      Never mind, they can console themselves with the thought that despite bungling their number one priority, they still managed to hit their number two goal, which is to turn a metric assload of other people's money into an assload and a half simply by shuffling it around.

      --
      If you were blocking sigs, you wouldn't have to read this.
  5. not much of a worry.... by Lumpy · · Score: 4, Insightful

    First off, unless the entire IT department of the bank are complete morons, most financial data is NOT kept on local machines but on the file server and the main database machines.

    I know that the caches and things MAY hold some sensitive data but it's highly unlikely.

    Unless the person that used that PC in the bank was also an incompetent boob and, say, saved a spreadsheet of 200 credit card numbers and information on the local drive (why the hell are you making an insecure document like that?), it's only a mild security breach.

    It shakes the confidence of the customers more than anything else.

    --
    Do not look at laser with remaining good eye.
  6. Ethical and Legal Dilemmas by G4from128k · · Score: 2, Insightful

    There are valid reasons for checking out the contents of the HD -- if you think a machine might have been stolen, then finding the prior owner is the right course of action. I know of one dumpster diver who tried to reunite an old PC and its data with its former owner. The former owner was pleased by the honesty of the finder and upset that the HDs had not been wiped as promised by a PC recycling company.

    The hardest case that I heard was a used computer buyer that ran across some very disturbed writings on an old machine. Violent written fantasies could have been just someone letting off steam, writing fiction, or a prelude to going postal. Finding potential evidence of a forthcoming crime places a severe ethical burden on the finder of the computer files.

    Personally, I don't make a point of snooping and tend to just reformat the HDs of old computers that I buy. This also forestalls the licensing issues with old software on old computers -- that old copy of M$ Office may (or may not) be legal.

    --
    Two wrongs don't make a right, but three lefts do.
  7. Environmental Hazards of Physical shredding by G4from128k · · Score: 2, Insightful

    As appealing as physical destruction of an HD is, it is not a wise course of action. As with most electronics, HDs contain lead, glass fibers in the circuit board, and caustic chemicals in the electrolytic capacitors. And I have no idea of the potential toxicity of the materials coating the platters or used in the rare earth magnets in the actuators and motor.

    Turning data into dust creates an environmental hazard. Therefore, it's better to send old electronics to an institution that has the tools and procedures for safely recycling/recovering/reprocessing the materials in the HD. Yet we obviously cannot and should not entrust these companies with our sensitive data. That is why some form of encryption (either in hardware or software) is the solution to making the data unrecoverable.

    --
    Two wrongs don't make a right, but three lefts do.
  8. Copyright? by Quixote · · Score: 5, Insightful
    Here's a question. Why is it that the RIAA can (with a straight face) claim that each of their songs that a person shares is worth $150K, and yet my private information with the bank is worth zilch? Why is it that the RIAA can get $12K from a 12-year old girl and yet the general public can get nothing from these companies that share our private information?

    Shouldn't customers' private information have at least as many rights as some stupid Britney Spears song?

  9. The bank thanked Ellis... by dpbsmith · · Score: 3, Insightful

    Bravo to them! A refreshing change from all the stories of corporations responding to security issues by shooting the messenger.

  10. Security Check by failedlogic · · Score: 4, Insightful

    Gov't employees, military personnel and law enforcement in sensitive areas have to go through a background check.

    This begs the question, what sort of background checks are performed on the technicians fixing the computers? And what sort of computer security experience do they have?

    I would at least expect a "student" not to be employed in this type of position. Give it only to a qualified full-time employee w/ good compensation and benefits - that in itself should be a deterrent.

  11. wonders how this patches in with canadian law by perlchild · · Score: 2, Insightful

    Since the Bank is responsible to Canadians for how it uses our information, why didn't it just scrub the disks in house, even something like format c:, then send the box to the outsourcers?

    If this keeps happening, you bet Canadian Bank Law will mandate they do their own scrubbing...

  12. It's not the reseller's fault by Awptimus+Prime · · Score: 3, Insightful

    The banks should have 0'd or trashed these drives before selling them. I see this type of neglect as solely the responsibility of the bank.

    Why? Well, if you hire an accountant and don't double check his work, it's your arse. Why should it be any different with a corporation's responsibility when it comes to guarding customer data?

    Personally, I would like to see more laws guarding US. Not slapstick anti-terrorism laws directed at destroying personal privacy, but real laws that protect real people. As we are the source of America's economic might. At the point where citizens don't have money to throw at giants, then the giants won't exist anymore. At least, not inside our borders.