UK Banks Dump Credentials in Bin Bags
Plutonite writes "BBC news is reporting that several UK banks face 'unlimited fines' for careless handling of sensitive client information. This apparently came after investigators found account details while rummaging through the trash outside the banks involved. In this age of online banking and related security problems, and in light of this scandal, where can we expect to find the greatest threat of ID theft?"
I am the real Anonymous Coward. Any other posts by Anonymous Coward in this topic have been made by an ID thief!!
Frank: Gentlemen, I propose we send a message to tobacco companies by fining the El Dorado Cigarette Company infinity billion dollars!
Congressman: That's the spirit, Frank! But I think a real number might be more effective.
Women are like electronics: you don't know how damaged they are until you try to turn them on.
I don't use banks, I hide all my cash underneath my cat's litter box in my parents' basement.
Nobody steals my identity!
I wish they would... I'm sooooo lonely down here...
Actually the Data Protection Act is UK law, and makes these fines possible. We have all the protections that USians on /. frequently wish for. From the relevant Act:
2.1 Regarding the release of personal data to third parties without specific consent (or publication with the same effect), the assumption is that this is not permitted, except where specific exemptions apply. These exemptions now include:
- where required by law or statutory instrument;
- where required to prevent or detect crime;
- where required to assess or collect tax or duty;
- release to a third party who is sub-contracted to process the data in a way that meets DPA rules.
2.2 With regard to subject access rights, the data subject is presumed to be entitled to access all personal data held about her/himself that falls under the scope of the new Act, with the following main exemptions (i.e. cases where the controller of the data may decline to release certain data, but must justify doing so):
- where disclosure unavoidably identifies a third party;
- where the data was supplied in confidence e.g. references and similar judgements (but please note that examiners' marks and/or comments cannot be assumed to be exempt from disclosure.)
What else could you want? The Act allows for both civil and criminal penalties, so the banks may well be in for quite the can of whoopass.
"To any truly impartial person, it would be obvious that I am right."
Many financial institutions' IT departments in the US have no policies for paper shredding. I was always mindful to shred account information, but many of my coworkers were not. No rules were published and I've never heard it brought up as an issue by management.
You might be wondering why IT staff would have account information on paper. There are a variety of reasons. Periodic statements still go to most customers by paper, and the IT departments are responsible for their automation. A large percentage of people on the business side still like to see reports on paper and often the IT department is responsible for generating them. We are very far from having paperless companies. And in my experience paper disposal policies are largely missing or ignored.
Developers: We can use your help.
Time to store all my money under the mattress now.
It's not really easy to get money out of the banks though. They open after I start work, close before I finish, and they're difficult during the lunch hour. Hell, the only people they're accessible to are bank robbers.
Why UNIX?
Most corporate Windows machines are behind firewalls. They're not perfect, but they're pretty good. Windows servers are almost always set up behind even more strict firewalls. Ideally servers exposed to the internet are on a different network segment than the internal servers containing even more data.
The greatest threat to ID theft has always been humans. The vast majority of security breaches are from social engineering.
It's OK, I saw a whole load of fun data (like copies of client passports, proofs of name and address) being sent from the US to the UK for processing using that well known data protection technique of a FedEx envelope for the CD-Rs. The Information Security people hit the roof when they heard and insisted on proper encryption. The point is that neither the business nor the IT people concerned had the foggiest idea that there was a duty of care involved.
See my journal, I write things there
As long as we have stupid people who fail to understand that the information stored on the computer is much more valuable than the computer itself, we'll continue to have people throw away stuff like this, store information on unpatched machines, etc.etc.etc.
Therefore, don't deal with a company that employs, or outsources to companies who employ stupid people.
Of course....this is much easier said than done......
"City hall" in German is "Rathaus" Kinda explains a few things......
They should not have dumped the files in /usr/bin, but in /dev/null.
Maybe they got the idea from the airline industry, who in turn might have gotten it from the USA Dept of Homeland Security.
"We are all geniuses when we dream"
- E.M. Cioran
Oh these Microsoft bastards!
If they never existed people would never throw away printed plain-text passwords, never stick access codes on post-it notes to their monitor, and everyone would be immune to social engineering.
5 or 6 years ago my father came down with cancer, and his wife (now ex) took over the regular task of managing the finances of the household, etc. (This was in Wisconsin.) She also took it upon herself to fraudulently clean out his "Federally Protected" IRA, all of his *non-joint* accounts, filed false tax returns, and then ran up tens of thousands of dollars in debt in his name (hiding the statements and records to keep the game going as long as possible). She even bought a $20,000 diamond ring and a Mercedes for herself -- all while my Father was going through radiation treatment and surgery, etc. Finally, the house of cards came tumbling down, the police were notified, and she admitted everything.
The result, 5 years later: We found out that the bank had known this fraud was taking place on his accounts (we have one of their internal documents explicitly stating this), yet they covered this up during the discovery process and only gave it to us years later. She's never been arrested nor paid any restitution for what she did, the "Federally Protected" IRA was never reinstated, and a judge in Wisconsin had my father put in jail for refusing to give her his car, which the judge had mistakenly awarded to both of them during the divorce trial. My father sued the bank and has recovered nothing to date.
Your money is not safe, and no one cares.
2. I treat my personal data like it's already on billboards. Obviously the banks don't care about our privacy, so I try to use services where my personal information isn't needed. Using prepaid credit cards instead of a credit line at the bank, or money orders instead of a checking account, may be the way of the future if banks keep giving away our social security numbers.
The criminals already have all of our personal data. Now we need to act accordingly.
Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.
-Stephen
Sorry but the conspiracy goes much deeper than that. Your (USD) cash is a fEDERAL rESERVE nOTE; which is what?.. A private bank. USD only has worth because the fED says so. It's a private bank designed to rob you of your real income.
So you will have to convert that stash under the litter box to gold if you want to be free from the talons of corrupt banking institutions.
Believe it.
What I would love is for people to be able to bring private prosecutions under the Act. Currently the only person who can prosecute is the Information Commissioner, IIRC, and they seem reluctant to do so. If the average Joe could instigate actions then the banks would have no way of controlling this, save from cleaning their act up and not actually screwing up. Since I bank with two of the offenders, I will be making my displeasure with them felt on Monday lunchtime, and I won't be taking their offer to discuss it in a private room either.
People that don't care about or don't know how to secure their personal data, institutions run by people with shoddy security practices or that just don't give a damn and all levels of government run by people that seem to refuse to use readily available, inexpensive and reliable security techniques and technology.
So I take it that the garbage company is not certified under DPA rules? If they were, then release to them would be OK, right?
Interesting someone should mention that, there's a site that explains why bank charges in the UK are most likely illegal penalty charges and classed as unfair contract terms
http://www.bankcharges.info/
I'm sure UK readers will really enjoy reading the site and sending off those letters to their banks.
In principle, the law is simple: you can only use personal information about people if they are a) dead or b) give you permission to do so. You then have a duty of care to make sure the data is not stolen, etc; and you have to say to the Data Protection Registrar that you are holding personal data.
Actually the law is not that simple really, because of the definition of "personal data", and a whole load of exceptions. Plus there's some other stuff about direct marketing and so on.
Wikipedia:
http://en.wikipedia.org/wiki/Data_protection_act
Full text:
http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm
If only I had mod points :(
I suspect you're being a little harsh on Richard Thomas and his team. If you look at the position statements on the ICO's web site, they're generally very reasonable, and the office does take action against organisations that don't respect data protection and freedom of information rules. However, he has stated that to do the job properly, he would need 3x the team he's been given, and unlike most government empire-builders, I'm actually prepared to give him credit for being realistic there.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
A former manager of mine used to be the IT director at a bank. There, when they upgraded computers, they went out to the dump and had a "hard drive party". They removed the hard drives from the computers before tossing them in, disassembled them, and beat the platters thoroughly with hammers, then frisbee'd them into the hole and watched them be covered up by the dozer.
I was under the impression that banks always were anal about destruction of customer records.
The US Navy has an interesting method also. They have these three-level shredders. The first level does strips. The second level does squares. The third level can best be described as "paper dust"; it's the consistency of fine sawdust. Then they flush that out below decks directly into the water. Good luck getting that back.
I work for the Department of Redundancy Department.
I don't doubt that they are understaffed and overworked, but the simple fact is that there are plenty of cases of abuse of personal information where they simply don't care. They essentially said recently that they will just go after the big guys/cases and the little ones will be left by the wayside due to the staffing problems. They've ignored, it would seem, proven cases of information being sold from both overseas and UK call centres as well, which to me is more worrisome than accidentally leaving information in a bag that's due to go to be burnt/buried. They either need to get more staff and start kicking some backside, or other people need to be able to do it as well.
Okay, why does this get an Interesting-Rating?
As if it was Microsoft's fault that managers came up with the idea that passwords were the culprit in our security problems. Sure, some users have quite weak passwords. That's sub-optimal. But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down. Especially when they have to change it every month.
Happened in my company. Why? Because there's data from the Italian branch of our company on our system. And they require us to have this "security".
I have to remember a shitload of passwords myself. None of them are exceptionally strong and it's hard enough to remember them. How can people expect users to be able to remember such passwords when they have trouble even coming up with them?
Sounds like an excellent argument for the Paperless Office. Yeah, that's not a perfect solution, but it could sure put an end to dumpster diving.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The Chief Executive of the British Bankers' Association was interviewed on the BBC's flagship radio news programme this morning. He claimed that the problem was either: (a) a very small number of rogue employees, or most likely (b) the customers' fault! The journalist doing the interview was rendered close to speechless by this answer. The BBA was upholding a long-established UK tradition whereby banks claim that their systems are infallible, and accuse customers who have the cheek to complain (about, e.g., phantom withdrawals) of committing fraud.
So you are assuming an A+B=C thing
A: roll 60 on a d100 (no save)
B: roll 90 on a d100 (no save) hmm grabbing my pda and doing 5 sets
27 and 50
72 and 17
39 and 62
84 and 29
51 and 74
looks like somebody needs some class bonuses or something
Any person using FTFY or editing my postings agrees to a US$50.00 charge
When I worked at the processing center of a bank, there was one big rule: cash slips (internal documents with no personal info on them that only represent money put into or taken out of vaults) can go in trash, everything else in shred box..... Stupid banks.....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
What would you do in their position? Not going after cases affecting a few people because you only have the resources to pursue cases affecting many people is probably the least of evils, and it's very different to not caring about the cases you can't follow up.
They do need to get more staff if they're to fulfil their mandate, it's true, but it's not like Thomas can just say "OK, I'm increasing the size of this department by 200%" on his own authority.
As you say, the other obvious alternative is to allow the public to initiate direct legal action against those breaching the data protection or freedom of information legislation. I'm not sure I agree with going down the regulatory route instead -- any law where a breaker cannot be taken directly to court by a damaged party has questionable value -- but on the other hand, I can see some sensible reasons for it as well. For example, while organisations should be required to meet reasonable data protection obligations, they're also entitled IMHO not to suffer a "DoS attack by court", where an aggrieved party can file repeated claims against them at relatively little cost, just to keep their resources tied up.
The first line of the summary says that they "face 'unlimited fines'" - doesn't that imply to you that there are laws dealing with this in the UK?
It's official. Most of you are morons.
>>> ... so the banks may well be in for quite the can of whoopass.
Or not. Just look at what the water regulators have done to the water companies that allow their pipes to leak so much that they have to impose hosepipe bans and standpipes in some places ... fined them a tiny percentage of their profits.
A reasonable sum to hurt a bank and make them be careful is going to be about 10% of their profits: 25 million or so for Barclays high street banking I gather (http://news.independent.co.uk/business/news/article346803.ece). You can buy quite a lot of lawyers (and probably politicians, at least in the European Parliament) for that.
I think management should be held to account for such failures as with corporate manslaughter. I predict however that the regulator will either do nothing but make a suggestion ("naughty banks") or fine them something like £50k (twice the annual paperclip bill!).
Interestingly HSBC is the 3rd most profitable UK company (source: http://news.bbc.co.uk/1/hi/business/4303653.stm, one site says they make £1m per hour) yet they don't produce anything! That to me is like paying your richest employee the most even if he does nothing, screwy.
I don't need to be able to quote law to notice that the only businesses in my neighborhood that don't have outdoor trash collection are the banks. Anyone with common sense would avoid a bank that had dumpsters. This isn't a new thing, I'm almost 50, and I've never seen a bank that set its trash outside. Of course, the secure trash truck, I'm not sure where it goes, and I've seen quite a few businesses with so-called "secure dumpsters" out back that were easy to get into for dumpster diving. But, they weren't banks.
If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down.
Requiring special characters, capital letters and such just makes the keyspace smaller and makes it easier to do a brute-force attack on a password. The only somewhat sensible requirement in there is a minimum length.
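The comment above argues about how composition rules change the size of the password keyspace. The following is an added worked example, not code from any commenter, that counts that keyspace exactly with inclusion-exclusion over disjoint character classes and reports the result in bits, so the effect of a given rule set can be measured rather than guessed. The character classes (ASCII letters, digits and the 32 punctuation marks) and the policy names are assumptions for the example.

```python
"""Count the password keyspace under composition rules (added example).

Inclusion-exclusion: the number of length-n strings over an alphabet of N
symbols that contain at least one symbol from each required class R is
    sum over subsets S of R of (-1)^|S| * (N - |union of S|)^n
which is exact when the classes are disjoint (they are here).
"""
from itertools import combinations, product
from math import log2
import string

# Assumed character classes: the 94 printable ASCII characters minus space.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}


def keyspace(length, required, classes=CLASSES):
    """Number of strings of `length` over all classes that contain at least
    one character from every class named in `required`."""
    required = list(required)
    total = sum(len(c) for c in classes.values())
    count = 0
    for k in range(len(required) + 1):
        for subset in combinations(required, k):
            # Strings avoiding every class in `subset`, signed (-1)^k.
            avoided = sum(len(classes[name]) for name in subset)
            count += (-1) ** k * (total - avoided) ** length
    return count


def bits(length, required, classes=CLASSES):
    """Keyspace size expressed as bits of entropy for a uniform choice."""
    return log2(keyspace(length, required, classes))


def meets_policy(password, required, classes=CLASSES):
    """True if `password` contains at least one character of each required class."""
    return all(any(ch in classes[name] for ch in password) for name in required)


def brute_force_count(length, required, classes):
    """Exhaustive cross-check of keyspace() for tiny alphabets and lengths."""
    alphabet = sorted(set().union(*classes.values()))
    return sum(
        1 for candidate in product(alphabet, repeat=length)
        if meets_policy(candidate, required, classes)
    )


if __name__ == "__main__":
    policy = ["lower", "upper", "digit", "special"]
    for n in (8, 12):
        print(f"length {n}: no rules {bits(n, []):.2f} bits, "
              f"all four classes required {bits(n, policy):.2f} bits")
```

Run it as a script to compare an unconstrained 8- or 12-character password against the same length with every class required; the difference is what a composition rule actually costs an attacker who enumerates only policy-compliant candidates.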
No, what they should have done is mulch the paper first and heat-seal the bags.
I wish the sods would dump some of mine, maybe then I'd stop getting the vast number of unsolicited invitations to take out loans, credit cards and various insurance/assurance deals that I do now. One look at my balances and they'd run for the hills!
Democracy is being able to elect your own megalomaniac, a dictatorship cuts out the middle man.