Computer With UK Bank Customer Data Sold On eBay
Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay, and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary Natwest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."
Kudos for him for speaking up rather than trying to abuse the situation.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
...Really Bad Security instead of Royal Bank of Scotland.
I bought a pair of SGI Origin 200 machines that contained names, credit cards, and enough data to be a real problem for many thousands of people. The labels on the machines listed them as from @home which had closed their doors. I did the dd if=/dev/zero dance and reinstalled IRIX.
Somebody should have set a much higher reserve price.
Once again I am reminded of the boundlessness of human stupidity.
Selling a computer with sensitive information on it without destroying said information is understandable, if seriously negligent and worthy of termination (the employment kind, not the Schwarzenegger kind, although it's a close call).
But selling the backups of that sensitive information with the computer? Who the hell thought that would be a bright idea?
If you're dumb enough to make a backup CD and then save the ISO onto the hard drive just in case the hard drive crashes, you're dumb enough to sell it on ebay without wiping it. I suppose this could have been some sort of backup storage server and not the computer that actually contained the data to be backed up but for that price it's a little unlikely.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I see we have some users from Scotland among us...
Should I have not done that?
Help stamp out iliturcy.
So in the article, they say that they expect him to hand "it" back... does that mean that the poor guy who paid 77£ has to give back the computer for free?
Personally I'd charge a hefty sum to make them get back that computer, just to make them remember that he paid and he was nice enough to tell them.
Oh, crap... I was outbid by £10. If only I knew the content...
How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.
Also, the summary leaves out something that might affect those of us on the other side of the pond:
Bold mine. I know they have different branches for countries and such, but I wonder if any of this data crossed international bounds.
Perhaps they should re-evaluate their slogan of, "Less talk, more action" in their IT security meetings.
I bought a Sun box at Goodwill once and besides an intact customer database for several large companies, it also had the admin's personal backup files, including his "My Documents" folder, his Palm cell phone, and 1200 dpi scans of his passport. Oh, and some file called "passwords.doc". No idea what is in there...
More details here:
http://lfnet.net/blog/?p=41
But yeah... wipe it before you get rid of it.
I was just going to pick up a cheap 1U server for a Mod Project! Now I've no chance! Everyone will be buying up every server hoping for Disks full of Banking details now!! :(:(
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
"Wiping" it is not sufficient.
Do not sell/give systems with storage drives.
Shred them.
Maybe we can find the missing Virginia laptops on ebay too!
slashdot rocks
A deleted file, including an ISO, can live on the hard drive forever in recoverable or partially recoverable form. Criminals routinely buy PCs from surplus and then re-sell the uninteresting ones in hopes of garnering some profit from deleted data - in many cases turning a profit just on the turnaround process. Security researchers do it also, to gain fame and credibility from pointing the finger of shame, which leads to step 3: consulting profit! A PC that's been "quick formatted" and then had an OS installed on it still has considerable valuable data on the "blanked" space - and the valuable user data almost always occupies the space on the disk that would still be blank after an OS install, so it would be easy to find. The correct course for personal data is some low level drive wiping program like DODWipe (a commercial application) or Darik's Boot and Nuke, DBAN (free). These programs overwrite every byte on the disk they can access, but cannot overwrite blocks "marked bad" by the hard drive itself - which is a much lower risk because those blocks are almost never readable anyway. Just using the software is no panacea either. It has to be used correctly.
For a drive that may have had a credit application, job application or similar data on it (even just one) the risk is too great to take chances with. So:
Just handle that data as if it were a level 4 biohazard that would wipe out your company if it were released, and you'll have the general idea. Wiping before chipping or smelting, though, is just paranoid and should be left to the TLA and tinfoil hat types, and swiss banks where disclosure of data is a capital offense.
Are you seeing the irony here yet?
Help stamp out iliturcy.
It's tough to sell a machine with no O/S on it. Most buyers will take one look at the retail price of XP (for example) and subtract that from their eBay bid. Most sellers are unwilling to risk a complete disk scrub and reinstall. Even if they are, it's doubtful that they still have (or ever had) media to do an install on a clean system. The most that the non-tech savvy will attempt is to drag the contents of 'My Documents' to the trash can icon.
This is an opportunity for a Linux distro. Include an easy-to-use boot/nuke/install mode and offer them to people who put systems up for sale on various web sites.
Have gnu, will travel.
That's the bank where Pokerstars keeps their money.
You could have wiped the data and kept things quiet. You could have walked into a local branch and asked to speak to the manager, carrying the drive.
But no. You chose to help ruin the second hand market for machines by going public. It's bad enough that we have WEEE regulations meaning now "give them to hobbyists" is more convoluted, and crappier solder meaning equipment won't last the 20 years it used to anyway (yes, that's right, people under 30, SOME equipment does actually remain useful for that long).
You know what'll happen now? They'll just implement the more secure practices of UBS etc and crush whole machines, when in fact all they would have to do is destroy the drives at worst.
I've had machines ranging from Pfizer and Racal (military electronics) land in my hands with unwiped drives with confidential data, though not through public channels, and I was trusted to "remove everything on the drive" - god knows why the admins didn't wipe the drives on decommission, but there you go. In the Pfizer case, it was as simple as management telling employees "we're getting rid of everything *there* - feel free to take it home", and then an employee totally unrelated to IT passing to me.
But I wasn't enough of a fuck to go to the media about the huge mistake.
bada-boom
[ducks]
I'm going to have to plead ignorance here...nobody told me that this sort of thing was frowned upon.
This is nothing less than bad management.
It should be understood by all involved in the disposal of surplus that a random few samples will be removed from the pallets at the last minute and tested for thorough data shredding outside of their organizational group, and this testing will complete before the surplus is released. It's very important that this testing actually be done. It's more important that this testing is believed to be done. The people responsible for doing the wiping should be trusted members of the team, but information is cash. You audit the cash, don't you?
The correct policy is that if wiping is required and for whatever reason (machine failure, drive failure) the wiping cannot complete successfully, then the platters must be thoroughly physically destroyed by smelting, sandblasting or other certain method. Everyone should understand that indefinite storage is preferable to giving proper wiping a kiss and a promise.
I'm also a big fan of full disk encryption for machines that are expected to handle sensitive data and all notebooks. It's a 1% performance hit. You can afford paying extra for the faster machine for the confidence that there was never any unencrypted sensitive data on the disk to begin with. If you're not using FDE on laptops at this point, you're crazy. No employee has no data on his laptop that is in some way useful or profitable to a thief except maybe junior vice presidents.
So if this happened on your watch, you've failed as a manager. This applies for several levels up from the person actually responsible for wiping the drives.
Help stamp out iliturcy.
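As an added illustration of the audit described in the comment above (not part of the original thread or any poster's own code): pull a random sample of drives from a lot and read each one in full, failing any that still holds non-zero sectors or an ISO 9660 signature. It assumes the wipe was a zero fill such as the `dd if=/dev/zero` pass mentioned earlier in the thread; the function names and the in-memory sample images are constructed for the example.

```python
import io
import random

SECTOR = 512
ISO_MAGIC = b"CD001"  # identifier found in ISO 9660 volume descriptors

def verify_wiped(dev, size, chunk=64 * SECTOR):
    """Read the whole device/image. Returns (nonzero_sectors, iso_offsets)."""
    nonzero, iso_hits, tail, pos = 0, [], b"", 0
    dev.seek(0)
    while pos < size:
        buf = dev.read(min(chunk, size - pos))
        if not buf:
            break
        for i in range(0, len(buf), SECTOR):
            if buf[i:i + SECTOR].strip(b"\x00"):  # assumption: zero-fill wipe
                nonzero += 1
        data = tail + buf  # carry 4 bytes so a signature split across reads is seen
        hit = data.find(ISO_MAGIC)
        while hit != -1:
            iso_hits.append(pos - len(tail) + hit)
            hit = data.find(ISO_MAGIC, hit + 1)
        tail = data[-(len(ISO_MAGIC) - 1):]
        pos += len(buf)
    return nonzero, iso_hits

def audit_lot(drives, k, seed=None):
    """Pick k drives at random from the lot; return (picked, failures)."""
    rng = random.Random(seed)
    picked = rng.sample(sorted(drives), min(k, len(drives)))
    failures = {}
    for name in picked:
        dev, size = drives[name]
        nonzero, iso = verify_wiped(dev, size)
        if nonzero or iso:
            failures[name] = {"nonzero_sectors": nonzero, "iso_offsets": iso}
    return picked, failures

def make_constructed_lot():
    """Constructed sample data: two zero-filled images, one with a leftover ISO."""
    size = 256 * SECTOR
    dirty = bytearray(size)
    # The primary volume descriptor sits 32 KiB into an ISO image and starts
    # with type byte 0x01 followed by "CD001". The stale file begins at sector 100.
    iso_start = 100 * SECTOR
    dirty[iso_start + 0x8000:iso_start + 0x8006] = b"\x01CD001"
    return {
        "drive-a": (io.BytesIO(bytes(size)), size),
        "drive-b": (io.BytesIO(bytes(size)), size),
        "drive-c": (io.BytesIO(bytes(dirty)), size),
    }

if __name__ == "__main__":
    picked, failures = audit_lot(make_constructed_lot(), k=2, seed=0)
    print("sampled:", picked, "failed:", failures)
```

A wipe that writes random patterns instead of zeros would need a different pass criterion than the all-zero check used here.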
I would have reformatted the drive and kept quiet about it, rather than get myself involved. Of course, I'm an American, and I'm terrified of my own government right now, certain that I'd somehow get tarred and feathered for being the one who spoke up.
Learn it, know it. A very simple utility for wiping drives that you can run as a boot disk.
I swear to God...I swear to God! That is NOT how you treat your human!
When I worked for a computer repair shop many years ago, we had a customer bring in a PC with a dead hard drive. It was a Maxtor, and we didn't sell that brand in store, so all we could do was handle the online RMA in their name.
After getting a 'new' sealed replacement drive, I plugged it into the machine and booted it. I forgot to put in the Windows boot CD to run the install. Upon looking back at the screen, the PC was booting into Win2K!! Letting it continue, and checking around, I found that the hard drive belonged to a Ford dealership. It had all sorts of sales and customer information in it.
I called Maxtor and explained the situation, more upset about receiving a used drive as a replacement. They informed me that it's standard practice to issue refurb drives for warranty replacement. And, it's common to receive 'failed' drives as warranty returns that have nothing wrong with them. They just wipe them, and send them back out as refurb. I got one of those drives. She told me there was nothing they would do, unless I wanted to do another RMA, and pay shipping to return the drive.
Just like Paul White, a New Zealander who, in the early '90s, bought a used computer full of highly sensitive Citibank data, which included information detailing some major tax fraud, as well as stuff linked to the NZ Security Intelligence Service.
White was just a two-bit Computer Broker-wannabe who tried to gain financially from the situation by ransoming the data back to Citibank. Very soon after acquiring the data and offering it back to the bank for a price, he died in a highly mysterious car accident, one which still remains unexplained and uninvestigated.
I found a stack of customer record printouts with names, numbers, addresses, financial info, and SSNs in a house I bought just this year.
..I also found the former owner's hidden pot grow equipment.
OK, I have to pipe up on this one.
I've previously worked a few freelance tech gigs at RBS and the one thing I can say with certainty is that their internal security is extremely tight. Tighter than anywhere else I've worked in my time. The fact that anything gets done, EVER, is a minor miracle in the face of the mountain of red-tape, security, bureaucracy and general faffing with sign-offs and corporate governance that is needed to do pretty much anything.
So, I'm going to pipe up on behalf of RBS, your honour... :-)
Thing is, one thing I categorically don't believe is that the responsibility for handling customer data like this would fall to one individual without direct accountability. Knowing RBS, there would be forms to fill in, checks made, audits done and any handling of customer data would need to be signed off at a high level, and would be entirely traceable. Which is to say that if there's a breach, I don't think it's likely to be a break-down in procedure.
Now, you might laugh about this, but I know how many hoops I had to jump through to get things like dev rights on a developer box ("so, let me get this straight, sir, why do you need to be able to write to the C: drive?" - that sort of dumb thing) so I really doubt that a half-wit in marketing or HR or whatever would be entrusted with such data. It is kept under lock and key and it would certainly be VERY UNUSUAL to be allowed to make a cd copy of customer data. To do so would require sign off from Very Senior Management (at Director level), and hence visibility at EVERY STAGE and accountability for EVERY ACTION would be enforced with *GREAT RIGOUR*...
So my money is that this isn't what it at first appears to be - it could be the case that this is something else and the press have got the wrong end of the stick.
Or maybe I'm wrong. Often am, you know... ;-)
... maybe.
In the UK, of course, the government distributes your information to everyone by USB key ;-)
Srsly, the Information Commissioner is getting very shitty about this sort of thing and seriously talking about prosecuting government departments (i.e., senior civil servants) for data breaches. You can be sure a few private companies will make good notches on his Clue Gun.
http://rocknerd.co.uk
IANAL... If he bought the system, does he now also 'own' the information stored on it? Presumably not since it was not what was offered and what was presumably paid for in the transaction, but still... could there be a case here?
Yes and it's still being covered up today. That's why we've modded you -1. :)
He's a computer tech, and bought 3 systems at an auction, to fix up and resell.
Every one of them booted up to Win2K, every one of them had enormous amounts of customer data for a local branch of a large stock/securities brokerage -- people's names, social security numbers, account numbers, account contents, you name it. The mother lode of high-$ personal information.
He said that what really worried him was that his sample size was 3 out of 3 computers he'd purchased, all loaded with personal information, but there were over 100 other computers being sold at the same time.
My company doesn't let an old computer leave the building with its hard drive. The hard drives are taken out and a hole is drilled through them, then they sit in the IT guy's office until there are enough for a shipment back to corporate headquarters, where they're all melted down.
Nostalgia's not what it used to be.
You have a link? I can't find any reference to it on these here internats.
Bullish Machine Tzar
If you pay attention to the news reports it gets a little bit more worrisome. The laptop didn't come from the RBS. It came from the company RBS uses to archive data.
Legally the bank is in a rotten place (actually, the contractor even more so). If this was original data someone would have missed it by now given the volume, but it is a copy. He bought the system as-is, so he did not establish a provable record of intention.
He has been honest in reporting the find, but the fact is that the hardware is still his. If the bank wants to do ANYTHING with that data they will have to compensate him, and the nature of that compensation is very much a matter of debate.
It's a difficult balance, though. The bank can't be too happy with the disclosure, but to get it out of the media spotlight they can't wait too long either. He shouldn't give it to them for free (IMHO), but he can't be asking too much for it either. If I were the bank I'd give the guy a brand spanking new top-of-the-line system in exchange - the bank buys it cheap and the guy gets a lot of kit for his ebay spend.
However, there is at least one happy party here, they must be thanking the bank on their knees for taking over the headlines..
Insert
Encryption must be dead. I mean, if even banks don't think to routinely encrypt sensitive data, what hope is there?
Surely it's not that hard to get into the groove of encrypting stuff like this? I would have thought that by the year 2008, all servers, however mundane, would have their drives encrypted to at least remove the possibility of them turning up on eBay with their data hanging out.
Yes, encryption won't protect from an inside job, and yes, most people forget passwords and put them onto stickies, but beejus - just having real serious personal data lying around in plain text all over the place is hopeless. Come to think of it, the news report said they were scans of balance transfer applications, so that means the hard copies could even now be being tossed into a garbage truck and strewn around town on the way to landfill.
Sigh.
"And the meaning of words; when they cease to function; when will it start worrying you?"
They go to the crusher.
Problem solved.
qz
I read in Scientific American that a researcher bought 100 hard drives off eBay. After he checked them for data, he found that one of them had been in a supermarket's MAIN COMPUTER BANK and had recorded THOUSANDS of credit card numbers. Another had been in an ATM and had recorded MILLIONS of credit/debit card numbers and PINs. How stupid are these companies?