Computer With UK Bank Customer Data Sold On eBay
Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay, and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary Natwest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."
Kudos to him for speaking up rather than trying to abuse the situation.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
If you're dumb enough to make a backup CD and then save the ISO onto the hard drive just in case the hard drive crashes, you're dumb enough to sell it on eBay without wiping it. I suppose this could have been some sort of backup storage server and not the computer that actually contained the data to be backed up, but for that price it's a little unlikely.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
The thief who stole it?
Once again I am reminded of the boundlessness of human stupidity.
2 or more departments in the chain that don't talk to each other.
IT, who removes it from the desk or floor. They are 'supposed' to wipe it. They don't, for whatever reason.
Disposal dept gets a stack of random PCs to dispose of. "IT", according to policy, was supposed to have sanitized them, so Disposal never powers them up to check (doesn't have the time or resources).
Result - PC with sensitive CD still in the drive gets sold.
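The disposal chain described above breaks because nobody verifies the wipe before the box leaves the building. As an added example (not code from the article or from any of the banks named), here is a Python verification step a disposal desk could run over a raw image of each drive: it streams the image, counts non-zero bytes (a properly wiped drive shows none) and flags ISO 9660 volume descriptors, i.e. the kind of backup CD image the buyer found. The 64 KiB sample image, its "BACKUP_SAMPLE" volume label and the function names are constructed for the demonstration.

```python
SECTOR = 2048          # ISO 9660 logical sector size
ISO_MAGIC = b"CD001"   # volume descriptor identifier, at byte 1 of its sector

def scan_image(path, chunk=1 << 20):
    """Stream a raw drive image and report its size, the number of non-zero bytes
    (a wiped drive shows zero) and the offsets of any ISO 9660 volume descriptors."""
    nonzero, descriptors, size, carry = 0, [], 0, b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            nonzero += len(buf) - buf.count(0)
            # Prepend the previous chunk's tail so a signature that straddles a
            # chunk boundary is still found, and found exactly once.
            window, base = carry + buf, size - len(carry)
            pos = window.find(ISO_MAGIC)
            while pos != -1:
                if (base + pos) % SECTOR == 1:   # descriptor sits on a sector boundary
                    descriptors.append(base + pos - 1)
                pos = window.find(ISO_MAGIC, pos + 1)
            size += len(buf)
            carry = buf[-(len(ISO_MAGIC) - 1):]
    return {"size": size, "nonzero_bytes": nonzero, "iso9660_descriptors": descriptors}

def verdict(findings):
    """Pass only an all-zero image; otherwise name the strongest finding."""
    if findings["iso9660_descriptors"]:
        return "FAIL: ISO 9660 volume descriptor(s) present"
    if findings["nonzero_bytes"]:
        return "FAIL: %d non-zero bytes remain" % findings["nonzero_bytes"]
    return "PASS: image is all zeros"

def build_sample_image(path, wiped):
    """Constructed 64 KiB image: all zeros if wiped, otherwise carrying an ISO 9660
    primary volume descriptor at sector 16 (offset 32768), where a real ISO has one."""
    data = bytearray(64 * 1024)
    if not wiped:
        pvd = 16 * SECTOR
        data[pvd] = 1                                # type 1 = primary volume descriptor
        data[pvd + 1:pvd + 6] = ISO_MAGIC
        data[pvd + 6] = 1                            # descriptor version
        data[pvd + 40:pvd + 53] = b"BACKUP_SAMPLE"   # volume identifier (constructed)
    with open(path, "wb") as f:
        f.write(data)
    return path
```

To exercise it, call `build_sample_image("leftover.img", False)` and then `verdict(scan_image("leftover.img"))`; against a real decommissioned drive, point `scan_image` at a raw image of the whole device rather than at mounted files, since deleted files and leftover ISO dumps sit outside any filesystem view.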
How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.
Also, the summary leaves out something that might affect those of us on the other side of the pond:
Bold mine. I know they have different branches for countries and such, but I wonder if any of this data crossed international bounds.
Never mind wiping it, this stuff should never be stored unencrypted in the first place.
I'd charge the pricks a consulting fee for my time. A few grand should cover it. I certainly wouldn't be handing back what is entirely his property; since he purchased it fair and square they have no recourse.
Do that and you go straight to jail, don't pass go, don't collect $200. Your consulting fee will be seen as extortion.
http://michaelsmith.id.au
Oh, crap... I was outbid by £10. If only I knew the content...
Why? He is going to lose the system and runs the risk of being locked up as a thief. I would say you dodged a bullet (unless you are joking).
Some twenty years ago, back when those orange plasma displays were popular, a girl I used to work with said she'd gotten hold of some Compaq portables, and would I want to buy one? She was only asking a couple hundred bucks (I believe they cost several thousand new at the time.) So I stopped by to take a look, thinking I could really use a machine like that. That line of thought lasted right up until the system finished booting and a custom menu appeared with legend of a major national bank across the top. Given the price and the data on them, I figured they were hot (I asked what truck they'd fallen out of) and declined to buy one.
That was then, now we're in the Age of the World Wide Web, and there's just no excuse whatsoever for loading down a portable (read: easily stolen) computer system with vast quantities of confidential data. In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.
The higher the technology, the sharper that two-edged sword.
You might not have seen the video clip with the article [I don't know if it's visible outside the UK] but the guy said he bought two servers; one booted and had been wiped, the other didn't boot. It didn't boot because it was missing its RAM (or the chip was unseated), so anyway, he sorted that out, booted it up and found the data.
Soooo... one wonders if the machine didn't get wiped simply because the various techs could boot it and decided it was too much effort to move the drives to another machine?
In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.
Servers get decommissioned, too. All that protection isn't going to help if they screw up and leave unencrypted data on their drives. Decommissioned hardware may certainly get used again, depending on how it was disposed of. I'm aware of one company that disposes of hardware--they recycle some parts and sell others. (I believe they require their customers to scrub the data before they throw it out.)
For instance, I have a customer in an industry where that would be bad (which doesn't narrow things down, I admit). I was helping them with some server consolidation, and they wanted some recommendations on wiping the disks. I suggested physically destroying the disks. They didn't like that--apparently the disks (and everything else) were leased.
Standards for encrypting the data and for data disposal might help.
I was going to say the same thing. You'd think he would get a premium to encourage people to come forward in the future. If people are worried they'll be under suspicion or have their equipment taken away, why would they do the right thing? The honest ones will trash the data. If other systems were sold off in the lot it may be discovered too late.
Now if I went to them and said "pay me or I'll tell the media what retards your IT security guys are" that's extortion. But since it's already all over the news sites it's not possible to call it extortion.
It's also pretty damn cheeky (and just the thing I'd expect from a bank) to expect him to just hand back his purchase.
This would in fact be an interesting case to test in court as to who owns data when you purchase a PC. No doubt IP lawyers would be foaming at the mouth saying you're buying hardware not software (that might shoot some of their, but then this isn't software but plain data which they didn't license, so he'd have a reasonable expectation that it came with the sale.
If you mod me down, I will become more powerful than you can imagine....
That's a really, really stupid idea. He'd have been thrown in the slammer for sure. He only had 2 options: stay quiet and tell no one at all, or go full-blown public, screaming from the hilltops so that there was too much public attention to risk making him disappear.
I know in the Slashdot world of spooks and big evil government everyone's out to get you and you have to play the paranoid schizophrenic... back in the real world you don't get disappeared for doing the large scale equivalent of handing in a wallet that you've bought from a guy down the pub and found to have someone else's credit cards in it.
Really, go out a bit in the world and relax - your bank manager is a human, maybe you even know them fairly well, and definitely they'll be happy with you for reporting it: the best possible outcome is a bonus for them, and that means more love for you. The worst is that he doesn't believe your story, which is fairly easy to defend to him, his boss, the police or a court given that you have evidence that you just bought the machine on eBay and you've walked right into the bank with the offending kit.
(Now if the documents were national security then you might want to do as this man has done. But you're fairly misguided if you think a high street bank has the power to intern you.)
Extortion for what? He bought the system and all of the items with it legally. By most laws, that data is physically located on his property, and is legally his to do with what he wants. The inadvertent sale is not his fault; it's pretty much akin (I would think; IANAL) to being sold a house with $25,000 in the attic.
IANAL, and I'm on the wrong side of the Atlantic, but TFA mentioned a Data Protection Act. Aspects of it may well apply to anyone in possession of the data. It may well have been stolen property, too. The article gives no indication one way or another, nor did it identify the seller. It could be that no one wants to make an accusation until facts are known.
There is actually very little to go on from that article. The reporter seemed to know little more than that some spokesmen, who didn't seem to know much themselves, had said some PR-type stuff. The reporter even managed this gem:
The Information Commissioner's Office said an investigation would be launched as soon as Mr Chapman had handed the computer in to them.
A spokeswoman said: "We are now investigating this potential data breach...
Beyond the timing, who does "them" refer to? Graphic Data or the Information Commissioner's Office? The article certainly wasn't clear about that, either.
Knowledge is the small part of ignorance that we arrange and classify. (Ambrose Bierce)
Sorry, but I think my need to have companies deeply afraid of losing my confidential information outweighs your need to have cheap second hand hardware for hobby purposes. If the morons have to crush entire machines to get it right, go ahead and crush them.
To be honest, I don't care about your need to buy second hand hardware on eBay cheaply, but I do care about my bank's incompetence at keeping its data secure (I'm a customer of Nat West, possibly soon to be ex customer). If this man had tried either of your suggestions, I would never have known about their stupidity.
You really do need to get a sense of perspective.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe