Bank Goofs, and Judge Orders Gmail Account Nuked

An anonymous reader writes "The Rocky Mountain Bank, based in Wyoming, accidentally sent confidential financial information to the wrong Gmail account. When Google refused to identify the innocent account owner's information, citing its privacy policy, the bank filed in Federal court to have the account deactivated and the user's information revealed. District Judge James Ware granted the bank's request, with the result that the user has had his email access cut off without any wrongdoing or knowledge of why." The Reg's earlier story says, "Rocky Mountain Bank had asked to court to keep its suit under seal, hoping to avoid panic among its customers and a 'surge of inquiry.' But obviously, this wasn't successful."

G-Mail?

[SeaFox]

Why is the bank sending sensitive customer information to an email account hosted by a provider known for rifling though it's user's emails for information?

Re:G-Mail?

[wizardforce]

why is the bank sending customer information through email at all? why is the bank not encrypting all sensitive customer data? answer: because they haven't been forced to do so. Everyone whose information was leaked to this account should sue them right into the ground. It's been far too long that banks carry little responsibility for other peoples' data and it's time they start.

Re:G-Mail?

[FrozenGeek]

Because the customer in question gave the bank a gmail account and said "send me information via this email address". Do you really think that your ISP-based email address is any better than gmail? If so, could I interest you in some waterfront property in Florida? Seriously. Unless the contents of the email is encrypted before it is sent, assume the whole fricken' world (with lasers,even) has access to it.

Re:G-Mail?

[SeaFox]

Because the customer in question gave the bank a gmail account and said "send me information via this email address".

The bank is worried about a panic amongest it's customer base. So they obviously sent informtaion on a large number of their customers, that tells you the person requesting the info was not a bank customer but another financial institution or a company they contract with of some sort. These type of recipients are going to have their own domain names and mail servers running on them, so there's no reason the email should have been addressed to a gmail account to start with if it dealt with official business.

Re:G-Mail?

I work as a supplier to the banking industry.

I'll tell you why they do this, they are outright fucking dumb. That's basically it. If the IT guy knows about encryption, he has no power to make it happen, but most of the time he's barely able to type let alone do IT stuff.

Banks just don't pay for shit unless you are a VP or own the place, so they get the crappiest IT help.

"Due diligence" means "cover your ass", and has NO OTHER MEANING in the banking community. Everywhere else it means "make a good effort to do the best you can to the spirit of the task".

Granted, this breech is considerably dumber than average, but of the banks I have worked with, every single one of them at one time or another had some sort of institutional problem understanding and implementing some of the most basic data safety measures.

The Feds have been much more pushy about it recently, so it will improve. And a lot of the old guard is finally dying off, and you'll see bank leaders that have had more than "type this letter" (to the secretary) experience with computers.

Re:G-Mail?

[geekboy642]

Actually that's not what happened.

On Aug. 12, the bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address.

That's a lot of very confidential information. No bank customer has the need or right to see anybody else private information, let alone 1299 of them. And you are a moron for thinking this was about somebody's bank statement going to the wrong address.

Re:G-Mail?

[easyTree]

"Due diligence" means "cover your ass", and has NO OTHER MEANING in the banking community.

Surely that doesn't need to be explicitly stated - after all this is the industry that has destroyed millions of family's lives whilst receiving payouts from governments and still paying their people massive bonuses. I guess they have the cream of the crop though, when it comes to staff skilled in screwing-over the ordinary person.

Re:G-Mail?

[Tony+Hoyle]

The idea that that kind of information can even be extracted from the system without a damned good reason and permission signed from the VP in triplicate scares me - are banks *really* that insecure that they let any dumb fuck with a gmail account extract the customer list and mail it to someone? Apparently they are..

Re:G-Mail?

[Beezlebub33]

When the families are told by the bank that they will be able to repay the loan and are given very low initial rate, AND the bank knows they will not be able to pay it back, AND the bank knows they will bundle it up the mortgage and sell it off, AND regulators that actually promote this THEN you have banks that are evil, greedy bastards, and you have families that are stupid, and a government that is incompetent, greedy, and stupid.

No, it's not his world view that's fucked up, it's the world.

Re:G-Mail?

[michaelhood]

The families who took the money were on the edge of desperation - looking for any way out.

Say what?

I could have purchased a home in 2003 on an interest-only mortgage with all the other idiots, but I knew that I wouldn't be able to afford the payments once they included the principal.

Was I on the edge of desperation because I was *GASP* forced to keep renting?

Re:G-Mail?

[easyTree]

You appear to have accidentally hit the nail on the head.

Well done.

Re:G-Mail?

[MicktheMech]

Securitizing the mortgages alone is not evil. The problem was that those bundles had been valued based on model built using historical data. When a lot of banks started buying up mortgages to put in these bundles the guys arranging the mortgages significantly changed their behaviour in order to get more. That change in behaviour (salesmen becoming writing much more shakey mortgages) invalidated the model used to value them, so the banks bought stuff for a lot more than it was worth, leading to the credit crisis.

You can call people evil, greedy and stupid all you want, but that's not going to get your money back and it won't prevent it happening again. The key problem here is that the banks broke the First Rule of Engineering, they trusted a computer model and thus failed to scrutinize their purchases properly. The government allowed them to make these purchases without proper due dilligence, the salesmen sold mortgages they knew would likely end up in default and the families took out mortgages without a plan to pay it off.

If you think those lapses are greedy, evil and stupid, then fine. However, the morale of this whole credit crisis and subsequent recession should be: If it's important, hire an engineer to do it.

Re:G-Mail?

[Achromatic1978]

The families who took the money were on the edge of desperation - looking for any way out.

No, they weren't. Most people who took out low rate ARM mortgages in the early mid 2000s fell into several categories: the ignorant, ill-informed (maliciously or otherwise), or my favorite, seduced by TV networks who made "flipping" a property seem a guaranteed way to make hundreds of thousands of dollars a year. The waves of people I've seen on those shows, even now, who seem to think that anything less than $100,000 profit on a purchase, some renovations, and a six month turn-around is unacceptable is staggering.

Even now, watch the very vast majority of those shows, particularly the ones where people do renovations, and have before/after valuations. "You spent how much on your new kitchen?" "$15,000" "Great, you just added $30,000 value to the home. Now, how about the bathroom?" "We spent $8,000 in here." "Excellent, looking around, I'd say you added $20,000 to the value of the home", and so on, ad nauseaum. Add this up, and you have, in my view, a hidden culprit, along with the RE agents who were pretty much as a whole in lock-step with these mantras pushed by TV onto their clients, of the housing bust.

That $23,000 you invested in the home is only worth $50,000 if you can find the one born every minute to sell it to. Eventually, that got so outrageous, and so out of tune with reality, that people realized they were paying $50,000 for $23,000 of renovations on a home by a "flipper", and balked. And down came the house of cards.

Sooo hang on...

...if a judge in, say, Korea granted the same request to have a gmail account blocked, an innocent user in, say, Germany would loose his email...even if that email contained confidental and critical information to be used by its owner...this is quite pathetic and something should be put in place to stop these low level distric judges making decisions that could affect users across the globe.

Re:Can the Poor SOB sue for damages?

[grahamwest]

Sewing for damages?

Fear the giant quilt of redress!

IMAP

[pushing-robot]

At least Google offers free POP and IMAP access, so it's trivial to back up your email locally. I'd still be pissed if something like this happened to me, but Google isn't to blame.

Re:IMAP

[Naturalis+Philosopho]

You're right Google isn't to blame in this case. Not given the fact that the judge could have told the bank to suck it up, transfer the account to new numbers, and pay a fine to their customer for failing to live up to their security responsibilities. Instead he decided to punish the innocent people in this case. The bank screwed up, the bank should be held accountable. Anything less is yet another miscarriage of justice.

Re:IMAP

[easyTree]

Perhaps you've not realised yet but banks aren't held responsible for their actions....

Re:IMAP

[LordNimon]

but if a bank suddenly sent me 1,300 account's financial information, and then sent me an email telling me not to open it,

How would you feel if both of these emails ended up in your spam folder? You would not have noticed anything at all, but then suddenly, your account would be gone.

Re:IMAP

[Pieroxy]

Yes, someone has the problem of their account being deactivated. This sucks. But, imagine, for one moment, had the opposite happened. Say, for instance, the judge ordered to bank to change the numbers of the 1,300 accounts, resulting in 1,300 people having to change their financial information on all documents relating to those accounts. I'm not sure if you've ever had to do this, but it can take months for the changes to finally take hold on everything from direct deposit accounts to credit cards and Paypal accounts. Assuming that everything worked out correctly, that is. Granted, if they were wise, the customers would be doing this now themselves.

Your point is to say that annoying one person is better than annoying 1300. It may be valid, but for the fact that the person in question didn't do anything wrong, he was just a bystander. Those 1300 people would have been annoyed to hell, and I hope they (some of them at least) would have gone to another bank. This would have been a (albeit small) step in the right direction though. Closing a gmail account is just hiding the horrible truth. Which may not change anything anyways since the gmail account owner may have downloaded the file in question for days.

As far as the person being innocent, if you read the article, the bank sent an email to this account asking the recipient to destroy the file without opening it. The email account holder did not respond at all.

Being on vacation equates having a suspicious behavior !!??? Noone has any obligation to read one's email every f***ing day !!!

I'll stop there. You clearly prefer the workaround instead of having the *stupid* bank assume their very own *stupidity*. As a result they won't be a bit more careful next time, and maybe 1000 gmail accounts are going to be deactivated. Or gmail itself...

Re:IMAP

[dangitman]

Personally, I don't see this as being a problem. The account holder refused to respond to the bank, which, had they done so, something could have been done to avert their account being deactivated

Would you respond to an email from some bank you've never heard of talking about highly important account details, rather than just deleting the email immediately? Furthermore, what modern spam filter wouldn't automatically filter out an email claiming to be from "Rocky Mountain Bank" and talking about account details? This is exactly the kind of email that security-conscious users should be avoiding like the plague.

Re:IMAP

[Todd+Knarr]

I don't know about you, but if a bank suddenly sent me 1,300 account's financial information, and then sent me an email telling me not to open it, I would be sending an email, calling, writing a letter, anything, because if something happens later to any of those accounts, I'm going to be one of the first people looked at.

If it were me, I wouldn't be doing any of those things. That's because I'd've deleted the initial e-mail without reading it. An e-mail purporting to be from a bank I've never done business with is either a) an advertisement I'm not interested in, b) a phishing attempt I don't want to even look at let alone respond to, or c) information I don't need and don't want. Regardless of which it is, I've no need and no reason to even look at it, so into the bit bucket it goes. And why not? I'm under no obligation to read random correspondence someone else wants to send me, just like I'm under no obligation to read that wad of advertising flyers that show up in my mailbox every day.

Spam

[mwvdlee]

If I get e-mails from banks that I have no relation with, it is usually spam and gets instantly deleted.

Perhaps that's why the recipient of the bank's private data didn't respond to any of their e-mails.

Also, why is a bank sending it's customers' private information over an unsecure connection (e-mail)? Wouldn't the bank be violating security rules even if the e-mail address was correct?

Re:Spam

[BitterOak]

If I get e-mails from banks that I have no relation with, it is usually spam and gets instantly deleted.

Perhaps that's why the recipient of the bank's private data didn't respond to any of their e-mails.

Or maybe the mailbox holder was simply on vacation? Is there a legal obligation to check your inbox on a regular basis? (There's a reason legal papers aren't sent by e-mail.)

Re:Can the Poor SOB sue for damages?

[The+Archon+V2.0]

Sewing for damages?

Fear the giant quilt of redress!

Say what you want, I know a few people in the banking profession I'd like to stick a needle into over and over again until I've turned an unwanted hole into a nice compact knot of thread.

I hate analogies, but...

[BitterOak]

Wouldn't this be like having a package wrongly delivered to your house (through no fault of your own: the sender had the wrong address), and since it contained highly confidential information, a judge ordered your house to be burned to the ground? (Okay, that's a bit extreme, but you get my point.)

Re:I hate analogies, but...

Actually, your scenario kinda-sorta happened to the Mayor of Berwyn Maryland. A scam where drugs are shipped to a random (innocent) person, to be taken later from the porch by an accomplice. In this case, brain-dead police investigators and a swat team charged into the innocent man's house, shot his dogs, and arrested him, his wife, and his elderly mother. He still awaits even an apology for the horrifying incident. There is very little actual 'justice' in the justice system.

http://www.washingtonpost.com/wp-dyn/content/article/2008/07/30/AR2008073003299.html

Re:I hate analogies, but...

[internic]

Trust me, if you were more familiar with the incident you'd probably agree with the "brain dead" description. Several points:

1. Police apparently already suspected there was one of these mail drop operations (where packages were shipped to an innocent person only to be swiped off their porch), so they knew the package was likely not for him.
2. Rather than having some officers come to the door, they had a SWAT team break down the door unannounced, shoot the dogs (at least one of whom was simply running away), and cuff the residents on the floor (where they remained for several hours). The quantity of drugs (30 lbs of marijuana, IIRC) was such that it could not quickly be destroyed, and they had no other reason to think they would encounter violent resistance. Which brings us to the next point...
3. They did no preparatory research. They did not even know who lived there. The officers on scene did not believe he was the mayor (which they would have known if they'd done even a Google search). What this says is that they simply deployed maximum force (maximally endangering everyone in the house) rather than any reasoned approach based on the likely resistance.
4. Police entered without first announcing themselves. This requires a "no-knock" warrant, which they did not have.
5. The package actually sat on the front porch for the better part of the day. The guy even walked his dogs when he got home before taking the package in. That should have been a tip-off that he didn't realize it contained >$100k of drugs.

Basically, they did not take a reasoned approach but simply used maximal force, thereby terrorizing and endangering the innocent. Moreover, their sloppy police work quite possibly would have allowed him to get off even if he had been involved. They certainly should have investigated, but they way they did it was utterly irresponsible.

Your analogy is flawed for a number of reasons: First, arresting someone in their car is considerably less dangerous (to everyone involved) than breaking into someone's house unannounced and firing shots. Second, murder is considerably more serious (and suggestive of suspect resistance) than drug trafficking. And third, it's unlikely that an individual would be victim of a body dumping scheme while it's trivial to mail someone a package with something illegal in it.

So...

[tnk1]

...wait. I mean, the account holder at this point has probably seen and done any damage that they are going to do with this information. How precisely is this going to help the bank's cause?

Of course, the account may be inactive and they may well have gotten to it before the person who owned it logged in again, but I do have to wonder why it is the recipient's problem that the bank sent this information. If the bank sent me that sort of information in the mail, does that mean that the county can order my house burned down to make sure I can't read that mail, even though I probably have already read it in full?

These decisions make no sense to me sometimes and it scares me because for some things I use only one email account and if my contacts disappeared, I might not be able to find some of these people again easily. I guess it's time to start backing up all my account data to my home machine by default.

This is yet another strike against "cloud computing" taking over. If they can order your account just plain zapped because a bank fucked up, I don't see how anyone's data is safe. At least if you had it stored at home or at work on your own machine, you'd at least know what the hell happened to it.

Why deactivated?

[FrozenGeek]

The bank requested the user's identity. Google refused to provide it. So then the bank goes to court not only to get the user's identity but to deactivate the user's account. I'm missing the logic. Okay, maybe the bank fears that enough time has passed that the user has seen the errant email and wants to prevent the user from misusing the information. Now, that might work if the user does not have a local copy of the email. On the other hand, if the user has a local copy and is now angry at the bank for having had their gmail account shut down, the user, who might otherwise have done nothing, now has both the means and the motive to do something. Good move. Wouldn't it have been possible for Google to contact the gmail user and ask him to delete any local copies? And Google, presumably, could have deleted the email from its own servers. I like Google's policy of protecting user identities. But this whole mess sounds like two bureaucrats blindly following policy to the detriment of the end-users. Can't anyone think anymore?

Re:Why deactivated?

[Baricom]

Here's what Rocky Mountain Bank should have done. (I refuse to allow them to be anonymous because that's clearly what they want, and they should be held responsible for their mistake.)

1. They should have e-mailed the 1,325 customers that had their data exposed.
2. They should not have sued Google in an effort to get the e-mail deleted.
3. They should not have tried to seal records in a lawsuit they filed to fix their mistake.
4. They should have trained their employees to understand that recalling e-mails doesn't work more often than it does.

Had they done this, this would not have been international news, and probably not even local news.

Re:Why deactivated?

[Dhalka226]

The better question is this:

How the hell did the bank even have standing to sue anybody? What wrong was done by anybody but them? How do you file, much less win, a lawsuit seeking to punish somebody who did nothing but receive an email you should never have been sending in the first place? How is it this man's legal responsibility to help them clean up their own fuck up, and how is it Google's legal responsibility to help the bank do so? What statute gives this judge the authority to destroy a third-party-to-a-fuck-up's email account because he didn't see fit to respond to an email he may not have even thought was legitimate? That's exactly what this ruling is saying; that this man somehow did something wrong by not helping the bank and he deserves to have his email account and potentially years of historical contacts lost.

If I were this guy, I'd sue this bank for damages (and unfortunately, since I'm not even a party to the fucking lawsuit that unfairly harmed me I'd have to sue Google for an injunction against complying with the previous order). Big time. It's this kind of thing that makes me wish we could directly sue a judge for the idiocy of his decisions. Their total lack of accountability is reprehensible.

Re:Can the Poor SOB sue for damages?

[similar_name]

Also having a moment of gratitude that I don't use gmail.

What email do you use that would disobey a judge's order?

Re:Can the Poor SOB sue for damages?

[K.+S.+Kyosuke]

His own server, perhaps?

Re:Redirect the evil!

[cheftw]

and I will backfire badly

:?

It's not like it coud have been a typo, you capitalised it.

Is this some new americanism?

Re:First Amendment?

[causality]

No. The First Amendment does not entitle you to use any particular medium. It only protects the content of your speech, and even then, there's a lot of content that's still regulated (fraud, libel, obscenity, copyright infringement, etc.).

Authoritarian types just love arguments like this. That obvious intended meaning is a pesky thing to them, so to deal with it they created the ingenius device of separating the text into two concepts: the "spirit of the law", which they have made into something they can disregard whenever convenient, and the "letter of the law" which they can carefully examine to find any needed loopholes (incidentally, the same tactic was used when "freedom," a holistic concept, was split into "economic freedom" and "personal freedom"). That argument you are making is like a path, and I will give you a perfect example of one of that path's many destinations: free speech zones. The "logic" behind them is that the 1st Amendment guarantees your right to free speech, but does not specify where you may exercise this right. So, the free speech zones are located where the impact of contrary opinions can be most effectively minimized. Result? "Get with our program, or be censored, except we won't call it that."

Of course, for the free speech zones, they COULD decide that because the Constitution does not specify the specific locations to which the INALIENABLE RIGHTS it enumerates should apply, then obviously any fool can recognize that it's intended to apply throughout every last crumb of American soil. But, that would mean you can't use clever tricks to censor people without having to call it censorship, which is why such a concept is frowned upon by authoritarian types and other would-be tyrants.

Sure they can. They can sign up for another email account, say from Yahoo or Hotmail, or even another Gmail account. They can post on newsgroups and message boards. They can use the telephone, write a letter, or stand on the street corner with a sign and a megaphone. Just because they can't use one particular email account doesn't mean they're unable to speak.

Don't kid yourself. Massive injustices usually start out very small. If it's now considered okay to make you suffer in any way, however minor or however great, for the actions of a third party over which you have zero control, then this system is already terminal, we just don't know it yet. The entire concept is diametrically opposed to all of our notions of due process, the right to confront your accuser, the presumption of innocence, you name it. To fully support this ruling without being a hypocrite you would first have to throw out centuries of American tradition and jurisprudence. I for one am not prepared to do that.

In summary, this is a step in the wrong direction and the fact that a bank might suffer a little inconvenience due to its own damned screw-up is emphatically NOT a worthy reason to support it.

Re:Redirect the evil!

[Dan541]

The owner of the gmail account should be able to sue the bank for damaging their business.

Re:Can the Poor SOB sue for damages?

What email do you use that would disobey a judge's order?

His own server, perhaps?

What makes you think that you won't arrive home to find that all of your electronic equipment has been confiscated?

Re:Redirect the evil!

[mpaulsen]

"Every one should email the bank banker@rmbank.com to ask them of their shady practices." No. Everyone should email some personal information to banker@rmbank.com, then insist that their domain be shut down.

Inflation

[Billly+Gates]

There is a debate between economists on whether inflation should just include the price of products excluding food and energy or should it include housing and health insurance. Both housing and insurance have trippled since the late 1990's. Sure on paper it looks like you make the same but a $175,000 home in 1999 costs $350,000 even during the recession. Suddenly $55,000 a year is not worth jack in most metropolitan areas even if prices do not necessarily show it.

If you health care costs were put in the inflation equation with housing we would see a totally different side of economics that economists should have prevented if they only knew.

Something does need to be done.

Re:Redirect the evil!

[KreAture]

Oh no! You must not do anything that could cause your email to end up in those idiots contact-lists.
Next time they may send something to YOUR account! Then you can kiss your account goodbye.

Come to think of it, that is a great way to get rid of a person online. Just get him on that mailers list and the court will shut him out for ya.
The worst thing is, now there is precedence in such a case so the next one is just blind copy/paste. Thow won't be abused. Surely not. The world is not that evil.

Re:There is no such thing as health insurance

[erroneus]

Have you looked at the cost of "every little thing" on the list of charges from an average doctor's visit? Even the most trivial item or service is ridiculously expensive.

It would make plenty of sense to cover oil changes, tune-ups and brake jobs if the cost comparison were similar to what you see in medical costs. An oil change costs anywhere from $10 to $25 out where I live. Brake jobs can range anywhere from $50 to $150 for basic stuff. If a doctor visit cost that and included anything other than an examination, that would be terrific. And if the cost of prescriptions were somehow less than the price of 4 cans of motor oil, I'd be right there with you. But that is simply not the case. Drugs are ridiculously expensive. (When my youngest was an infant and was experiencing some severe allergies, the doctor prescribed a ridiculously expensive tube of something that cost over $100 at the pharmacy! I bought it but my out of pocket was like $50 versus $10-$15 because my insurer didn't want to cover that drug.)

If people don't need their medical stuff all the time, they wouldn't need to be so concerned about it. But when a medical problem arises, it often involves months if not years of continuous treatment all on the same scale as I have been describing... expensive drugs, expensive office visits, expensive procedures, expensive tests. And people who are well insured are still getting hit hard because the cost of the insurance is still prohibitively expensive.

I consider myself lucky. I don't have any medical problems. My wife and children don't either. That is really fortunate. But there are lots of people who aren't so fortunate... lots. And it does often cost people their homes because it often comes down to completing medical treatments or paying the mortgage. Insurers drop or deny coverage QUITE often which is yet another talking point in favor of healthcare reform.

I get the feeling you simply don't understand what healthcare costs really are because you haven't really paid any before.