Slashdot Mirror


Hundreds of Bank Account Details Left In London Pub

twoheadedboy writes "Another day, yet another data security failure. Two companies have been found in breach of the Data Protection Act after tens of thousands of tenants' details were left at a London pub, alongside 800 records with bank account details. A contractor who had stored data from two different companies on an unencrypted USB drive was responsible. We've all lost things on a night out, but rarely is it other people's banking information. The two firms involved have been told to get a grip on their security procedures, but they escaped a fine from the ICO."

18 of 92 comments

  1. Not even a fine? by captainpanic · · Score: 5, Insightful

    Companies are legal entities that can get away with far too much!

    The police can usually be quite creative when it comes to punishing people when they do something stupid on a night out. There are vague concepts like 'public disorder' or 'disturbing the peace' which allow them to lock up someone for at least a night. Can't they apply that to a company that gets drunk? Close it down for 12 hours until it's sober again?

    1. Re:Not even a fine? by Bert64 · · Score: 5, Insightful

      But the point is that if you were caught doing 10-20mph above the posted limit you would almost certainly be punished for doing so...
      Whereas many corporations are caught doing illegal things, and simply aren't punished at all.

      There's a difference between simply not being caught, and being caught but let off with little or no punishment. The fact we hear about something in the news means they've already been caught, how many other crimes go undetected?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Not even a fine? by captainpanic · · Score: 4, Insightful

      A 100 euro fine is normal for a person making a relatively minor mistake... like doing something stupid while drunk, or speeding 10-20 mph.
      100 euro is 0.25% of a regular annual income of 40000 euro/year...

      I'd like to see a big business take a fine of 0.25% of the revenue (revenue, not profit, obviously) for relatively small mistakes.
      Take British Telecom (mentioned earlier in this thread) for example: A revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
      And that's for small mistakes.

      It would certainly bring an extra incentive to be careful.

    3. Re:Not even a fine? by bkpark · · Score: 2

      Take British Telecom (mentioned earlier in this thread) for example: A revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
      And that's for small mistakes.

      Revenue is the wrong number to use. Use the percentage of earnings (or, if not actual reported earnings, at a minimum, revenues minus expenses directly related to generating those revenues), which is more comparable to a person's salary. You should arrive at a figure in the millions or hundreds of thousands, and guess what—that *is* what corporations get fined rather routinely when they do something bad and do get caught (this isn't to say they always get caught when they do something bad, but for that, I go back to my original point).

    4. Re:Not even a fine? by GaryOlson · · Score: 3, Funny

      Such dreary and damning words first thing in the morning.
      I need to go to the pub for breakfast and beer.

      --
      Every mans' island needs an ocean; choose your ocean carefully.
    5. Re:Not even a fine? by Andrewkov · · Score: 2

      Don't leave your USB drive there..

  2. more details by rbrausse · · Score: 4, Informative

    the BBC article has some more depth (and the site is _much_ faster...). the most interesting sentence is "The memory stick was handed into the police on the weekend of the 5th March and safely retrieved." (emphasis added)

    why did it take 5 months to disclose the data breach?

  3. Re:Why didn't they get a fine? by Dunbal · · Score: 2

    Not only did they not get a fine, the contractor's name hasn't even been published so we have no idea who it is. Lewisham Homes and Wandle Housing are the names of the companies whose clients' data was leaked. But the name of the contractor responsible for the breach has not been released. So you could end up hiring/contracting this guy.

    --
    Seven puppies were harmed during the making of this post.
  4. Re:Why didn't they get a fine? by xaxa · · Score: 4, Informative

    The article says "The ICO will only enforce a monetary penalty when it believes there has been noticeable damage to affected parties."

  5. The ICO is useless by Heed00 · · Score: 4, Informative

    The ICO has failed time and time again to bring sanctions against infringers. Hell, BT tapped hundreds of thousands of its customers' internet connections and never was sanctioned by the ICO or brought before a court to answer for its crimes. The ICO seems to take the attitude that the offenders just simply made a mistake and can't we just forget about it as we're sure they are sorry now -- they took action in just over 1% of cases and levied fines far less than that:

    ...the ICO acts on just 1.4% of data breaches and only fines 0.15% of offenders.

    http://www.techwatch.co.uk/2011/04/22/ico-penalises-less-than-1-of-security-breaches/

    --
    Thought thinks itself.
    1. Re:The ICO is useless by Rich0 · · Score: 2

      Yup, if everybody gets one free warning and the risk of prosecution is low to begin with, then there is virtually no incentive to not commit a crime.

  6. Re:It's clear what the problem is by Sulphur · · Score: 2, Funny

    Reminds me of the other story of the memory device left in a pub.

    Clearly, pubs are dangerous places. Let's close them all down.

    That was meant ironically, for all of you tards on /. who see a troll under every bridge.

    Lost your memory in a pub? I thought that was why one went there.

  7. Re:No, we haven't by itsdapead · · Score: 2

    I can't think of any other country with as many stories of the form "restricted-access data from XXX was left in a pub by a contractor/employee with company/agency YYY".

    I know it's not exactly a USB stick with bank details, but other nationalities do quite famously leave things in bars that they probably shouldn't.

    Maybe it's just that the British press covers this especially aggressively,

    Ding!

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  8. We got our priorities straight here... by SeaFox · · Score: 3, Insightful

    Lose a prototype iPhone?
    Men come busting in to search the apartment of the guy who buys it.

    Lose a USB drive with 800 banking records?
    A stern talking-to, but no fine.

    1. Re:We got our priorities straight here... by david_thornley · · Score: 2

      Another difference: losing a USB stick doesn't usually involve claiming "I COMMITTED A FELONY!" on a very widely read blog. Do not taunt Happy Fun Police Officer.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:We got our priorities straight here... by Cederic · · Score: 2

      Lose a prototype iPhone: Get into shit at work
      Lose a USB drive with 800 banking records: Get into shit at work
      Sell someone else's property: Get investigated for receiving stolen goods, money laundering, etc.
      Hand in USB drive found in pub to police: Get thanked.

      I'm not seeing any major issues here.

  9. Re:Why didn't they get a fine? by lucidlyTwisted · · Score: 2

    The ICO is a toothless waste of tax-payers' money. They couldn't even be arsed to do anything about BT's use of Phorm.
    Fines should apply immediately (say £100 per breach), and quadrupled if the company did not disclose the breach itself. So in this case the contractor/councils should be staring down the barrel of a circa £2.6 million fine. But they won't. All that will happen is that a few civil servants will be promoted, the council will mutter "lessons learned", the ICO will crow about monitoring its own navel and nothing will change.
    Why the **** does a contractor need to take that amount of information out? Give them a limited VPN and a key to access what they need. Simples.
    And disable USB - that has no business being enabled for typical end-users in a corporate/council environment.

  10. Re:No, we haven't by julesh · · Score: 2

    Britain doesn't have a drinking problem, at least not to the extent that our media would have you believe. It's been hyped out of proportion on the back of badly designed government statistics, which reveal that large numbers of people regularly binge drink. At least, they do if you define "binge drink" as "drink more than the daily recommended alcohol allowance in a day", where the daily recommended alcohol allowance is 3 units for women or 4 for men (i.e. 2 pints of any reasonably strong lager is "binge drinking" by this definition), an allowance which has been described by the committee that originally set it as essentially a guess with no scientific validity, and probably too low. And even the basic principle of whether a daily allowance rather than a weekly one is a good idea is questionable, because to set a daily allowance you have to consider its effects on people who drink every day, but most people only actually drink once or twice a week.