Bank of Scotland (HBOS) is telling 62,000 customers they could be at risk of identity theft after it stuck an unencrypted disc in the ordinary post, which was subsequently lost. The disc, containing information on mortgage customers, should have been encrypted before being sent, the bank said, and should have been sent via …
Some poor minimum wage clerk has been fired, while the VP in charge of security gets a raise for increasing security awareness.
In other news....
A man has recently bought David Beckham's "Beckingham Palace"; he is said to be chuffed and seeking planning permission for a second house on the property for his Black and White cat.
Hang on a minute...
Three things wrong happened here.
1. The disk wasn't encrypted.
2. It was sent via normal post.
3. It was lost.
The spokesman said "on this occasion...". Are we *really* to believe that these three things all happened completely coincidentally? That the first time it wasn't encrypted was the first time it was also sent via standard post and was (therefore) the first time it went missing?
Or, is it, perhaps, more likely that the disk isn't normally encrypted, it is normally sent via standard post and it's just that on this occasion it went missing?
I smell something fishy...
I work for a large multinational financial institution with very close ties to banks and it always amazes me to see stories like this. Banks get away with murder. We have extremely strict secure data disposal and storage policies and an Audit department that can smell you just thinking about changing someone's AD permissions without the required management authorisation from a mile away. Why do banks find implementing basic data protection and security such a difficulty?
It doesn't help that they are so laughably behind the times in terms of technology. In the last few years we have been told by one major bank that there isn't a single DVD drive in the entire IT department, another bank still sends us unencrypted data on floppy disk in the post (addressed to my boss's predecessor's predecessor) and until very recently we were still having to send reel-to-reel tapes to a major international bank.
Why is everyone getting so hung up over the lack of encryption? If you have the data available, no encryption can survive. It will eventually be broken, it just requires enough processing power. So, encryption merely stops someone who stumbles upon the disk, has a look and then throws it away as rubbish. If the disk is targeted by someone, they probably have the inclination to seriously attack the encryption and therefore, over time, will break it. So, encryption only protects the data if the data becomes useless after a certain time. This data does not really fit into this category.
So, rather than being a panacea to all data privacy issues, encryption actually has a limited use. Yes, it can work in some circumstances, but if the data is persistent, the only answer is to stop people intercepting it.
Financial Services IT
I used to work for a major UK pensions/financial services provider. At said company I used to be in charge of the Wintel hardware and wintel backup. My pet hate was people ordering CD/DVD writers, because they just presumed that it was ok for them to have their own personal copies of data, or to send data to other companies. So few people understand the implications of their actions in this area, it is frightening. I used to take CD/DVDs of personal/external data from people's desks after hours and post them to our IT security department, just to see if the loss of data was reported - it never was, although the IT security people relished 'having a quiet word'.
It took a significant amount of my time to get in touch with people ordering CD/DVD writers and persuade them that it was safer/faster/better for us to set up VPNs to send the data or that the 3 million quid we just spent on a new backup infrastructure would probably be better than a 25p writeable disk. We had to get our IT security department to walk floors after hours to see if they could find unauthorised CD/DVD writers.
Then came XP and memory sticks, it took a while, but I managed to get all USB ports disabled before most people realised it was possible...
Odds on the ICO doing anything
Can we have a book on the odds on the ICO acting against HBoS over this? I reckon odds of 10,000-1 are a bit mean.
Brute force? My arse!
I can't agree with what Mad Mike is saying. There is not enough processing power on Earth to crack the strongest encryption, even with Moore's Law. Breaking 256 bit AES encryption with a 30 character or higher password runs into the order of taking thousands of years to break with conventional processing power - even a nine character password would take a 2GHz PC more than 90 years to break. Unless there is some profound weakness in encryption or unless computing power becomes orders of magnitude more powerful, many types of encryption will be safe for decades. Anyone looking for names and addresses would have more luck rummaging in bins than trying to break encryption.
Encryption can give you time to fix the error, reduce the amount of people that can do something with it. There are benefits.
Encryption VERY relevant
People are "getting so hung up over the lack of encryption" because of the way in which the data was lost. The data wasn't targeted; it was sent by post through the normal mail from where it has never been seen again - as far as we know.
When found, if it hasn't been already, no doubt someone will have enough curiosity to look at what is on the disk and because it is not encrypted they will instantly realise that it is the personal details of approximately 62,000 customers. If they are dishonest enough they will either use the disk themselves to attempt identity theft or sell it to "someone down the pub" who will be able to exploit it much more efficiently.
As people become more and more convinced that honesty is not the best policy (£80 for dropping a cigarette, no penalty for shoplifting!) the possibility increases of this data being used for criminal purposes.
Mad Mike, when you were getting your information out of that Computer Science textbook, you obviously didn't look in the "practical uses" section, where you would see that you can indeed break the encryption, as long as you have a few hundred years spare.
One Time Pad
Mad Mike - you may also want to update your 'Computer Science' book to one that includes info on one time pad encryption. Not sure what edition you currently have but (the ever reliable :-) Wikipedia puts the invention of this method to 1917.
Given that you fulfill certain conditions this system is PROVABLY unbreakable.
Public Key encryption is easier to set up (don't have to securely transmit your public key) but banks and similar SHOULD be able to courier the one time key securely. If enough keys are sent this wouldn't have to be done for every transaction and they could then send CDs cheaply through the normal post instead of paying the enormous premium that secure posting obviously entails.
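
The one-time pad claim in the last comment, as an added example that is not part of the original comments: it shows why searching the key space tells an attacker nothing (every same-length plaintext has a pad that produces it) and why the "certain conditions" matter (a reused pad cancels out of two ciphertexts). The sample records and function names are constructed for illustration.

```python
"""One-time pad: why key search fails, and why a pad must never be reused."""
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the pad (same operation both ways)."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`.

    Such a pad exists for every candidate of the right length, so trying
    all pads produces all possible messages with nothing to choose between them.
    """
    return otp_xor(ciphertext, candidate)


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """XOR of two ciphertexts made with the same pad: the pad cancels out,
    leaving plaintext1 XOR plaintext2, which no longer depends on the key."""
    return otp_xor(ct1, ct2)


# Constructed sample records, all the same length (21 bytes).
REAL = b"ACCT 12345678 J SMITH"
DECOY = b"ACCT 87654321 A JONES"
OTHER = b"ACCT 55500011 B BROWN"

if __name__ == "__main__":
    pad = secrets.token_bytes(len(REAL))  # random, as long as the message
    ct = otp_xor(REAL, pad)
    print("decrypts with real pad:", otp_xor(ct, pad))

    # A different pad turns the same ciphertext into a different, plausible record.
    fake_pad = pad_that_yields(ct, DECOY)
    print("decrypts with other pad:", otp_xor(ct, fake_pad))

    # Condition broken: the same pad used for a second record.
    ct2 = otp_xor(OTHER, pad)
    print("pad reuse leaks REAL xor OTHER:", reuse_leak(ct, ct2) == otp_xor(REAL, OTHER))
```
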