Security-incident prone bank HSBC has admitted losing a server containing transaction data on 159,000 Hong Kong-based account holders. The bank said on Wednesday that the kit went missing during renovation work at a Kwun Tong district branch on 26 April, Reuters reports. Data held on the server included customer names, account …
Dirty deeds done dirt cheap ......
"Data held on the server included customer names, account numbers, transaction amounts and transaction types,....... "The server is protected by multiple layers of security. The risk of data leakage and fraudulent transactions resulting from the loss of the server is deemed to be low," HSBC said."
It is not the bank they target, it is the customers.
I'm sorry but I'm not used to this.
I was under the impression that servers are "up" unless "down" for maintenance or repair. If it was "up" and live, HTF did the thief get access to it and WTF didn't the server suite management system alarm to say that a bit of infrastructure was taking an unplanned holiday?
If it was down for maintenance are the procedures so lax that one can just go for a walk and nobody notices? Rhetorical question, really. They are and it did.
I know thieves are dammed tricky but it sounds like P45 time for somebody.
After reading this article, I am severly concerned with the way HSBC operates its security practice. Surely a financial bank must follow regulatory guidelines and must track and log, investtigate and maintain their security policies, and implement them. If your data is not safe in a Bank, then we would expect it cannot be safe anywhere - surely they should have the latest and greatest security products, physical, logical, technical and deterent controls implemented.
In this article, I am amazed how a server can just go missing. Surely they would have thought to have security guards on site watching over the equipment during the rennovations. After all, there are many techniques to crack security, but having deterents and access controls in place, isn't that difficult to implement !
Should we bank with them if this carries on....? Thats up to you.
I'm sure that their "layers of security"....
...were cunningly designed to fox a lobotomised rabbit !!
@amanfromMars - Clear English diction !! Shurly an all-time first !! :-)
At least they [HSBC] followed sensible procedure by investigating it before shouting about the incident to the world at large. Such incidents are never good but I'm inclined to believe they do indeed use a lot of protection on the data. Of course, I still think it's basically inevitable that the data be recovered by the bad guys, eventually.
On another matter, Mr Leyden [et al.] : there is no 'a' and no 'double l' in "publicly".
The server is protected by multiple layers of security
given the fact that the main layer is gone e.g. no physical access to the server, and the fact that they let go thru the door a server or disk array that gives a pretty bad picture of the subsequent security layers .
.. or maybe it was just a M$ VISTA powered laptop and all is fine then. You can't bulk copy.
It's not difficult is it!
How many of us have walked into another office in our companies and walked off with a bit of kit? You walk in, grab the kit, wave the company photo ID to the security guard and carry a bloody great HP DL380 or whatever out the door. Almost every place I have worked at, this has been allowed, only about 10% of places does the security guard decide to ask to double check that you can take the kit out the door.
I'm not defending HSBC, but companies need to stress to the poor sod on security desk, most likely on just above minimum wage from a third-party agency, that nothing goes in or out without paperwork, even then would the guard really give a toss, it's not his kit and he can always go to another security firm/agency and get signed up again if this firm boots him!
Re: It's not difficult is it!
You're right, also, more to the point, those same minimum-wage security plods can be offered more money than they will make all year to 'see nothing' as the kit walks out the door. It's not their kit, after all and if they get fired, they still have the extra cash, if not.. win/win.
I seem to recall some seriously well-heeled and organized crime syndicates operating in HK. How useful do we think this server would be to them? Sadly they'd also be the very kind of people able to peel away those 'multiple layers' of security, which, let's face it, is basically trivial once you have physical access (though still time-consuming). If I were them, though, I'd already have appropriate access credentials, passwords and the like.
The bank branch (not a datacentre as far as I can tell) had some workers in, presumably out of hours. Those workers, may well have had access to the small server room that they had, most branches don't have many servers, so likely it was a cupboard with a swipy card lock, if the workers need access, this door may well have been set to unlocked. All it would take was someone to hoik the server out of the rack. Bear in mind that if people are working in a branch, they are going to be "trusted".
At the main datacentre/mission controll they would have seen an alert saying the server had just disappeared from the network. At this point you start investigating what has happened, try to connect to it's RIB board, or whatever else it has. This has already taken a couple of minutes, by which time the server was in a sack of stuff taken out to the workers' van and it's off.
Now, that may not be what happened and likely there should have been better security, but it's not hard to end up in this situation, if you trust your staff/contractors.
Keeping your poop in a jar...
...Time to close my HSBC account I think.
what a shock
i'm surprised they even bothered to tell people rules over data loss are so lax that incidents like these are commonplace.
Its about time they re reimbursed each customer with a fixed sum as a penalty for these incidents they then might just make it a tad more difficult to happen.
Of course they definitely wouldn't report it then.......catch 22.
In reality the best thing would be for all concerned to find another bank who might take a bit more care customers voting with there feet would tend to focus their strategy more.
hey tell the authorities quick! Amanfrommars has been hacked...No numbers, no odd capitalAIsations, Its not him I tell ya!