Lord of the Rings: The Return of the Snafu
Gandalf: (laughs) Oh, of course. "Speak, friend, and enter."
(Stands up and holds up staff)
(Security doors open wide...)
Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut. The Bank of New York Mellon offered people whose details were …
Gandalf: (laughs) Oh, of course. "Speak, friend, and enter."
(Stands up and holds up staff)
(Security doors open wide...)
I'm probably going over old ground here (various British cock-ups) - but why, when you're moving such sensitive data, isn't it held in the safekeeping of the same human being(s) from the beginning of its journey to the end of it? No sorting offices, no handovers: the courier takes it from the sending office to the receiving office, and does not allow himself to be distracted from that task.
OK, maybe in USA these can be quite long journeys. Even so, I would still give it to one trusted guy (or pair of guys) to take from A to B, with strict instructions about never letting it out of their sights.
Snafu? You're being ironic. From the customers' PoV, tarfu at least.
I'd really like to know what courier lost the tapes... Did the bank just pop the tapes into their local FedEX Kinko's drop box or did it fall out of the back of an Iron Mt. truck.
Paris - 'cause she now knows to secure her tapes.
Wouldn't it be safer to somehow transfer the data over the network?
Obviously not a zipped file, but if there's data being transferred daily over the network, that can't constitute an extra risk? Or can it?
If you loose someone's data you owe them insurance for life -- after all, that's how long their personal details will be valid.
It seems only honest people need worry in this world.
It seems like the "NY Mellon Bank" is a recently-merged financial entity. It is barely one year old, and they've already done an epic SNAFU. Way to go!
With that name, though, I'd wonder if speaking 'friend' will give me full r00t access...
Thanks for making the heart of US Bank (usbank.com) customers race... with the ambiguous title.... Turns out this is about a USA-based Bank, not the actual US Bank company.
Is it REALLY going to take a law backed by punitive damages to make these buggers start using a bit of common before burning tapes/CDs/whatever and carrying them offsite? My details were on a tape lost by a bank about 18 months ago.
The IT department responsible for this disgraceful cock-up issued a statement that it was "about to" implement encryption at the time (so any future IDs I might adopt and give to the bank were presumably safe), and they assured me that it was unlikely that anyone would have the equipment to read the tape anyway so I shouldn't worry my little head about it.
Oh yeah? Is it *that* unlikely that a tape containing a DIY kit for forging the ID of a couple of million customers would be stolen by someone who *hadn't* taken the preliminary step of obtaining a couple of easy-to-get surplus-these-days tape units BEFORE concocting the elaborate "steal tape from courier" plan?
Hay-Zeus on a Bike! You'd think that at least ONE of these buggers would get the message. Perhaps only when Glorious Leader Bush or Beloved Co-Leader Cheney have had their Name, SSN, Address and Deposit Account numbers stolen will Something Be Done.
... national ID Scheme that wouldn't happen, of course!
It is no wonder that there is a global banking crisis when we see time and time again that the bank cannot even look after data let alone money !!. I would not trust Bank of New York Mellon with any money at all, let alone mine.
Anyone in any organization that handles data pertaining to clients or customers, especially financial and medical establishments, who transfers unencrypted data is an ignoramus or a fool. And that goes as well for at least one level up in chain of command.
Oh, yes, regarding "...bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media..." can you say "Hannaford" boys and girls?
Skull and crossed bones because Pirates is Everywharrrrr. Arrrr.
After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos.
>After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos.
And me... I bet I am not the only Reg reader with this kind of kit at the house or available for use at work
"After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos."
-Holds up hand- The last refurbished computer I bought had a mag tape bay in it! (Pulled it out, it's probably still in my closet)
Hmm, maybe I should put it on E-bay? It looks like it might be worth serious cash to someone, eh?
It comes down to cost. Most of the UK and US banks in the UK (including NYM) use Bike couriers as we are secure and hard to rob but we're not cheap. The US doesn't have many Bike couriers and they are VERY expensive so uses overnight services which cost little.
Overnight courier is very insecure but when nothing goes wrong it looks cheap. I guess its a perception thing.
Ex Securicor Pony Express rider who used to carry everything from cash to penny under a Billion bearer bonds to your banks clearing to bullion from cash centres all on Motorbikes. Ex company manager with a few banks as clients.
Anon as I signed confidentiality agreements (seriously)
US banks routinely contract with small Puerto Rican software shops who in turn sub the work out to... well the US banks would rather not know.
It doesn't take a bank losing tapes to leak this stuff, they ship it offshore routinely.
Knowing these tards, they probably are still using 7 track round reel . No excuse is good enough for this type of stupidity. Loonies in Ohio were having interns take computer files home with them as an off-premises storage backup....ha.ha.ha.ha.ha
computer tards.... where do they get them?
Because all of the practical encryption options for backup media are *expensive*.
ie Encryption option for NetBackup isn't cheap
new tape drives [for hw encryption rather than sw encryption]
key management software plus associated new processes/procedures
impact on restoration/recovery times of encrypted data vs unencrypted
+ legal compliance
+ data expiration considerations
+ and DR can become further complicated
Most places seem to get their backup and recovery strategy "working ok", without then going and getting the next step of securing it properly.
Personally, I'd feel a bit safer if the encryption of *sensitive* data on backup media was legally mandatory AND part of the auditing that's done of financial institutions (i.e. by APRA here in Australia)
I use an LTO tape library even at home. Just keeps things nice and simple.
Ten years ago, losing a tape or CD was less of a problem; it would probably just end up in a bin. Now though, the criminals are more aware of the value of data and are more likely to look through it and attempt to sell it to someone who can make use of it.
How excatly is a bike courier safe or hard to rob?
*Car Vs. Bike. Car wins. Car driver gets the physical data price.*
I'm loving some of the comments you guys are making. Agreeing with most i.e end to end delivery by responsible individuals and encryption where possible. But it seems a lot of you guys are really out of touch practical and economic reality.
Large organisations simply cannot encypt all tape data due to the size and amounts of data we are talking about, as well as the recovery procedures and timescales that would be required to get the details back from the disk, it may be ok if you are handling a few megs of tape data but when you are dealing with hundreds of Gigs it is a different story.
And don't even get me started on risk calculations. Those of you who have never worked on a large scale IT projects would be well served to get out there and get some experience of systems that make ACME Pot Rivet ltd. Company to shame before chucking in there two penith.
How expensive do you actually think that encryption measures are, compared to the cost and hassle of losing unencrypted data? And we're talking about banks here, not exactly the poorest institutions around.
I'd imagine that most tape drives (libraries, more likely) that banks use are already advanced enough to include hw encryption and compression, I don't think key management is that much of an issue, and I don't see how DR would be significantly impacted either. Overall, definitely a small sacrifice compared to the potential benefits it brings.
@AC about car vs bike:
Motorcycles (or even bikes) are probably a lot more agile, so unless you have some real pros trying to steal the data, you're probably more likely to get away on one of those rather than a car.
But seriously, unencrypted tapes, in 2008? FAIL++ :[
Is that the best the yanks can do?
Our lads lose that much data before breakfast.
>After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos ... and me too [holds hand up in sheepish manner]. Truth is, I just can't throw anything away.
From your bank !!!!!!!!!
They are all at it in UK at any rate, pay £x per month and we'll provide legal assistance while you sort out your shit in the (increassed likelyhood) eventuality that your ID gets stolen (after we lost your fucking data HA! HA! HA! - give us more of your money - idiot !)
This is how they are going to stabalise the world currency deficit caused by their bad capital investments and their incredibly weak security policies - not to mention the rather excessive fat cat payouts and executive jollies they've had recently)
I read somewhere that you are safer from ID theft if you only have debts.
There's something like 5000 couriers on bikes within Central London, how do you tell which one has the important package? Not even the customer knows which rider has the package or what route they will take.
I suppose you could wait around outside a bank on Canary wharf but then how do you know what rider is carrying important data and which dross?
In the two years I worked for Securicor only one bike was robbed and that was because he forgot to lock his top box. In the several years I ran a company not one rider was robbed although the bank was.
The system of obscurity and speed works in this instance. If it didn't it wouldn't have been used for so long.
Anyone running a book on who will beat the incompetence of the UK goverment, they lost 25 Million details, i was going to say Australia but then i relised they don't even have 25 million people's details to lose.
A big net and a lot of patience.
People have been shipping backups around ever since we've had backups. I realise that the reporting of these incidents in recent times is highlighting the problem, but imagine how much information has been lost over the last few decades. It's not like courier services have suddenly become incompetent overnight.
If you ain't got a NSA certificated key custodian - with an active account - you AIN'T got encryption - you've got PRIVACY.. and that's a 20 min job to break usually.
This takes the pee pee yet again. How many times does this need to happen before banks will wake up and smell the proverbial coffee (Or in the banks case when will they smell the shit hitting the fan??).
Those affected need to hit them in the only place that hurts for large American Corporations, the bottom line. Hit their profit margin very hard and they'll soon sit up and take notice. A class action lawsuit from 4.5 million people should do the trick.
When will the US administration stop spying on it's own populace and bring in some laws to protect them instead?
Flames; 'Cos whoever at the bank took the decision to send the unencrypted details of 4.5 million people, via a third oarty courier, should be burned at the stake in Times Square. I'll bring the petrol...
Can you tell us which company you work for, so that we can stay as far as possible from it?
sudo killall -9 Autopilot