Quadrillion-dollar finance house spams Reg reader with bankers' private data

IT staff at the world's largest securities transaction clearing house are facing a rough few days after a Reg reader was inadvertently deluged with emails leaking session IDs, transfers, and account details for executives at big-name customers. The Depository Trust & Clearing Corporation (DTCC) handles the vast bulk of stock and …

COMMENTS

This topic is closed for new posts.
JDX
Gold badge
Unhappy

Reward?

More likely he'll be sued

16
0
Anonymous Coward

Am I the only one...

Who upon receiving such an inadvertent blurt of data would take a copy and put it somewhere safe, just in case? (in case of what I don't know).

12
0

Re: Am I the only one...

pastebin? usenet?

2
0
Silver badge

Re: who would take a copy

Um ... every server in the chain of delivery I should think. And since the recipient was a gmail account, the Great Farm in the Cloud can be assumed to have backed it all up too.

0
0
Anonymous Coward

I once started getting account opening emails from a UK bank.

I phoned them up to let them know something dodgy was going on.

Later that day they contacted me and told me that someone had entered a made up email address to perform some tests on the system, had forgotten to remove it, and hadn't realised the email address might actually belong to someone. Oh dear.

5
0
Bronze badge

RE: made up email address

Hope there is no one called asd at asda, I'm probably responsible for a lot of email their way if there is.

2
0
Bronze badge

Re: RE: made up email address

http://asdf.com/asdfemail.html

FFS use example@example.com if you absolutely have to use a fabricated email address. Your real email address is better, since you get anything that does actually get sent.

5
0
Anonymous Coward

Re: RE: made up email address

I always use able@baker.com

0
0
Anonymous Coward

I always use a@a.au - quick and easy... will pass valid email checks, but it's guaranteed undeliverable.

0
0
Anonymous Coward

Re: RE: made up email address

"FFS use example@example.com"

I have a domain which I mainly use for online stuff, like shopping. I got fed up with spam so I wanted to be able to find out who 'leaked' my address (e.g. shop in John Lewis, give them email johnlewis@etc). All emails get through to my administration address. I figured I'd chosen a sufficiently random, but still memorable, domain name, but it turns out someone might have had the same idea for testing.

0
0

Re: RE: made up email address

I quite like a@b.com which is about the shortest address I know that passes basic validation

0
0
Anonymous Coward

Yup. Saw that done in a hardware validation lab. Configured & tested a template system, and then made about 100 copies. Didn't discover the random "send alert here" email address was live for nearly a week. Had to go around and hand-edit all of the cloned systems individually.

0
0
Anonymous Coward

He had to loop LotR to fall asleep??

Never made it to the end myself...

5
1
Bronze badge

Re: He had to loop LotR to fall asleep??

Oh, the eagles led by Gwaithir attack Mordor and take the One Ring for themselves.

A new era of the Menace from the Sky starts.

1
0
Bronze badge

Re: He had to loop LotR to fall asleep??

Sounds like he is like me. I have nights where Ben Stein could narrate the tax code and I'd still be up. Hell, I could watch Ben Stein play in EastEnders and I'd still be up, wait, would that just drive me insane?

0
0

Suitable reward

I suggest they give him the bonus of the banker who replied "not interested"

And maybe a similar amount to the press droid who was interested, even though off duty?

25
0
Joke

Just give him the fraction-of-cents from all the transaction rounding being done by DTCC for a year.

(I know, I know, it doesn't really work that way, it's a joke.)

3
0
Bronze badge

The civic minded thing would have been to drop them in it.

Otherwise we end up with the situation where the same mistakes get made again and again, with no one individual ever having to face the consequences.

2
0
Silver badge

I think that making the story public is probably akin to dropping someone in it....

6
0
Anonymous Coward

Typo

Shouldn't that be QUADREEEELION - in CAPS.

At least be consistent with your funny-about-ten-years-ago meme use.

6
6
Bronze badge

Re: Typo

In the Reg Reader Survey I have asked them to stop using BLOODY AWFUL CAPITALS in their headlines.

2
2

Surely it needn't eat his data plan

Just stick a filter on the sender email address (I'm guessing that at the very least it was all from the same domain, if not the same email address) and stuff them all into a separate folder that is not set to sync with the phone.

0
2

Re: Surely it needn't eat his data plan

@jetsetjim

I'm sure he would have thought of that if he hadn't been having his cognitive faculties eaten by the flu at the time...

7
0

Flips over a card and reads:

Bank error in your favour.

Collect £200.

Ah, if only.

3
0
Silver badge
Mushroom

I'm getting pretty sick of this "human error" crap

Sure, EVERY mistake is a human error if you trace back far enough.

Thing is, these organizations are trying to use "human error" as shorthand for "our systems are actually secure", which is what has just been proven to be untrue.

Even discounting the "human error" which occurred, the fact that such an error would be magnified to such an effect indicates just how poorly designed and implemented these systems are.

But I guess those are just two more "human errors."

4
0
Anonymous Coward

Re: I'm getting pretty sick of this "human error" crap

"indicates just how poorly designed and implemented these systems are"

I love these type of comments....It's the IT equivalent of watching a professional footballer cock up a penalty and then screaming about what they've done wrong, how you would have done it better and how much less you would ask for in wages to do it....

Yes, yes...I am sure that one of the largest financial institutions in the world has poorly written and implemented systems and you and your "degree" from some old poly can do a much better job single handed whilst moonwalking and gargling the alphabet backwards.

3
3
Silver badge

Re: I'm getting pretty sick of this "human error" crap

1. I don't have a '"degree" from some old poly' -- I have 32 years' experience in IT.

2. One of the projects I worked on at the financial institution I work for was setting up and testing an e-mail filter to prevent "human error" from sending out e-mails containing sensitive customer information.

3. I don't believe that system will catch everything (though it would most likely have caught this crap), and I continue to work to improve security and security awareness at my institution, because

4. I don't believe that the false illusion of security benefits anyone. That was my point, not some misguided armchair quarterbacking. Pretty much all IT systems in use today have security flaws, and we don't make progress by dismissing evidence of those flaws as "human error".

8
0
Bronze badge

Re: I'm getting pretty sick of this "human error" crap

The best bit in the World Snooker Championships is listening to the commentator's ackamarackus after a champion player cocks up a shot.

0
0

Even the crappest of pr0n sites are reputedly equipped with a simple email address verification system such as "please follow the link in the email we have just sent you"

0
0
Silver badge
Coat

That'll be a SysAdmin getting sacked today then.

No, not for the "human error" misconfiguration. For not noticing more quickly that the flood of emails about his systems had suddenly stopped.

"Wow, everything must be working brilliantly today, I'm not getting sent ANY errors" - you are the weakest link, goodbye.

3
0
FAIL

There's no reason to assume the BOFH in question wasn't also getting the emails. PROTIP: many systems which send email allow more than one email address to be specified as recipients.

5
0
Silver badge
FAIL

I will bet ...

the whole problem was when a sysadmin decided he wanted to receive alerts at his personal email (gmail) account, and had a finger-fumble moment.

The real question is why on earth such a mission critical system was happy to accept an UNVERIFIED email address as the endpoint for diagnostic emails. Almost every system + dog nowadays insists on clicking on an emailed link to verify the address before using it.

5
0
Silver badge

Evil Google Plot?

Once those emails went to a Google account, all that information was automatically slurped up by Google and is now their property.

Think about that for a sec....

But one has to ask... using a gmail account for internal secure information would have to violate a number of security and policy rules.

I'll wager a couple of people lose their jobs over this...

2
0
Silver badge

Re: Evil Google Plot?

Well that's the usual company stupidity. What worries me more is someone who worked for an ISP has his e-mail with Google.

0
1
Bronze badge

a quadrillion

using the most common US meaning of the word, this is

one thousand trillion

equalling one million billion

equalling one thousand million million

At what point does 1.7 quadrillion (about $243,000), per year, have any relationship to the real world?

0
0
Bronze badge

Re: a quadrillion

Heh, best two-numbers-not-equivalent-by-orders-of-magnitude-comparison-today goes to me.

Should have been "about $243,000 per human on the planet"

0
0
Silver badge
Happy

Re: a quadrillion

I thought you were making a comment on exchange rates

0
0
Silver badge
Trollface

Re: a 10^15 dollar

At what point does 1.7 quadrillion (about $243,000), per year, have any relationship to the real world?

NOW!!

I guess these are not always different quadrillions sloshing around in there, indeed they are quite like the same going around like fat cows in circles, though I would wager that Bernanke's 65 billion dollar per month of QEn are in there SOMEWHERE.

0
0

example.org

Although this was a mere mistake on a live system, this sort of thing would be inexcusable if done deliberately for testing purposes or otherwise. This is one of the reasons why "example.org" exists. It was created for purposes very much akin to this.

1
0

Re: example.org

example.org is not the only one available, either... me@privacy.net is also available and has been for several decades... if me@privacy.net doesn't work, simply add a number to it... they're all flushed into the bitbucket...

0
0
Silver badge
Black Helicopters

Re: example.org

But you are relying on their good faith and their address not being owned. And whatever spy agency du jour slurping it all up.

Probably best to keep it internal.

0
0
RW
Facepalm

No one's paying attention

This is just another example of what happens when no one pays attention.

Some other examples from personal experience, not entirely IT related, of the results of no one paying attention:

1. A weekly e-flyer for a pharmacy chain, in PDF format, but really just a string of jpegs with such low resolution you couldn't read the text. No way to tell just what this week's specials were! No one bothered to actually look at the end result to be sure it was legible. Strangely enough, an email to the president's email address actually got to him, and they cleaned up their act promptly. I imagine somebody got their fingers slapped over such stupidity.

2. A big illuminated sign by the highway saying "For latest road condition information, check http://....." With all the hoopla about the adverse effects on driving of using cell phones, you'd think that a sign that was an open invitation to fire up your browser would be dismissed off hand as counterproductive.

3. An emergency response program that has designated routes for emergency vehicle use only. Problem: all the routes between different parts of the metroplex are so designated: you simply cannot get from part A where people work to part B where they live without using one of these highways. If we have a big earthquake (certain to happen sooner or later), everybody's going to want to rush home to make sure things are okay, that their kids in school are okay, etc. There aren't enough cops to block the resultant flood of traffic; and besides, the cops will have other things to do after a big shake. [The city I live in has very few road links between some sections.] This particular stupidity also involves failure to take into account human nature which, as the old adage teaches us, never changes. Plus the common bureaucratic position that making a rule against something actually stops people from doing it.

In the present case, somebody didn't bother to look at the email address they'd keyed to be sure it was correct, to say nothing of the other criticisms of this fiasco.

0
0
Anonymous Coward

Tradition requires

foo@bar.com

0
0
Silver badge

Bah!

"Misdirected"? Not so. Some inattentive berk typed in a valid email address in whatever box asked for it. The fact that it was not the address he/she intended is not important. Let's assign blame where it belongs: some techno-tw*t who probably broke umpteen company regulations (not to mention conditions of employment) to steer information to his or her private email account instead of a safe (and probably audited) company one. That this person then didn't double check the address is just par for the course.

If company rules-of-conduct don't make that a fingerbreaking offense, they should.

And where was the firewall nannyware when it was needed? Why aren't all outbound e-mail addresses whitelisted?

The more I think on it the more there seems to be a cultural/systemic problem at the root of this.

0
0
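Three defensive ideas recur in this thread: use an RFC 2606 reserved name (example.org and friends) if a fabricated address is unavoidable, make a system confirm ownership of an alert recipient before it sends anything there, and allowlist outbound recipient domains. The following is an added example that puts all three into working code; it is not code from the article, from DTCC, or from any commenter. The internal domain `ops.bank.test` (chosen because `.test` is itself reserved and can never resolve), the `RecipientRegistry` class, and the sample configuration list are constructed assumptions.

```python
"""Audit a list of configured alert recipients before any mail is sent.

Added example, not from the article or the commenters. Assumptions:
internal_domains is the organisation's own mail domain set (constructed
here as {"ops.bank.test"}), and RecipientRegistry stands in for whatever
store the real system would use to record confirmed addresses.
"""
from __future__ import annotations

import hmac
import secrets

# RFC 2606 reserves these names; they can never be registered, so mail
# addressed to them cannot land in a stranger's inbox.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}


def normalise(address: str) -> str | None:
    """Return local@domain with the domain lower-cased, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return f"{local}@{domain.lower()}"


def classify_domain(address: str, internal_domains: set[str]) -> str:
    """One of: internal, placeholder, external, malformed."""
    norm = normalise(address)
    if norm is None:
        return "malformed"
    domain = norm.rsplit("@", 1)[1]
    if domain in internal_domains:          # allowlist wins over everything
        return "internal"
    if domain in RESERVED_DOMAINS or domain.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return "placeholder"
    return "external"


class RecipientRegistry:
    """Tracks which addresses have proved they belong to whoever configured them."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}
        self._verified: set[str] = set()

    def request_verification(self, address: str) -> str:
        """Issue a one-time token; a real system would e-mail it as a link."""
        norm = normalise(address)
        if norm is None:
            raise ValueError(f"malformed address: {address!r}")
        token = secrets.token_urlsafe(32)
        self._pending[norm] = token
        return token

    def confirm(self, address: str, token: str) -> bool:
        """Constant-time token check; a token is consumed on success."""
        norm = normalise(address)
        expected = self._pending.get(norm) if norm else None
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self._pending[norm]
        self._verified.add(norm)
        return True

    def is_verified(self, address: str) -> bool:
        norm = normalise(address)
        return norm is not None and norm in self._verified


def allowed_as_recipient(address: str, internal_domains: set[str],
                         registry: RecipientRegistry) -> tuple[bool, str]:
    """Decide whether an address may receive live alert mail, with a reason."""
    kind = classify_domain(address, internal_domains)
    if kind == "malformed":
        return False, "malformed address"
    if kind == "external":
        return False, "domain not on the outbound allowlist"
    if kind == "placeholder":
        return False, "RFC 2606 placeholder: mail would be discarded, not delivered"
    if not registry.is_verified(address):
        return False, "internal address, but ownership not yet confirmed"
    return True, "internal and verified"


def audit_config(recipients: list[str], internal_domains: set[str],
                 registry: RecipientRegistry) -> list[tuple[str, bool, str]]:
    """Run the decision over every configured recipient."""
    return [(addr, *allowed_as_recipient(addr, internal_domains, registry))
            for addr in recipients]


if __name__ == "__main__":
    internal = {"ops.bank.test"}  # constructed placeholder for the org's own domain
    reg = RecipientRegistry()
    token = reg.request_verification("alerts@ops.bank.test")
    reg.confirm("alerts@ops.bank.test", token)   # simulates clicking the link
    # Constructed sample config: one confirmed entry, one not, one fat-fingered
    # external address, one RFC 2606 placeholder, one typo.
    config = ["alerts@ops.bank.test", "oncall@ops.bank.test", "foo@bar.com",
              "test@example.org", "nobody"]
    for addr, ok, reason in audit_config(config, internal, reg):
        print(f"{'OK ' if ok else 'REJ'} {addr:<24} {reason}")
```

The allowlist check runs before the reserved-name check, so an organisation that really does use a reserved TLD internally is still recognised; everything outside the allowlist is rejected regardless of whether it looks plausible, which is the property that would have stopped a gmail.com address from ever becoming an alert endpoint.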