back to article Quadrillion-dollar finance house spams Reg reader with bankers' private data

IT staff at the world's largest securities transaction clearing house are facing a rough few days after a Reg reader was inadvertently deluged with emails leaking session IDs, transfers, and account details for executives at big-name customers. The Depository Trust & Clearing Corporation (DTCC) handles the vast bulk of stock …

COMMENTS

This topic is closed for new posts.
  1. JDX Gold badge
    Unhappy

    Reward?

    More likely he'll be sued

  2. Anonymous Coward
    Anonymous Coward

    Am I the only one...

    Who upon receiving such an inadvertent blurt of data would take a copy and put it somewhere safe, just in case? (in case of what I don't know).

    1. Lyndon Hills 1

      Re: Am I the only one...

      pastebin? usenet?

    2. Stevie

      Re: who would take a copy

      Um ... every server in the chain of delivery I should think. And since the recipient was a gmail account, the Great Farm in the Cloud can be assumed to have backed it all up too.

  3. Anonymous Coward
    Anonymous Coward

    I once started getting account opening emails from a UK bank.

    I phoned them up to let them know something dodgey was going on.

    Later that day they contacted me and told me that someone had entered a made up email address to perform some tests on the system, had forgotten to remove it, and hadn't realised the email address might actually belong to someone. Oh dear.

    1. wikkity

      RE: made up email address

      Hope there is no one called asd at asda, I'm probably responsible for a lot of email their way if there is.

      1. Peter2 Silver badge

        Re: RE: made up email address

        http://asdf.com/asdfemail.html

        FFS use example@example.com if you absolutely have to use a fabricated email address. Your real email address is better, since you get anything that does actually get sent.

        1. Anonymous Coward
          Anonymous Coward

          Re: RE: made up email address

          I always use able@baker.com

        2. Anonymous Coward
          Anonymous Coward

          Re: RE: made up email address

          "FFS use example@example.com'

          I have a domain which I mainly use for online stuff, like shopping. I got fed up with spam so I wanted to be able to find out who 'leaked' my address (eg. shop in john lewis, give them email johnlewis@etc) All emails get through to my administration address. I figured I'd chosen a sufficiently random, but still memorable, domain name, but turns out someone might have had the same idea for testing.

          1. Mayhem

            Re: RE: made up email address

            I quite like a@b.com which is about the shortest address I know that passes basic validation

    2. Anonymous Coward
      Anonymous Coward

      I always use a@a.au - quick and easy... will pass valid email checks, but it guaranteed undeliverable.

    3. Anonymous Coward
      Anonymous Coward

      Yup. Saw that done in a hardware validation lab. Configured & tested a template system, and then made about 100 copies. Didn't discover the random "send alert here" email address was live for nearly a week. Had to go around and hand-edit all of the cloned systems individually.

  4. Anonymous Coward
    Anonymous Coward

    He had to loop LotR to fall asleep??

    Never made it to the end myself...

    1. deadlockvictim

      Re: He had to loop LotR to fall asleep??

      Oh, the eagles led by Gwaithir attack Mordor and take the One Ring for themselves.

      A new era of the Menace from the Sky starts.

    2. kain preacher

      Re: He had to loop LotR to fall asleep??

      Sounds like he is like me. I have nights were Ben Stein could narrate the tax code and I'd still be up. Hell I could watch Ben Stein d play in east enders and I'd still be up , wait would that just drive me insane ?

  5. Mister_C

    Suitable reward

    I suggest they give him the bonus of the banker who replied "not interested"

    And maybe a similar amount to the press droid who was interested, even though off duty?

  6. IglooDude
    Joke

    Just give him the fraction-of-cents from all the transaction rounding being done by DTCC for a year.

    (I know, I know, it doesn't really work that way, it's a joke.)

  7. Vimes

    The civic minded thing would have been to drop them in it.

    Otherwise we end up with the situation where the same mistakes get made again and again, with no one individual ever having to face the consequences.

    1. James Hughes 1

      I think that making the story public is probably akin to dropping someone in it....

  8. Anonymous Coward
    Anonymous Coward

    Typo

    Shouldn't that be QUADREEEELION - in CAPS.

    At least be consistent with your funny-about-ten-years-ago meme use.

    1. Primus Secundus Tertius

      Re: Typo

      In the Reg Reader Survey I have asked them to stop using BLOODY AWFUL CAPITALS in their headlines.

  9. JetSetJim

    Surely it needn't eat his data plan

    Just stick a filter on the sender email address (I'm guessing that at the very least it was all from the same domain, if not the same email address) and stuff them all into a separate folder that is not set to sync with the phone.

    1. John 110

      Re: Surely it needn't eat his data plan

      @jetsetjim

      I'm sure he would have thought of that if he hadn't been having his cognitive faculties eaten by the flu at the time...

  10. lawndart

    Flips over a card and reads:

    Bank error in your favour.

    Collect £200.

    Ah, if only.

  11. Steve Knox
    Mushroom

    I'm getting pretty sick of this "human error" crap

    Sure, EVERY mistake is a human error if you trace back far enough.

    Thing is, these organizations are trying to use "human error" as shorthand for "our systems are actually secure", which is what has just been proven to be untrue.

    Even discounting the "human error" which occurred, the fact that such an error would be magnified to such an effect indicates just how poorly designed and implemented these systems are.

    But I guess those are just two more "human errors."

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm getting pretty sick of this "human error" crap

      "indicates just how poorly designed and implemented these systems are"

      I love these type of comments....It's the IT equivalent of watching a professional footballer cock up a penalty and then screaming about what they've done wrong, how you would have done it better and how much less you would ask for in wages to do it....

      Yes, yes...I am sure that one of the largest financial institutions in the world has poorly written and implemented systems and you and your "degree" from some old poly can do a much better job single handed whilst moonwalking and gargling the alphabet backwards.

      1. Steve Knox

        Re: I'm getting pretty sick of this "human error" crap

        1. I don't have a '"degree" from some old poly' -- I have 32 years' experience in IT.

        2. One of the projects I worked on at the financial institution I work for was setting up and testing an e-mail filter to prevent "human error" from sending out e-mails containing sensitive customer information.

        3. I don't believe that system will catch everything (though it would most likely have caught this crap), and I continue to work to improve security and security awareness at my institution, because

        4. I don't believe that the false illusion of security benefits anyone. That was my point, not some misguided armchair quarterbacking. Pretty much all IT systems in use today have security flaws, and we don't make progress by dismissing evidence of those flaws as "human error".

      2. Primus Secundus Tertius

        Re: I'm getting pretty sick of this "human error" crap

        The best bit in the World Snooker Championships is listening to the commentator's ackamarackus after a champion player cocks up a shot.

  12. Martin 15

    Even the crappest of pr0n sites are reputedly equipped with a simple email address verification system such as "please follow the link in the email we have just sent you"

  13. Velv
    Coat

    That'll be a SysAdmin getting sacked today then.

    No, not for the "human error" misconfiguration. For not noticing more quickly that the flood of emails about his systems had suddenly stopped.

    "Wow, everything must be working brilliantly today, I'm not getting sent ANY errors" - you are the weakest link, goodbye.

    1. Tom Maddox Silver badge
      FAIL

      There's no reason to assume the BOFH in question wasn't also getting the emails. PROTIP: many systems which send email allow more than one email address to be specified as recipients.

  14. JimmyPage Silver badge
    FAIL

    I will bet ...

    the whole problem was when a sysadmin decided he wanted to receive alerts at his personal email (gmail) account, and had a finger-fumble moment.

    The real question is why on earth such a mission critical system was happy to accept an UNVERIFIED email address as the endpoint for diagnostic emails. Almost every system + dog nowadays insists on clicking on an emailed link to verify the address before using it.

  15. Ian Michael Gumby

    Evil Google Plot?

    Once those emails went to a Google account, all that information was automatically slurpped up by Google and is now there property.

    Think about that for a sec....

    But one has to ask... using a gmail account for internal secure information would have to violate a number of security and policy rules.

    I'll wager a couple of people lose their jobs over this...

    1. Christian Berger

      Re: Evil Google Plot?

      Well that's the usual company stupidity. What worries me more is someone who worked for an ISP has his e-mail with Google.

  16. BlueGreen

    a quadrillion

    using the most common US meaning of the word, this is

    one thousand trillion

    equalling one million billion

    equalling one thousand million million

    At what point does 1.7 quadrillion (about $243,000), per year, have any relationship to the real world?

    1. BlueGreen

      Re: a quadrillion

      Heh, best two-numbers-not-equivalent-by-orders-of-magnitude-comparison-today goes to me.

      Should have been "about $243,000 per human on the planet"

      1. Darryl
        Happy

        Re: a quadrillion

        I thought you were making a comment on exchange rates

    2. Destroy All Monsters Silver badge
      Trollface

      Re: a 10^15 dollar

      At what point does 1.7 quadrillion (about $243,000), per year, have any relationship to the real world?

      NOW!!

      I guess these are not always different quadrillions sloshing around in there, indeed they are quite like the same going around like fat cows in circles, though I would wager that Bernanke's 65 billion dollar per month of QEn are in there SOMEWHERE.

  17. Electric Panda

    example.org

    Although this was a mere mistake on a live system, this sort of thing would be inexcusable if done deliberately for testing purposes or otherwise. This is one of the reasons why "example.org" exists. It was created for purposes very much akin for this.

    1. waldo kitty

      Re: example.org

      example.org is not the only one available, either... me@privacy.net is also available and has been for several decades... if me@privacy.net doesn't work, simply add a number to it... they're all flushed into the bitbucket...

      1. Dan 55 Silver badge
        Black Helicopters

        Re: example.org

        But you are relying on their good faith and their address not being owned. And whatever spy agency du jour slurping it all up.

        Probably best to keep it internal.

  18. RW
    Facepalm

    No one's paying attention

    This is just another example of what happens when no one pays attention.

    Some other examples from personal experience, not entirely IT related, of the results of no one paying attention:

    1. A weekly e-flyer for a pharmacy chain, in PDF format, but really just a string of jpegs with such low resolution you couldn't read the text. No way to tell just what this week's specials were! No one bothered to actually look at the end result to be sure it was legible. Strangely enough, an email to the president's email address actually got to him, and they cleaned up their act promptly. I imagine somebody got their fingers slapped over such stupidity.

    2. A big illuminated sign by the highway saying "For latest road condition information, check http://....." With all the hoopla about the adverse effects on driving of using cell phones, you'd think that a sign that was an open invitation to fire up your browser would be dismissed off hand as counterproductive.

    3. An emergency response program that has designated routes for emergency vehicle use only. Problem: all the routes between different parts of the metroplex are so designated: you simply cannot get from part A where people work to part B where they live without using one of these highways. If we have a big earthquake (certain to happen sooner or later), everybody's going to want to rush home to make sure things are okay, that their kids in school are okay, etc. There aren't enough cops to block the resultant flood of traffic; and besides, the cops will have other things to do after a big shake. [The city I live in has very few road links between some sections.] This particular stupidity also involves failure to take into account human nature which, as the old adage teaches us, never changes. Plus the common bureaucratic position that making a rule against something actually stops people from doing it.

    In the present case, somebody didn't bother to look at the email address they'd keyed to be sure it was correct, to say nothing of the other criticisms of this fiasco.

  19. Anonymous Coward
    Anonymous Coward

    Tradition requires

    foo@bar.com

  20. Stevie

    Bah!

    "Misdirected"? Not so. Some inattentive berk typed in a valid email address in whatever box asked for it. The fact that it was not the address he/she intended is not important. Let's assign blame where it belongs: some techno-tw*t who probably broke umpteen company regulations (not to mention conditions of employment) to steer information to his or her private email account instead of a safe (and probably audited) company one. That this person then didn't double check the address is just par for the course.

    If company rules-of-conduct don't make that a fingerbreaking offense, they should.

    And where was the firewall nannyware when it was needed? Why aren't all outbound e-mail addresses whitelisted?

    The more I think on it the more there seems to be a cultural/systemic problem at the root of this.

This topic is closed for new posts.