Barclays Bank probes 'client data sold to rogue City traders' breach Barclays Bank has launched an investigation following a reported security breach involving thousands of confidential customer files. The Mail on Sunday took delivery of a memory stick containing personal details of 2,000 Barclays customers from a whistleblower. The files reportedly contained passport and national insurance …
I'm no fan of Barclays but just what leads you to believe they, as a bank, have done anything wrong. At the moment, from the information given in the article, this whistleblower could just be a disgruntled employee who took some files to the Mail, that bastion of understated headlines and investigative journalism, and spun them a line. There doesn't seem to be any indication that the Mail checked his credibility and are reporting it as fact.
Yes, and Snowden and others shouldn't have been allowed to have walked out of wherever with what they did but it happens. It's not impossible to lock down your machines but sometimes a bit of trust is needed. This bloke obviously had some data. Barclays have confirmed that it appears to be genuine, but the Mail has taken his story at face value. Until all the facts are known they shouldn't be reporting this as fact and claiming it is the biggest data breach ever.
Even if it is found to be true I wouldn't consider it a failure on the part of the bank if it were theft by an employee. Losing data, having an insecure system or if the source is found to be an outsider then that is a failure. However it's hard to protect yourself from determined employees without making life impossible for the the majority.
... that much of this data, ripe for identity theft, is acquired in the first place.
The government has ensured that banks, solicitors, estate agents, money exchange offices and just about everyone that ever handles more of your money than the price of a basket of groceries is *obliged" to collect a lot of this highly personal data, allegedly for the avoidance of money laundering (but really as part of the apparatus of the surveillance state).
I'm not sure why you feel this data is somehow going to be secure, given the number of people who have access to it. Or, indeed, all that medical data that is going to be shared with all and sundry, "for your own good".
If you're really concerned about your privacy, you should be concerned that this data is being so widely collected in the first place. One that's happened, frankly, all bets are off.
They're a bank.
While it is ordinarily a safer bet to presume ineptitude than malice (see: occam's razor), when discussing banks malice is a constant and ineptitude an inevitability.
We're not talking about an excel spreadsheet with a phone number and address on it We're talking here about detailed information that could well be used for spearphishing attacks against the kind of people that make spearphishing attacks worthwhile.
There exist multiple ways to protect against insider data theft. If the person is in a highly privileged position there exist multiple technologies and procedures which will allow an organization to pinpoint whodunit in a matter of seconds. Whether this is an external breach or an internal one makes no difference to the duty of care the bank had to their customers in retaining this information.
"But the NSA are a bunch of derpy fucks too" is not an acceptable excuse. "Tommy put worms in Sally's sandwich so I put worms in Jessica's" doesn't fly in elementary school and it sure as shit shouldn't fly when dealing with the largest financial institutions in the world.
If the bank was unable to protect the data against insider threats it should not have been retaining the data. End of.
Do you bother to read fully what people write before putting finger to keyboard. If so you would have seen this, "It's not impossible to lock down your machines" yet you feel the need to repeat it. In any working environment there needs to be a balance between protecting data and the need to use it. Also as has been pointed out later these people may have consented to their details being shared with third parties and if the whistleblower is to be believed it is the third party who is trying to sell it on. As yet there is no proof that the bank is to blame and the Mail should not have run the headline it did.
Actually with banks they are under a greater onus to protect the data thanks to PCIDSS. Retailers large and small have to prove, to a stupidly detailed level what systems they have in place to protect customers card data, and not just with systems. If they don't the task masters fine them, or block them from accepting card transactions and this, like chip&pin, is just to reduce the banks liability.
Yet when a bank loses data they are not fined to the point it will bankrupt the business nor blocked from trading in certain areas. Add to the fact this data is now 6 years old so should have been at the least archived offline and at best destroyed there really is no defense for what has happened.
Oh, I read what you wrote. But what you wrote basically says "oh, sure, It's not impossible to lock down your machines, but that's just such a hassle that no bank can really be held to those standards." Which is utter bullshit.
Also, under EU law data controllers have certain responsibilities. One of the most critical is ensuring that any third parties with whom they share data meet the same data protection requirements as the original entity itself. In plainer language: by law, the bank has a duty of care to that data even if that data is being used by a third party.
It doesn't matter if the breech happened at a contractor or at the bank itself. The bank is responsible for that data. It must ensure that all of the contractors it uses secure the data as well or better than the bank must itself.
That makes a data breach at a contractor the bank's responsibility and an abdication of responsibility by the bank. No matter how hard it is on the wee diddums to have to comply.
Meanwhile, the rest of us live int he real world where it is far more likely that IT operations at any company is underfunded, internal bureaucracy makes implementing policy difficult-to-impossible and negligence is a more realistic assumption than not.
You give no reason to assume good faith beyond your assertions and personal beliefs. Conversely, there is a lot of history that demonstrates that banks have a lackadaisical attitude to regulations in general and large organizations of all types have hostile attitudes towards proper IT policy.
I see no reason to presume the bank did everything to spec when history says it is far more likely that they haven't. People are innocent unless proven guilty. I do not extend the same concept to banks.
Call it personal prejudice - and frankly it is personal prejudice - however, I will always view bank IT as paralyzed and constantly fighting uphill battles they can never win until proven otherwise. I've heard far too many horror stories from very reliable sources in the UK banking industry to be capable of holding a different view.
It's the reason I don't do any reporting on bank IT. No matter how hard I try I cannot believe a bank to be innocent unless proven guilty. Fortunately, comments don't require the presumption of innocence.
That said, you've nothing to prove your side either. Only a philosophical requirement on your part that they be presumed to have done everything right. Your beliefs and assertions conflict directly with every iota of experience - personal and secondhand - I've ever had with bank IT. As such, I feel entirely justified in calling you on it and saying that for your thesis to be accepted evidence is required.
The court of public opinion does not require the assumption of good faith.
The assumption of good faith is founded in the principles of the presumption of innocence and is a rational extension of the foundational principles of our society when dealing with unknown individuals or entities. You assume good faith when there is no history to inform you otherwise.
Where history exists it is rational to examine past behavior to deduce patterns. Thus presumptions can be made from past behavior, which may or may not continue to warrant the assumption of good faith.
There is a difference between caution and naivete. When and where a pattern of populace-hostile behavior exists I do not assume good faith because I have never been presented with a rational reason to do so.
At some point the assumption of good faith gives way to naivete. In this instance, I believe that your assertion we should assume good faith falls on the "naivete" side of that line.
What I find most interesting is that you are quick to assert the right of a bank to the assumption of innocence and yet are clearly willing to assume that I haven't read your comment in full. You would seem to believe that corporations are more deserving of the presumption of innocence than individuals. Or perhaps that we should not presume things of corporations based on past behavior whereas we should with people.
Either way, your standards appear to be dichotomic.
For the record, my standards are dichotomic, as I believe there is a difference between people and corporations. I don't for a second believe that corporations should have all of the same rights as natural persons and that includes the "right" to the assumption of good faith. (Not that this is an actual right.) Legally, a corporation is entitled to the presumption of innocence, however, that is a different and separate standard from the assumption of good faith.
The damage a corporation can do is orders of magnitude higher than that which most individuals are capable of inflicting. As such, I believe it is critical that we do not assume good faith of corporations and instead view them with a critical eye.
Guilt isn't determined by the act (or not) of breaking the law, either. In these days of cutting deals "no admission of wrongdoing" and blatant corruption the law is infinitely malleable to those with the right resources.
Fortunately, the people have more than a flawed legal system at their disposal to hold individuals and corporations to account. One of the more important tools is peer pressure. Ostracisation is a powerful incentive at the individual level and can become "voting with our collective wallets" at the corporate level.
Failure to be found guilty in a court of law does not mean the actions of an individual or corporation are just, morally correct, ethical or even legal. Human beings who aren't sociopaths hold themselves and others to more standards than the lack of being found guilty of a criminal offense.
It's easy to game a system with well defined rules. It is far harder to game a system where the only rule that truly matters is Wheaton's law.
So we arrive at the crux of it. As with so many arguments in the comments, when you strip the events away, it is a fundamental philosophical difference. On one side we have myself, and those who believe as I do, stating that individuals and corporations must be held to a higher standard than the ability to prevent themselves from being held criminally liable for their actions.
On the other side we have you and those who believe as you do, claiming that ethics and morality are arbitrary, and thus should not be used as standards of governance or the foundation of rules of interaction.
One side takes into account the variability of humans, their ability to lie, cheat, corrupt, adapt and conceal. The other side is procedural, believing that everything can be codified and quantified. The debate is as old as time. We'll not solve it here, today...or likely ever.
Or put another way we have on one side those like myself who belive in justice however flawed it may be and you and yours on the other side who follow a lynch mob mentality. The same can be said for justice as for democracy, it may not be perfect but it's better than the alternatives.
No Chris, here you are incorrect. A lynch mob is entirely emotive. It is the extreme end of the spectrum away from cold, corrupt justice. What I - and most people around the world - preach and practice is something very much in the middle.
It is holding people and corporations to a duty that includes social responsibilities, not merely legal ones. It is a recognition that any system can be gamed and anything that can be gamed will be. People who believe as I do believe we must evolve both our system of jurisprudence and our law enforcement to deal with this reality.
I do not preach extremism, unless your personal view is that anyone who preaches something other than the extreme to which you've attached yourself is an extremist. (A very republican (or Greenpeace) view of the world.)
You say you believe in Justice. Yet what you preach isn't justice, it's jurisprudence. What you preach is a gamable system where those with the most resources are above the law. You preach a system where one's past actions are not to be examined. That doesn't lead to justice. It leads to America: massively disproportionate numbers of minorities locked up for petty, victimless crimes while those who come far greater sins walk free.
People who believe as I do believe in concepts like "corporate manslaughter" and "piercing the corporate veil". We believe that corporations are to be held to as much account as individuals, even if that includes holding the individuals behind a corporation to said account.
There must be evidence to convict, but past behavior is - to us at least - entirely admissible evidence.
When you have nothing but the extremes - the lynch mob on one end and the sociopathic legalists on the other - you get America. That's not a good thing. There is no justice to be found there.
Laws must be open to some interpretation and procedures to a given amount of latitude in order to cope with those who seek to game the system. Past crimes need to be used to inform the severity of punishment - or the likelihood of guilt - of current crimes. And nobody - nobody - must ever be allowed to be above the law.
Pure procedure is as broken a concept as pure emotion. The answer lies in balance. Recognition of the fallibility of human nature, and of "the system". The creation and implementation of a system flexible enough to cope with reality.
The most interesting aspect of this story, for me, will be whether Barclays' get held liable for this or not. In the current environment it would not surprise me in the least bit to see some multi-million pound fine being dished out. And yet one could argue that, in this case, they are as much the victims as anyone else.
"In the current environment it would not surprise me in the least bit to see some multi-million pound fine being dished out"
It would surprise me a great deal, because the ICO can only levy penalties up to half a million. That's bad news for an SME, for a bank it's not even a rounding error on previous fines, never mind profits. The eagle eyed will spot yet another law drafted to the advantage of big data and big financial services lobbyists. In any competition law or regulated business environment the bureaucrats fall back on the "up to ten per cent of turnover" fines, but if it's your data abused by the same people who caused the current financial difficulties (or if it had been tax dodgers like Google), then a mere half a mill will do nicely.
By rights Wanklays should be taken to the cleaners for this, because they have breached the law and customer trust by retaining, or allowing to be retained (even if through lack of proper control) this data, and by not securing it. But that's not going to happen. We've not yet had a major EPOS hacking scandal that's native to the UK, but it will happen sooner or later, and largely because the retailers and financial services players know there's no penalty for ignoring data protection rules. Meanwhile, MP's debate plans to ban child-transporting proles from smoking in their Ford Sierras, and Wanklays increase the bonus pot to all those "top talent" individuals that make them the bank of choice.
this really doesn't surprise me one bit. Some years ago I did some IT work at Barclays and was totally shocked by their head in the sand attitude to security. To give an example one of many many issue's, when I arrived I was told here is the plain text document which contains the admin usernames and passwords to servers and routers in the data center you might need (sat on an NT4 share) I nearly fell off my chair! I bought this up as an issue and was told all will be fine and this would be replaced with a more secure solution. Several months later a manager sent a CC'd unencrypted e-mail to all IT support staff saying that the usernames and passwords were now all in a password protected word document (still on an NT4 share) and here was the master password. I did then fall off my chair and left not long after. They like to pretend they're doing something rather than doing things properly .As I said that was one of many many shortcomings. This was some time ago maybe they've improved but I wouldn't bet on it so no I don't bank with Barclays although I'm not sure of of the others are any better.
Hmmm..
Banks really don't seem to be getting this whole 'banking' think anymore!
They've basically got two jobs:
1) Lend money prudently and assess risk thus making a healthy profit and not risking driving the bank (and possibly the global economy) over a cliff. (Many of them failed miserably at that, resulting in massive bailouts at our expense.)
2) Run a reliable, safe, secure and trusted information processing platform that supports transactions. So far, we've already had RBS' computer networks going down (for a full month in the case of their Irish subsidiary Ulster Bank) and now this kind of thing isn't really going to exactly painting a wonderful picture of their systems.
I'm beginning to wonder what exactly the purpose of banks is these days other than to speculate on the share price of and to pay directors gargantuan sums of money 'because they're worth it' ... apparently.
" Barclays Financial Planning" sounds like a legal scam so anyone who fell for it is likely to have signed anything put in front of them (including the "Yes lots of yummy spam for me" box)
Maybe Barclays just flogged the data to some third party - would have got a good rate too for suckers with a pedigree.
I have a business account with Barclays and they are trying to get me to sign all my assets for a small mortgage! My bank manager is dense as a frog with a "jack the lad" flash watch which he is really proud of. He calls me during my holidays to say I am in overdraft when I am in lots of credit (he forgets where to look).
The man and the bank do not inspire confidence and make me watch my back all the time. Any other bank recommended anyone?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
