Mortgage data splashed all over the net. Thanks HSBC Finance

HSBC Finance in the US is notifying customers that it has inadvertently been publishing their mortgage data online since last year. HSBC is believed to have exposed customer names, account numbers, social security numbers, and telephone details, in a move which isn't being attributed to hackers, and as such is almost …

  1. Doctor_Wibble
    Stop

    > "That file (or those files) were indexed by Google (or some other search engine) and thus became available to everyone. My guess is that it became aware of it through someone who did some Google snooping and incidentally bumped into this file."

    Someone did some "google snooping"? Sounds like bollocks to me. The web server would have had to expose a listing including that file before any search engine would list it.

    Or someone used a 'share this file' or 'send this link' button instead of copy/paste of a link/location after possibly-accidentally uploading to the wrong place. These 'share/send' buttons cause a test GET (or equivalent) on the file/link in question to be done by the remote share/send service and that is a 'leak' point, especially if related to some kind of indexing company.

    1. h4rm0ny
      Pint

      My bet is that someone put it there to share with someone else (either due to technical hurdles on the correct way of sharing things, or bureaucratic hurdles that were inconvenient). That other person grabbed it off the webserver and then it was forgotten that it was up there.

      It's at least plausible.

      IT Person A: "Hey, I need to run some stats on your mortgage figures for the boss. Can you send them over?"

      IT Person B: "We're not allowed to send that stuff as email attachments anymore and we're not in the same group for the file shares."

      IT Person A: "Can you put it on that webserver and just tell me the name of the file?"

      IT Person B: "Can do."

      Then Friday afternoon happens and the rest is history.

      1. Doctor_Wibble

        Entirely plausible but I'm still not clear on how a search engine/crawler is going to find the file without being told where it is unless the directory is exposed to be able to be listed or if the file is linked on a page unless said engine is psychic...? Possibly the server has its own search thingy that auto-updates by searching the 'library' filesystem for new files, and thereby helpfully presented said secret data on a silver platter.

        Alternatively, when someone was told to grab it from the web server they pasted the URL into the browser bar, the browser then automatically tried to match against something by talking to its search engine of choice, which then recorded the inadvertent search for posterity.

        Or I missed something - that's perhaps likely - but the search engine had to have some way of finding the file or knowing it or its contents existed.

  2. Ben Hodson

    The problem is that the penalties for these kind of screw ups are too lenient.

    Make the penalty fit the crime. All senior board members of companies that disclose customer data should be compelled to post naked pictures of themselves and wives/husbands. There - now they realise how it feels to have personal information exposed.

    Likewise, MDs of hospital cleaning firms should have to eat their lunch from the floor of randomly chosen toilets that their company cleans.

    MDs of chemical companies should have to bathe in the factory effluent on random occasions.

    Tell me these measures wouldn't be more effective.

    1. Anonymous IV

      @Ben Hodson

      Just wondering whether you have been involved with extraordinary rendition, water-boarding, and the like in your career? Your breadth of imagination could have come in very useful...

    2. Kracula
      Pirate

      Ditto

      I totally support your comment my dear fellow reader. I say enough to this 'corporate veil' nonsense. Corporations are made and run by people. Thus when a company messes up, the guy running it should be punished in such a way that he really gets how his error affected others.

      I for example, would have sent the entire BP Board of Directors to shovel oil from the beach.

      1. codejunky Silver badge

        Re: Ditto

        @ Kracula

        "Thus when a company messes up, the guy running it should be punished in such a way that he really gets how his error affected others.

        I for example, would have sent the entire BP Board of Directors to shovel oil from the beach."

        Would we also extend that to the minion who did it? The working Joe who cocked up (as it very well sounds), and what about his management team, fellow co-workers and the cleaning crew? Was the list put up maliciously? If so then go after the people involved. Was it an accident? You are talking about punishing people who didn't do anything wrong because an underling (how many times removed?) made a mistake. Who doesn't make mistakes? And some are nothing and some are serious.

        I assume the idea of attacking a guy at the top of the company is because you work for someone and resent it? Or maybe you think he has money so should be punished? Or do you think the blame for an accident (intentional or accident) should be arbitrarily assigned?

    3. Stevie

      The problem is that the penalties

      ... for these kind of screw ups are too lenient.

      I totally agree.

      However, your solution lacks practicality. I would suggest a "No bonuses for anyone" uckfup clause in the terms of employment. The bank squirts all over the web or lets someone in who does, the three-letter brigade go cap in hand that year with only their meager wages to survive on.

  3. Anonymous Coward
    Anonymous Coward

    Make the punishment fit the crime?? Then surely you mean, publish the board of directors' home phone numbers, home addresses, bank account details, social security numbers (or international equivalent) on the net. And give them some token 12 month protection from a credit company.

    1. DNTP

      Nonsense, we can't apply eye-for-an-eye principles here, since all the legal, financial, and insurance authorities are perfectly clear that the value of a CEO or director's refined, discriminating eye exceeds that of a common man's flaccid organ, used for nothing more than the study of infomercials and pornography of the basest order, by tremendous orders of magnitude.

  4. Anonymous Coward
    Anonymous Coward

    Google Snooping? Probably people just googling themselves

  5. Amorous Cowherder
    Facepalm

    "Since HSBC does not appear to be claiming that it suffered a breach by hackers it seems that it may have inadvertently stored the data in a manner that made it accessible on the internet."

    A1, first class excuse! "We weren't hacked sir! Honest! We simply put it there by mistake and some other, bigger boys read it sir!"

    1. Anonymous Coward
      Anonymous Coward

      Now that is *exactly* what I was thinking.

      "We waz hacked" ==> massive fine

      " We waz stuupid" ==> small fine, thus plenty left for fat bonuses

  6. Spaceman Spiff

    Oops...

    Actually, that would qualify as a major "Oh Sh!t!" moment. When the full scope of this gets out, HSBC will be scurrying to find a new business to be in, such as dog poop collector!

    1. Alister

      Re: Oops...

      When the full scope of this gets out, HSBC will be scurrying to find a new business to be in, such as dog poop collector!

      I am saddened by your trusting naivete.

      What HSBC will be doing, after all this has come out, is just what they are doing now. No action will be taken, and they will swan along as before.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oops...

        "What HSBC will be doing, after all this has come out, is just what they are doing now. No action will be taken, and they will swan along as before."

        Au contraire, they're a furrin company, and in the US that means that the machinations of the state and federal authorities will be loaded against them, when compared to the way a domestic company would be treated - or even investigated in the first place. It is unsurprising that there have been five major "money laundering" settlements in recent years with non-US banks (HSBC, Lloyds, ING, Standard Chartered, Credit Suisse) and only one against a US company (JP Morgan).

        HSBC can expect to be clobbered for a moderate to large fine (even if this is a "settlement without admission of guilt") and they will then be hounded by class actions from lawyers pretending to represent customers, and separately from lawyers pretending to represent shareholders. The adverse publicity will not help their business. Overlay the costs of restitution and credit monitoring, and this works out expensive.

  7. John H Woods Silver badge

    This is negligence, pure and simple...

    ... there's some pretty cost effective software I have come across that automates the discovery of personal content on publicly accessible web and file servers, and raises alerts accordingly. I think you might even be able to do it with Google Alerts if you used your imagination.

    Certainly the Goog, and other major search engines, could easily run a service which lets you know if it discovers things that look like bank account numbers, social security numbers, even addresses, on your site. You set up some exclusions, like the company's own address :-) obviously --- and as soon as you get a notification email, e.g. "The number of publicly accessible bank account numbers on your site has increased from 3 to 123,456, and the new instances are here: ..../path/to/cockup" then you can start doing something.
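    The kind of self-service monitor the comment above describes, written here as an added example (it is not code from the article, from The Register, or from any product the commenter alludes to): it walks a publicly served document root, counts SSN-shaped and account-number-shaped strings per file, masks them so the alert itself never repeats the secret, and compares the counts against a stored baseline so that a jump like the "3 to 123,456" case produces a report naming the new path. The SSN pattern follows the issued-number rules; the account-number shape (9 to 12 digits), the exclusion list and the sample files are assumptions constructed for the demonstration.

```python
"""Hypothetical PII-exposure monitor for a public web root (constructed example)."""
import json
import re
import sys
from pathlib import Path

# US SSN in dashed form. Area 000, 666 and 9xx, group 00 and serial 0000 are never issued,
# so excluding them cuts obvious false positives such as 000-00-0000 placeholders.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Assumed account-number shape: 9 to 12 consecutive digits, not part of a longer run.
ACCOUNT_RE = re.compile(r"(?<!\d)\d{9,12}(?!\d)")
PATTERNS = {"ssn": SSN_RE, "account": ACCOUNT_RE}

# Assumed exclusion list: values that are legitimately public, e.g. the company's
# own switchboard number, so they never count as an exposure.
EXCLUSIONS = {"0123456789"}


def mask(value):
    """Keep only the last four characters; alerts must not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text):
    """Return {kind: [matches]} for one document, with excluded values dropped."""
    found = {}
    for kind, rx in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(text) if m.group(0) not in EXCLUSIONS]
        if hits:
            found[kind] = hits
    return found


def scan_files(files):
    """files: {relative_path: text}. Return {path: {kind: count}} for files with hits."""
    report = {}
    for path, text in files.items():
        found = scan_text(text)
        if found:
            report[path] = {kind: len(hits) for kind, hits in found.items()}
    return report


def scan_tree(root):
    """Read every regular file under root and scan it (binary junk is tolerated)."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            try:
                files[str(p.relative_to(root))] = p.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole run
    return scan_files(files)


def totals(report):
    """Site-wide count per kind, the figure a notification email would quote."""
    t = {}
    for counts in report.values():
        for kind, n in counts.items():
            t[kind] = t.get(kind, 0) + n
    return t


def new_exposures(baseline, current):
    """(path, kind, before, after) for every count that rose since the baseline."""
    alerts = []
    for path, counts in current.items():
        for kind, n in counts.items():
            before = baseline.get(path, {}).get(kind, 0)
            if n > before:
                alerts.append((path, kind, before, n))
    return sorted(alerts)


# Constructed sample content standing in for two crawls of the same web root.
BASELINE_FILES = {"about.html": "Call us on 0123456789 for mortgage advice."}
CURRENT_FILES = {
    "about.html": "Call us on 0123456789 for mortgage advice.",
    "export/mortgages.csv": (
        "name,ssn,account\n"
        "A Person,123-45-6789,987654321012\n"
        "B Person,234-56-7890,987654321013\n"
    ),
}

if __name__ == "__main__":
    # Usage: monitor.py <docroot> <baseline.json>; the baseline is rewritten after each run.
    docroot, baseline_path = sys.argv[1], Path(sys.argv[2])
    baseline = json.loads(baseline_path.read_text()) if baseline_path.exists() else {}
    current = scan_tree(docroot)
    for path, kind, before, after in new_exposures(baseline, current):
        print(f"ALERT {kind}: {path} went from {before} to {after}")
    print("totals:", totals(current))
    baseline_path.write_text(json.dumps(current))
```

Run against a document root and a baseline file, the script prints one line per path whose count rose and then persists the current counts as the next baseline. Matching on shape alone will still flag some order numbers and timestamps as "accounts", which is why the report carries counts and paths rather than raw values: a human confirms the hit, and confirmed public values go on the exclusion list.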

  8. Stevie

    Bah!

    Again?

  9. Anonymous Coward
    Anonymous Coward

    Google is the database

    Krebs had an article last year of a US mortgage company accidentally doing the same thing because their Oracle Forms installation had some setting for auto-publishing to the web, i.e. auto-importing into Google.

    You don't really need hackers when the information systems themselves have no concept of internal vs external network.

    I had a potential client that wanted me to engineer an 'XML database' to make some data publicly available and searchable over the web. I told them if it was 1990 something like this might make sense - today you can just put whatever it is, in any format, on a public web server and Google will index it for you.

  10. skeptical i
    Unhappy

    So, why do we even have social security numbers?

    Once upon a time, there was a "not to be used for identification" notice on SS cards, then that caution disappeared once someone realized that SS numbers = unique-ish human serial numbers, happy day. But with them being spaffed hither and yon with alarming regularity (hackers, cock-ups, whatever) one wonders if they need to be downgraded in importance from 'key to one's identity' to 'just another number, like a phone number' so the inevitable loss cannot create havoc on the victims of these breaches. (No, I don't have a better idea, sorry.)

    1. Captain DaFt

      Re: So, why do we even have social security numbers?

      Well, Social security numbers are how the government tells John Smith from John Smith and John Smith. It's basically just a more unique 'name' than a person's regular name.

      As such, its only use in security should be the same as a person's name, no more, no less.

      1. tony2heads
        Big Brother

        Re: So, why do we even have social security numbers?

        Life becomes more like 'The Prisoner' every day

        I am not a number
