A slow news day at El Reg?
Storage device reported stolen from insurer RSA's data centre
The insurance company formerly known as Royal & Sun Alliance but now going by the confusing-for-Reg readers “RSA” says “a data storage device has been reported as stolen from one of our data centres.” The firm's sparse customer notice and press statement say the device contained names and addresses, bank account and sort code …
COMMENTS
-
Monday 14th September 2015 08:37 GMT Electron Shepherd
Weasel words from those looking to evade culpability
From http://rsagroup.com/rsagroup/en/home/Customer-Notice#.VfX7oJ2qpHx:
Will you be compensating your customers?
We have taken precautions to protect our customers through Cifas. No customer has reported any theft or fraudulent activity to date and we will monitor the situation going forward.
Notice how the response doesn't actually answer the question...
Perhaps El Reg should contact Louise Shield, Director of External Communications (from the PR page) and ask her direct?
-
Monday 14th September 2015 09:30 GMT JayBizzle
Re: Weasel words from those looking to evade culpability
Should have seen the crap that Carphone Warehouse came out with. Disgusting attitude and put it all at the door of the consumer and their banks to sort it out.
If this keeps happening then I'm afraid there will be pressure to legislate against this and make the companies take full responsibility for their (lack of) actions.
At least RSA offered to do something.
-
Monday 14th September 2015 11:08 GMT Turtle
@JayBizzle Re: Weasel words from those looking to evade culpability
"If this keeps happening then I'm afraid there will be pressure to legislate against this and make the companies take full responsibility for their (lack of) actions."
To me, personally, such an outcome is not something of which to be "afraid". Actually, the phrase "fervently to be desired" comes to mind.
-
Monday 14th September 2015 14:31 GMT ItsNotMe
"I wonder how they'd feel...
... if their board of directors had their personal and financial details stolen."
First...the Board would all be fired.
Second...the Board would all leave with large 7 figure severance packages.
Third...the Board members would all pop up at other organizations within a year or so with 7 figure compensation packages.
Fourth...rinse & repeat.
-
Monday 14th September 2015 08:51 GMT Anonymous Coward
More likely a server was nicked.
Most people with access to data centers know that unplugging a random device or tampering with live kit might set off alarms or be caught on CCTV. I suspect some opportunistic contractor maybe spotted a small expensive (1U server) computer that he/she could nick and either flog for spares or use as a desktop at home.
It's likely this server was already de-racked for some project and stored in a cupboard giving the contractor the unobserved opportunity for this heist, hence why RSA believe that it wasn't nicked for the data.
I once heard a story that during a previous server heist the thief actually went to the trouble of removing the server's hard drives and leaving them behind and thus reducing the urgency for the company to trace the thieves. - Not sure if this is an urban legend
-
Monday 14th September 2015 09:16 GMT TonyJ
Re: More likely a server was nicked.
"...I once heard a story that during a previous server heist the thief actually went to the trouble of removing the server's hard drives and leaving them behind and thus reducing the urgency for the company to trace the thieves. - Not sure if this is an urban legend..."
I have heard similar but hot-plug, press-a-couple-of-buttons-and-pull-them-out HDDs have been around what? 20+ years? This isn't as unlikely as the days of taking the time to strip one down to remove them would be.
Speaking of 20+ years ago when I used to fix hardware for a living, we had a ProLiant 1500 tower come in all battered. Not only were these beasties quite large, they were also heavy at (as I recall) around 45-55Kg.
The story I got from the customer was that one of their security guards caught a guy climbing down a drainpipe holding this thing under one arm and when challenged, he threw it at the guard and did a runner!
-
Tuesday 15th September 2015 06:51 GMT Wzrd1
Re: More likely a server was nicked.
We keep USB HDs around the data center for capturing the system image after a compromise. The drives then are shipped off to the analysis group to counter today's exploit.
It could be that one of those drives went astray, either during shipping or disappeared when returned by analysis.
-
Monday 14th September 2015 13:27 GMT John Brown (no body)
Re: credit monitoring
Yes, that was my first thought too.
All these companies ever seem to offer is 12-24 months of "credit monitoring". Big deal. If that data gets out into the wild, it's there forever. Maybe "they" think we all change our bank accounts regularly. Well, I for one, don't. I have had the same bank account since I was 16. That's 47 years. If my details are compromised due to the ineptitude of some organisation then I want compensation for all the stress and effort of changing my bank account before the "credit monitoring" service reaches end of life and starts spamming me with "please pay to continue" crap.
-
Monday 14th September 2015 10:05 GMT Hans Neeson-Bumpsadese
Data
While any sort of data loss should be frowned on, let's try and get a measure of the seriousness of this.
If the customers' data stolen was names, account numbers, sort codes, etc., then exactly how much of a risk does that pose to the customers?
That's the sort of info that's on every check I write, every direct debit form I complete, i.e. it's hardly privileged information.
-
Monday 14th September 2015 11:35 GMT Captain Badmouth
The lady of the house was given a leaflet for "immobilise" by a police person in town the other week inviting people to register their valuables on their "secure website" so that any stolen items could be returned if recovered etc. "All this means", I said, "is that when (not if) their database is compromised the crooks will have a nationwide shopping list at their disposal".
https://www.immobilise.com/
-
Monday 14th September 2015 23:54 GMT Anonymous Coward
RSA Security
RSA the company (part of EMC) and even RSA the encryption people (Ron Rivest, Adi Shamir, and Leonard Adleman) aren't going to be impressed if the data was not encrypted by RSA the insurer.
But seriously, no CCTV tapes? Sure, many people go in and out, but someone should be worried that these tapes are being scrutinised. How long was it before they knew the device was removed?
Zurich aren't going to be impressed either but fortunately for RSA staff their record seems even worse (http://www.computerweekly.com/news/1519296/Zurich-Insurance-breach-payment-Data-breach-fine-highest-on-record) and that too from a data centre (backup tapes).