Storage device reported stolen from insurer RSA's data centre

The insurance company formerly known as Royal & Sun Alliance but now going by the confusing-for-Reg readers “RSA” says “a data storage device has been reported as stolen from one of our data centres.” The firm's sparse customer notice and press statement say the device contained names and addresses, bank account and sort code …

  1. PCS

    A slow news day at El Reg?

    1. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Slow day? I would've thought a theft from a data centre and leak of customer data ranked as a decent piece of news.

      1. Destroy All Monsters Silver badge
        Windows

        ...the feel when

        9/14 starts the same way as 9/11. Slow.

      2. DubyaG

        It happens too often now. Data breaches are a daily thing and I just assume my data is out there flapping in the breeze.

  2. This post has been deleted by its author

  3. Bloodbeastterror

    Slow news day...?

    Well, considering the previous story was "Viper sinks fangs into unwary Indian farmer's todger"... :-)

  4. Electron Shepherd
    Thumb Down

    Weasel words from those looking to evade culpability

    From http://rsagroup.com/rsagroup/en/home/Customer-Notice#.VfX7oJ2qpHx:

    Will you be compensating your customers?

    We have taken precautions to protect our customers through Cifas. No customer has reported any theft or fraudulent activity to date and we will monitor the situation going forward.

    Notice how the response doesn't actually answer the question...

    Perhaps El Reg should contact Louise Shield, Director of External Communications (from the PR page) and ask her direct?

    1. JayBizzle

      Re: Weasel words from those looking to evade culpability

      Should have seen the crap that Carphone Warehouse came out with. Disgusting attitude and put it all at the door of the consumer and their banks to sort it out.

      If this keeps happening then I'm afraid there will be pressure to legislate against this and make the companies take full responsibility for their (lack of) actions.

      At least RSA offered to do something.

      1. Turtle

        @JayBizzle Re: Weasel words from those looking to evade culpability

        "If this keeps happening then I'm afraid there will be pressure to legislate against this and make the companies take full responsibility for their (lack of) actions."

        To me, personally, such an outcome is not something of which to be "afraid". Actually, the phrase "fervently to be desired" comes to mind.

  5. TonyJ

    And here we go again. We're just numbers and pound signs and when they expose us to risk they laugh it off like it's no big deal.

    I wonder how they'd feel if their board of directors had their personal and financial details stolen.

    1. ItsNotMe
      Mushroom

      "I wonder how they'd feel...

      ... if their board of directors had their personal and financial details stolen."

      First...the Board would all be fired.

      Second...the Board would all leave with large 7 figure severance packages.

      Third...the Board members would all pop up at other organizations within a year or so with 7 figure compensation packages.

      Fourth...rinse & repeat.

  6. Anonymous Coward

    More likely a server was nicked.

    Most people with access to data centers know that unplugging a random device or tampering with live kit might set off alarms or be caught on CCTV. I suspect some opportunistic contractor maybe spotted a small expensive (1U server) computer that he/she could nick and either flog for spares or use as a desktop at home.

    It's likely this server was already de-racked for some project and stored in a cupboard giving the contractor the unobserved opportunity for this heist, hence why RSA believe that it wasn't nicked for the data.

    I once heard a story that during a previous server heist the thief actually went to the trouble of removing the server's hard drives and leaving them behind and thus reducing the urgency for the company to trace the thieves. - Not sure if this is an urban legend

    1. TonyJ

      Re: More likely a server was nicked.

      "...I once heard a story that during a previous server heist the thief actually went to the trouble of removing the server's hard drives and leaving them behind and thus reducing the urgency for the company to trace the thieves. - Not sure if this is an urban legend..."

      I have heard similar but hot-plug, press-a-couple-of-buttons-and-pull-them-out HDDs have been around what? 20+ years? This isn't as unlikely as the days of taking the time to strip one down to remove them would be.

      Speaking of 20+ years ago when I used to fix hardware for a living, we had a ProLiant 1500 tower come in all battered. Not only were these beasties quite large they were also heavy at (as I recall) around 45-55Kg.

      The story I got from the customer was that one of their security guards caught a guy climbing down a drainpipe holding this thing under one arm and when challenged, he threw it at the guard and did a runner!

    2. Wzrd1 Silver badge

      Re: More likely a server was nicked.

      We keep USB HD's around the data center for capturing the system image after a compromise. The drives then are shipped off to the analysis group to counter today's exploit.

      It could be that one of those drives went astray, either during shipping or disappeared when returned by analysis.

  7. Martin hepworth

    credit monitoring

    So all they do is give credit monitoring for X months.

    Great so I know after I've had my details abused..

    1. John Brown (no body) Silver badge

      Re: credit monitoring

      Yes, that was my first thought too.

      All these companies ever seem to offer is 12-24 months of "credit monitoring". Big deal. If that data gets out into the wild, it's their forever. Maybe "they" think we all change our bank accounts regularly. Well, I for one, don't. I have had the same bank account since I was 16. That's 47 years. If my details are compromised due to the ineptitude of some organisation then I want compensation for all the stress and effort of changing my bank account before the "credit monitoring" service reaches end of life and starts spamming me with "please pay to continue" crap.

      1. Anonymous Coward
        Headmaster

        Re: credit monitoring

        @63 years old, you should know the difference between "their" and "there".

  8. Doctor Syntax Silver badge

    Don't overlook the obvious

    A laptop is just as likely as a tape drive and more easily sold

  9. David Roberts
    WTF?

    Old news?

    Or is this in addition to the theft of a storage device from Lloyds Bank containing details of RSA customers reported 3 days ago?

    1. Anonymous Coward

      Re: Old news?

      It's the same story, but without the sensationalism and inaccurate reporting that the data was stolen from Lloyds Bank. It was Lloyds customer data stolen from RSA. But that doesn't make a good headline.

  10. Anonymous Coward

    probably a spare RAID disk..

    now whirring in someone's home server. Also more than likely therefore contained only data fragments rather than full datasets.

  11. Hans Neeson-Bumpsadese Silver badge

    Data

    While any sort of data loss should be frowned on, let's try and get a measure of the seriousness of this.

    If the customers' data stolen was names, account numbers, sort codes, etc., then exactly how much of a risk does that pose to the customers?

    That's the sort of info that's on every check I write, every direct debit form I complete, i.e. it's hardly privileged information.

    1. Bloodbeastterror

      Re: Data

      "exactly how much of a risk...?"

      Maybe you never read this about the UK's number one loudmouth?

      http://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

      Couldn't have happened to a nicer chap...

    2. Wzrd1 Silver badge

      Re: Data

      "If the customers' data stolen was names, account numbers, sort codes, etc., then exactly how much of a risk does that pose to the customers?"

      Well, give us all your name, address, account and routing number and your education will be well worth the price.

  12. Friar

    Here we go again

    History repeats - http://www.theguardian.com/money/2008/aug/26/consumeraffairs.banks

  13. Captain Badmouth
    Pirate

    The lady of the house was given a leaflet for "immobilise" by a police person in town the other week inviting people to register their valuables on their "secure website" so that any stolen items could be returned if recovered etc. "All this means", I said, "is that when (not if) their database is compromised the crooks will have a nationwide shopping list at their disposal".

    https://www.immobilise.com/

    1. Bloodbeastterror

      "crooks will have a nationwide shopping list..."

      Astute observation...

      https://grahamcluley.com/2015/01/immobilise-national-property-register-data/

      1. Captain Badmouth

        Shit. It's even worse than I would have imagined - that easy? Nice to be proven right, will show the lady of the house later tonight.

  14. CAPS LOCK

    Does the ICO take a view on this?

    Or is a bank 'Too Big to Spank'?

  15. Sorry, handle already taken

    Encrypted or not?

    As there is no mention in anything from RSA whether or not this information was encrypted, then I guess it wasn't. That's going to make quite a difference when the ICO imposes a fine (which they almost certainly will).

  16. Anonymous Coward

    RSA Security

    RSA the company (part of EMC) and even RSA the encryption people (Ron Rivest, Adi Shamir, and Leonard Adleman) aren't going to be impressed if the data was not encrypted by RSA the insurer.

    But seriously, no CCTV tapes? Sure, many people go in and out, but someone should be worried that these tapes are being scrutinised. How long was it before they knew the device was removed?

    Zurich aren't going to be impressed either but fortunately for RSA staff their record seems even worse (http://www.computerweekly.com/news/1519296/Zurich-Insurance-breach-payment-Data-breach-fine-highest-on-record) and that too from a data centre (backup tapes).
