Million bank details sold on eBay

A computer hard disc containing one million sets of bank details was bought on eBay for just £35. The secondhand PC contained details of customers from American Express, NatWest and Royal Bank of Scotland. The files included names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers' …

COMMENTS

This topic is closed for new posts.
  1. Lord of Dogtown
    Heart

    Welcome to my details

    I can't get credit for toffee these days, if a fraudster gets credit under my name I would welcome a few tips.

  2. Anonymous Coward
    Anonymous Coward

    I'm finally going to...

    ... get off my arse and change my bank account now. Been with NatWest for just tooooo long and this has given me the final push I need.

  3. Andy Worth

    Err.....oops?

    I simply can't understand why it isn't standard policy to secure-wipe these drives before they are re-sold. Jeez there's even free software on Sysinternals that lets you delete files to DOD standards.

  4. Julian I-Do-Stuff
    Paris Hilton

    I Wonder....

    I dare say he's done the decent thing and given the disk back, but maybe he should have solicited bids for the data in order to set a price - then he could reasonably offer to sell it back to the careless previous owner for a nominal premium on the market value...

    Which raises an interesting question: if one legitimately comes into possession of such information, e.g. by buying a disk from someone who had proper title to it, is any offence committed or tort created by selling the information content on?

    I hope the original owners are suitably chagrined/embarrassed/out of pocket

    Paris - because as the great gag list quoted Joan Rivers re: embarrassment: ~"Poor Paris' parents - how humiliating to have your daughter make a pr0n flick... in a Marriott"

  5. Andrew Moore

    Fire him.

    If any IT Manager I employed bought hardware through ebay I would fire him.

  6. N

    Muppets, here we go again...

    How reassuring to see our banks follow the standards set by our hopelessly insecure government, spraying confidential data everywhere. Have they still not heard of strong encryption?

    ID Cards anyone?

  7. Ferry Boat

    Under a Duffy Moon

    So RBS outsource their data archiving and it looks like a machine used by the archiving company has made it onto Ebay. I wonder how outsourcing data archiving is cost effective. I would have thought it's quite reasonable to do in-house. If it is outsourced then surely it ought to have been encrypted. I've always worked on the principle that if the data leaves the control of the firm it's primarily been entrusted to then it should be encrypted or identifying information should be replaced or removed.

    I hope there are big fines for Graphic Data/Mailsource if they are at fault. If the machine was sold illegally then the 'seller' should be prosecuted. I don't quite see how RBS are at fault other than choosing a company that is not up to the job.

    As with all of these things I'd love to know how the data has been stored. MS SQL database, Excel spreadsheet (everyone knows spreadsheets are the best databases) or just in a plain text file.

  8. Paddy Smith
    Unhappy

    Encryption?

    This sort of stuff is archived in unencrypted files? On portable machines? That is perhaps the real story here.

    Hope the vendor put that £35 somewhere safe, like in a bank account.

  9. Brian Miller

    So does that mean that they are safe??

    If the winner has openly proclaimed that he has the data, does that mean this time it is safe from being used for malicious purposes?

    I hope so, cause if my account gets snaffled into, I will be looking around for this Andrew character.

    I bank with RBS so they better damn well tell me if mine were included.

  10. Anonymous Coward
    Alert

    What's the point ?

    As an IT Professional and certified CISSP I can't believe the lack of concern shown by most businesses when dealing with sensitive data, which they have a legal obligation to protect - most don't have a clue.

    At least 99% of the time I deal with a new company they are (at least) complacent about endpoint security and data loss, explaining that "it will never happen to them". They would much rather spend money on BMWs for the directors and software to produce more money or do fancy reports.

    But when something like this happens, it affects everyone and your average consumer just doesn't care, or certainly doesn't bother doing anything about it.

    I take extreme care to have my details removed from public records and value my identity, but if my bank (one of those mentioned) is going to be so sloppy with sub-contractors, what's the point?

    Unless businesses start to suffer as a result of losing data and clients wise-up and start bothering to sue for damages when this happens we'll just continue with this apathetic approach.

    The first thing that consumers need to do is to write a letter to the bank, then seriously consider moving to a new bank.

    After all, a bank without customers is, erm bankrupt ? You only have to look at Northern Rock to see what consumer power can achieve (probably in the wrong way, in that instance).

    Because the perceived threat of losing your identity is much less tangible than the threat of losing your savings, people just don't care.

    Every customer of those banks should be calling and kicking off about their identity being "misplaced". It's the only way to get something done. A few grand fine from the Data Commissioner (god bless their valiant attempts) isn't going to upset the banks or Graphic Data.

  11. Kevin Whitefoot
    Boffin

    What I don't understand ...

    is why all this information ever ends up in local storage.

    Surely no one ever needs to copy millions of records to an insecure machine. Can't they run scripts on a server to do whatever analysis they need?

    At least that's what is done on the systems I design, build, and maintain (and practically every other system I have been professionally involved with). And it applies to file based databases like Access and dBase as well, although there is unavoidable copying and caching in the background in these cases of course.

    I would write more but it occurs to me that anyone who would create such opportunities for such massive data loss isn't likely to have a long enough attention span to read it.

  12. caffeine addict
    Joke

    contract completed

    Well, to be fair, they did pay for an off site backup...

  13. Alex
    Boffin

    @Andy Worth & @Andrew Moore

    @Andy Worth

    Would depend if the laptop was 'officially' allowed to be sold. Doesn't move away from the fact that it wasn't encrypted.. or it could have been held for quite a while, unbeknown to the organisation... happens.

    Let's face it, it'd be a really old laptop to go for 35 quid!! Probably gathered dust and some opportunist nicked it knowing it wouldn't be missed!

    @Andrew Moore

    Why would you do that? You mean if the IT department SOLD stuff on eBay, right? Yeah I get that... Sometimes you can only buy spare parts off eBay to keep things going until the migration can take place. Not everyone has a bottomless budget mate.

  14. Anonymous John

    From the Mail article

    Graphic Data said: 'Certain pieces of IT equipment have been removed from a secure area. We are seeking to recover this equipment, which apparently contained customer data.

    'We take customer privacy and data security very seriously.'

    They do?

  15. Anonymous Coward
    Anonymous Coward

    Yup, agree, most don't have a clue.

    Having said that, IT is in some cases to blame as well.

    Many times I have come across situations which were set up for convenience rather than doing the Right Thing. The flipside is that not-so-bright directors get annoyed with "all this security crap" - just make sure you get it in writing if you ever have to lower the barriers..

    I once reviewed a large lawyer firm and discovered every senior partner had their laptop hard disk shared at root level so the techs could get at it. So, the most confidential data was accessible by the holiday job school kid..

  16. djh

    @ Andrew

    "If any IT Manager I employed bought hardware through ebay I would fire him."

    Can't wait for the unfair dismissal case on that one...

    Ever considered it was for his own personal use? Or if not - how about for parts for the obsolete hardware his boss won't let him decommission - "That costs too much - make do with what you've got".

    How's the air up there on your high horse?

  17. Anonymous Coward
    Unhappy

    Oh crap

    I have a One Account. RBS own them. I'm just trying to make contact with them and see if I am affected or not and what they intend to do about it.

    I will not be settling for the PR bullcrap.

  18. Anonymous Coward
    Anonymous Coward

    @Andy Worth

    "I simply can't understand why it isn't standard policy to secure-wipe these drives before they are re-sold. Jeez there's even free software on Sysinternals that lets you delete files to DOD standards."

    The word "missing" in the story suggests that the hardware wasn't legitimately resold. Now I know the company concerned probably aren't going to come out and say the gear was stolen, that would make it look like their premises aren't secure. But by the sound of the story the hardware in question found its way onto ebay without their knowledge.

    BTW it is sound policy never to sell on hard disks that have stored sensitive data. Formatting, writing zeroes and even degaussing aren't really enough. Physical destruction is the only way to be secure.

  19. Anonymous Coward
    Flame

    @Andrew Moore - try and stay focussed for 30 seconds !

    "If any IT Manager I employed bought hardware through ebay I would fire him."

    I bought 3 open box proliant servers from eBay for a client. When I say open box, obviously the boxes were sealed when they arrived - but obviously had been opened at some point - yet the equipment was clearly brand new and still showed 34 months' HP warranty (which was never needed).

    I paid £12K for 3x when HP distribution wanted £21K each.

    My client was very happy with that, even though they had been shipped from Australia, they were around £50K less.

    If Andrew Moore has that much money to throw around I can only assume he works in Government or for BT (or of course - a bank).

    But that's really not the point.

    The point is that my bank, your bank, the department of transport / health / defence / "homeland security" / steak pies etc. (delete as appropriate) are passing around details of our most sensitive data unencrypted on a laptop, be it through a third party or not, it's their obligation to protect the data you MUST give them.

    I am very happy that the guy that bought it - brought it to the attention of the press, so the press can inform the banks and the government what their policies should be. God forbid the commercial or government sector doing it right before being paraded as right whoopsies in front of the world media.

    Resignations - I doubt it.

    There's bound to be an inquiry that finds that there was a breakdown in the systems that was "not attributable to any single person or department".

  20. Wize

    @ Andrew

    "If any IT Manager I employed bought hardware through ebay I would fire him."

    I've had to get old junk off ebay to support customers' systems built in the 70s and 80s. It's hard to find things of that age in PC World.

  21. Tomothy Toemouse

    I am a criminal

    say I was, anyway. I hope the computer isn't at his house or his business as I would be looking for addresses of both...

    as to comments on "local storage" the machine pictured in the mail looks like a 3U server with four hard drives

    the excuse from the company that it was sold by an ex-employee seems a bit thin. Big companies I know of don't sell their old kit to employees.

    why was it not encrypted, though?

  22. andy gibson
    Coat

    @ Andrew Moore

    I'm an IT Manager. Being in "the biz" I know the price of IT stuff and always look out for bargains on Ebay for *personal* use. How do you know that the guy in the article isn't doing the same?

    My corporate IT purchases can only come from vetted and approved businesses with pre-arranged accounts. Any spending on Ebay would have to come from my own pocket and I'm hardly likely to do that for work.

  23. Anonymous Coward
    Pirate

    @Kevin Whitefoot

    Exactly what I was thinking Kevin! Why is this data allowed to be extracted out and let loose?

    Oh yes, muppet project manager/data analyst/director requests it and kicks up a stink with the CTO if they don't get it.

    We are living in these amazing connected times. We have fixed BB and mobile BB and in between encrypted access to company systems from "da intaweb". For crying out loud, surely the cost of a mobile broad-band card/dongle and an RSA token pales into insignificance against the bad PR that this sort of thing causes? Then again I suppose you could sum it up, given the horrendous levels of management in most companies, "S'not my problem, someone else can carry the can!", pure and simple apathy.

  24. Chris Walker
    Thumb Down

    Buying hardware through eBay?

    "If any IT Manager I employed bought hardware through ebay I would fire him."

    Unless of course it runs contrary to internal procurement rules, why?

    Hardware is hardware is hardware in all but a few areas; commodity boxes, the like of which abound on eBay, are fine for most things I can think of.

    Unless you object to the idea of saving money, and reusing existing machines (and therefore doing your 'bit' for environmentalist considerations).

    Frankly I suspect your comment is also in danger of breaking equality laws too; implying as it does that you only ever employ males in the role ;)

  25. Anonymous Coward
    Flame

    I just heard this on the news and stormed online to get full details.

    PUT THEM IN JAIL

    ENOUGH MESSING ABOUT WITH FINES, WARNINGS and "we take your data very seriously"s

    Millions of people's private data.. Medical records...financial details... etc..... is priceless. Once it's out there, that's it. You can't put a price on the damage it can do (and when someone does, it is pathetically low)

    If the computer was only worth £36 then surely they could have just destroyed it after they got all their use out of it? In fact, they should have to destroy all the old computers, since they can't seem to manage basic data protection or erase information properly. Not that they would do that either I guess.

  26. Scott
    Stop

    @Alex

    Who said anything about a laptop? The photo in the MoS story shows a Quantum Snap rackmount NAS server. Sounds like a former employee of Graphic Data helped himself to a few "leaving presents" when he went...

  27. Justin
    Stop

    Could one have slipped through the net

    It could be as simple as slipping through the net.

    I have lost count of the number of hardware disposal companies that have tried to get my business, a couple of things they all say....

    "We will wipe your data"

    and the golden one

    "Reduce your invoice if the hardware can be RESOLD"

    How it's resold I never found out, but perhaps to employees.

    Anyway this incident is bad for both Graphic Data and RBS.

  28. Stuart Oram
    Thumb Down

    Retention of hard drives?

    OK, so fine, contract out the disposal of equipment, but surely in ANY business at any level, hard drives should be retained in-house to be physically destroyed?! Surely that is just common sense.... something which many businesses seem to be lacking....

  29. Alan Ferris
    Paris Hilton

    Enormous savings to be made now

    Now I have no need to buy a shredder.

    Why bother shredding sensitive data when the banks give it away!

    Paris, 'cos I'm told she gives it away too

  30. Toastan Buttar
    Alien

    ob: Aliens quote

    "Formatting, writing zeroes and even degaussing aren't really enough. Physical destruction is the only way to be secure."

    Nuke it from orbit. It's the only way to be sure.

  31. Mike Crawshaw
    Flame

    Talking to NatWest...

    I'm a NatWest customer. Great.

    So I phone customer services, who give me the number for the press office. Who tell me that I need to speak to customer relations, and put me through. Mildly incompetent start, promising. At least I wasn't on hold for long.

    Conversation Synopsis (phrasing is mine from notes jotted down, content / substance has been preserved):

    Q: "Can you tell me whether my data has been compromised?"

    A: "We don't know, there's an investigation ongoing."

    Q: "Will customers whose data has been compromised be proactively contacted by NatWest / RBS to let them know this is the case?"

    A: "We don't know, there's an investigation ongoing."

    Q: "Will customers be compensated for the fact that NatWest have allowed their customers' confidential information into the public domain?"

    A: "We don't know, there's an investigation ongoing."

    Q: "Have you been given any statement for customers who may have been affected by this issue?"

    A: "No, I know about as much as you do at the moment, we haven't been given any information beyond what is available in the newspapers."

    Q: "Can you advise what course of action customers should take if they believe they may have been affected by this data breach?"

    A: "We would advise customers to continue to check their statements carefully, and immediately report any suspicious transactions to us. We will of course refund any transactions that have been made fraudulently."

    Q: "Have you been given any timescales for being able to give more definitive answers regards my earlier questions?"

    A: "No, we haven't. There is an investigation ongoing at the moment, and we would expect to have further information available in the near future."

    In other words, they don't know shit at the moment. But I ain't gonna take it out on the phone-drones, cos they're being treated just as much like mushrooms as the customer base.

  32. Anonymous Coward
    Flame

    Laptop / Workstation / Server / NAS Whatever

    == QUOTE ==

    details of our most sensitive data unencrypted on a laptop

    == UNQUOTE ==

    I didn't actually mean that this event was specific to a laptop - I meant that the (especially sensitive) data should be harder to get at than picking up a box and walking off with it, with encryption being the most obvious answer.

    Everybody knows that brand new £20K server will be an old dog worth £35 in a few years, at that point, the disposal becomes a cost burden and nobody cares if it gets "lost" between the data centre and the skip.

    The only way to keep data secure is to secure the data even when it's actually in use - even if adding encryption slows down the server a bit. This needs to become industry standard these days, not special for Banks and the MoD.

    BTW - @ Andrew Moore - Are your laptops and desktops encrypted with strong encryption, do you enforce unencrypted USB drives not being used?

  33. Kevin Whitefoot
    Dead Vulture

    Re: Retention of hard drives?

    This stuff should never have been on any drive outside a secure datacentre. Concentrating on the hardware is missing the point.

    There is no dead horse icon so I'll make do with the vulture (or is it a puffin?).

  34. Anonymous Coward
    Alert

    WTF!

    Having just seen a picture (MoS website) of this Rack Mounted Server complete with 4 hard drives, this has to be a case of equipment theft rather than data loss; even the scrap value is way more than £35.

  35. Alex
    Heart

    @Scott

    I stand corrected - I'm sure Radio 5 said it was a laptop....

    Cheers ears!

  36. Anonymous Coward
    Coat

    @"@Andrew Moore - try and stay focussed for 30 seconds ! "

    "If Andrew Moore has that much money to throw around I can only assume he works in Government "

    No no.. please.. stop it.. it's hurting.. I can't breathe from all this laughter..

    One Certificate of Muppetry on its way to you!

    Mine's the one with the DVD of "Pigs in Spaaaaaaaaaaace...."

  37. Anonymous John

    @@Scott

    The BBC 1pm news referred to it as a laptop, then a server.

  38. Anonymous Coward
    Anonymous Coward

    You don't get any

    Confidential data found on a discarded Wyse 120.

  39. Kev K
    Dead Vulture

    LMFAO @ Graphic data

    We used to sell them hardware & support - they were (are?) the biggest bunch of cowboys going - I wouldn't trust them to archive my toilet paper

  40. Anonymous Coward
    Alert

    Quotes from the RBS website

    "If a fraudster has some - but not all - of your security details, they may try to guess the rest. That's why we will temporarily disable your account if someone makes too many failed attempts to log in.

    But don't worry if you've simply forgotten some of your security details. Simply follow the instructions on screen to regain access to your account."

    Contradiction in terms? Doesn't exactly fill me with confidence...

    "Protect your computer

    Computer security doesn't have to be daunting - just follow these simple steps.

    If your computer isn't secure, losing your data could be the least of your worries."

    Maybe they should follow their own advice before patronising their customers.

  41. Anonymous Coward
    Stop

    "How RBS protects you"

    From http://www.rbs.co.uk/global/f/security/security-advice/we-protect-you.ashx

    "Steps we're taking to keep you safe

    Make no mistake - we take your security very seriously indeed. In fact, we've invested in a host of measures that help protect you and your money."

    I beg to differ...

  42. ShaggyDoggy

    Backup copy

    Since the guy now legally owns the £35 hardware, surely he should take a backup copy of his property, for security reasons of course. Also if Graphic Data want it back, they would need to pay him the going rate for a NAS server. LOL

  43. Anonymous Coward
    Anonymous Coward

    'Confidential' information?

    While I concede that presenting the information of a million customers in one list is indeed handing it to the crooks on a plate, I'm not entirely clear how much of this information is in any sense secret.

    Your address can be obtained from the electoral roll if not the phone book. You can view the Births, Marriages, and Deaths register for the whole country for a modest fee (from which you can identify an individual's parents, and from their records the maiden name of the mother). Your account details are printed on cheques, as is your signature if it's a signed cheque! People tend not to treat these as confidential documents, and it wouldn't be hard for a determined thief to photocopy cheques at a utility company's accounts receivable department, for example.

    Yes, a suitably informed individual can make it harder to obtain this information, but none of it is strictly secret. The real issue is the fact that all of this non-secret information is deemed by the banks to be sufficient to identify a person, without going back to the old-fashioned two-out-of-three of something you know, something you have, something you are...

  44. Danger Mouse
    Linux

    £35 Cheap as in CHIPS

    I wouldn't mind a Quantum Snap rackmount NAS server with the drives still in, if anyone sees any more on ebay for £35 please give me a shout.
