Five-year-old wanders into bank branch after-hours
Date Reported:
2/6/08
Organization:
HSBC Group (UK)
Contractor/Consultant/Branch:
Market Place, Easingwold
Victims:
Potentially customers, but no confirmed loss or theft occurred
Number Affected:
Unknown
Types of Data:
Potentially customer banking records
Breach Description:
The HSBC branch in Easingwold was found unlocked during non-business hours on Saturday, February 2nd. A five-year-old boy wandered into the bank while his father was using the cash machine. The bank had been closed and unattended since 4:30 the previous day, and no alarms sounded.
Reference URL:
The Northern Echo online story
The Press online story
Report Credit:
The Northern Echo
Response:
From the online sources cited above:
Little Oliver was at the HSBC with mum, Alison, and dad Daniel, when the family visited the cash machine at Easingwold, North Yorkshire, on Saturday afternoon.
Mrs Pettigrew said: "We usually go into the bank and so Oliver just pushed the door and wandered in.
"I was at the cash machine and it was Oliver's dad who started saying, 'where's Oliver? where's Oliver?'
"Then Oliver appeared again. He and his dad ended up wandering around the place, which was totally deserted. There were computers everywhere and there was no alarms sounding."
The HSBC tried to downplay the breach saying the emergency services would have been summoned automatically if someone stepped inside.
[Evan] This did not appear to have happened. According to the news story, emergency services were not even aware of this physical breach until notified by the Pettigrews.
However North Yorkshire Police have confirmed that the only call received was from Daniel Pettigrew.
The bank had been closed for business at 4.30pm on Friday and Oliver opened the door at lunchtime on Saturday.
A spokeswoman for the bank said there had been a malfunction with the catch on the door.
[Evan] A malfunction is not an acceptable reason for a breach. System malfunctions need to be taken into account when designing secure systems (physical and technical), especially at a bank.
"When I realised the bank was empty and the service times said Monday to Friday I phoned 999."
He and Oliver also walked right up to the door of the vault where money is kept.
[Evan] It is important to note that they walked up to the door, not THROUGH the door. This would be a more sensational story if the vault were open too.
There were computers and walkie talkies lying around in there. Anyone could have stolen them.
"The hard drives were in there too. In the current climate it makes you wonder if anyone could have got the database with bank customers' details on it.
[Evan] There is chatter that HSBC employs centralized and secure data storage, meaning that there should be no sensitive information on the client computers. This may be true, but often there is much more information on these computers than people realize. I would guess that there is also a substantial amount of sensitive paperwork in the branch.
The Pettigrews stood guard at the bank until police officers arrived.
A spokesman for HSBC, which made profits of about £11bn in 2006, said there was no danger to bank customers.
[Evan] Not so. There WAS a danger to bank customers. It may not exist in this instance anymore, but the danger was there.
She said: "Basically, what happened was there was a malfunction with the door catch. Once the door was pushed open it would have alerted the police anyway.
[Evan] This was obviously not so. Malfunctions must be detected at the time of the occurrence.
She said: "There would have been no danger to customers in terms of cash or information being stolen. Obviously we don't want security issues but sometimes these things happen."
[Evan] Again, I disagree.
From Simon Davies, director of Privacy International:
"extraordinary state of affairs" which could have exposed thousands of customers to a "grave risk"
"I cannot believe that a bank would not have procedures in place to make sure all exits are sealed at close of business."
"This is a situation I have never encountered before. It is a failure on multiple levels, on the human level and on the technical level and what it does is expose thousands of customers to a grave risk."
"It could be that the computers are part of a central control system and are password protected and contain no information locally, in which case you don't have the same level of threat."
"But if they are just password protected then someone could have gained access to the whole central resource of data."
Commentary:
I added this breach to The Breach Blog because the potential for lost data confidentiality and integrity was real and present. There appear to have been no customer-related victims, which is a very good thing. HSBC and/or their security team should have detected the door malfunction well before a five-year-old did.
How many times have we used a cash machine at the bank after-hours? Most of us just assume that the bank doors would be locked. Even if the door were unlocked, most of us would assume that alarms would go off as soon as we opened it.
I don't suggest that you drive from bank to bank looking for unlocked doors because this might get you in a lot of trouble.
Past Breaches:
Unknown
