Lost Bank of Ireland laptops affect roughly 30,000 (updated) customers

Date Reported:
4/22/08

Organization:
Bank of Ireland

Contractor/Consultant/Branch:
Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephens Green, Tallaght, and Montrose

Victims:
"customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:
  • Drogheda
  • Dunleer
  • Bagnelstown
  • Court Place Carlow
  • Stephens Green
  • Tallaght
  • Montrose"

Number Affected:
~10,000
30,000 (updated, source: Belfast Telegraph)

Types of Data:
"names, addresses, bank account details and medical histories"

Breach Description:
"DUBLIN--Four laptop computers stolen from one of Ireland's largest commercial banks contain the unencrypted details of some 10,000 customers, the bank said on Tuesday."

Reference URL:
Bank of Ireland
The Associated Press via International Herald Tribune
Agence France-Presse via Inquirer.net

Report Credit:
Data Protection Commissioner, Billy Hawkes

Response:
From the online sources cited above:

DUBLIN, Ireland: Four laptops containing the personal details of 10,000 Bank of Ireland customers have been stolen, the bank confirmed Monday.

Ireland's second-largest bank made the admission after the chief regulator, Data Protection Commissioner Billy Hawkes, told Irish broadcasters RTE he had been informed of the lost customers' data only last Friday.

Bank of Ireland said the four laptops disappeared between June and October 2007 and contained the names, addresses, bank account details and medical histories of about 10,000 holders of the bank's life insurance policies.

Commenting on the delay in reporting the thefts to the regulatory authorities, managing director Brian Forester said internal procedures had not been followed.
[Evan] Policies and "internal procedures" aren't worth squat if they aren't communicated to all affected persons AND enforced.

"Unfortunately in this situation the procedures were not properly adhered to. The thefts, while they were reported to the Gardai [police], the situation wasn't escalated to the level of management it should have been, through a human error," he said.
[Evan] Yes, human error indeed.  Humans run the bank, humans run the information security program (assuming one exists), and humans collect, create, store, access, distribute and destroy confidential information.  This was more like "humans error", meaning more than one.

The bank said it had found "no evidence of fraudulent or suspicious activity on any of these accounts."

The four laptops all disappeared in Ireland, at least one of them from a bank worker's home.

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:
  • Drogheda
  • Dunleer
  • Bagnelstown
  • Court Place Carlow
  • Stephens Green
  • Tallaght
  • Montrose

Anybody who is not a customer of these branches is not affected by this incident.

The customers' personal data was not encrypted to prevent easy access.
[Evan] Should we be surprised?

The bank said it was beginning to encrypt customers' data on its remaining 5,000 laptops
[Evan] Reactionary information security is ineffective.  Organizations working with confidential information need to be proactive in risk management and information security in order to be effective.  Let's think this through for a second or two.  Here we have a bank (or a bank-owned entity) that has many highly confidential records.  The bank employs ~5,000 laptop computers and encourages a mobile workforce.  Do you think that there is a good (more than 50/50) chance that some of the laptops may be used to work with highly confidential information?  Do you think there is a good chance that one of these laptops may be lost or stolen?  Obviously the answer to both questions is "yes".  Why then are these laptops not adequately protected?  Is this another "human error"?

had yet to inform any of the 10,000 customers that their personal details had been compromised.

Bank of Ireland will be writing to these customers in the coming days.

a help-line has been set up to handle any customer queries and select the Bank of Ireland Life option

This customer help-line will be open from 9.00am to 6.00pm Monday to Friday.

Bank of Ireland apologises to customers and is committed to moving as quickly as possible to allay the concerns of affected customers.

Ireland's Data Protection Commissioner Billy Hawkes said his office was investigating what he described as "serious" security lapses.
[Evan] Of course my purview is very limited, but I tend to agree that there are some serious information security gaps at The Bank of Ireland.

Commentary:
Baffling is the first word that comes to mind.  Poorly protected confidential information and a poor incident response.

Past Breaches:
Unknown

Comments
  • 5/8/2008 8:11 AM Fergal wrote:
    It appears that number has now jumped to 30,000, and what about this statement from the bank, "the bank said an assessment had concluded that the risk of fraud arising from the thefts was 'very low'", see http://www.rte.ie/business/2008/0428/boi.html Your thoughts?
    1. 5/8/2008 9:07 AM Evan Francen wrote:
      My first thought is, do you think that the bank would tell you any different?  It would be extremely rare for an organization to state that the risk of fraud is "very high".  I also wonder who conducted the assessment and what methods were used to draw their conclusion.  We have all heard words and they don't mean much to me without actions.

      Do you really need "bank account passwords, PIN numbers or copies of signatures" to commit fraud?  The laptops still stored medical records, bank account details, names, addresses, and dates of birth.  Names and addresses can probably be considered public information, or at least semi-public.  Medical records and bank account details could be damaging.  In context, all of the information exposed is damaging and thieves can easily use it to perpetuate further fact finding (i.e. spear phishing).

      Considering only the information I know, I don't think I would go as far as to say the risk is "very low".  I also wouldn't say that risk is high.  It is somewhere in the middle.  The primary issue I take is no matter what the risk is now, it should have been reduced significantly if information security were managed more appropriately.
