Laptop is stolen from the car of a First Calgary Savings employee
Date Reported:
5/14/08
Organization:
First Calgary Savings
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
"hundreds", Calgary Sun
"a few hundred", First Calgary Savings
Types of Data:
"clients' confidential information" in a database stored on the laptop
Breach Description:
"The theft of a laptop computer containing hundreds of clients' confidential information from a Calgary bank employee's vehicle has raised concerns for Alberta's privacy commissioner.
In a letter sent yesterday to its customers, First Calgary Savings said a vehicle parked in a secured underground parkade was vandalized and the bank employee's laptop and cellphone stolen last month."
Reference URL:
Calgary Sun
First Calgary Savings
Report Credit:
Bill Kaufmann, Sun Media (Calgary Sun)
Response:
From the online sources cited above:
The theft of a laptop computer containing hundreds of clients' confidential information from a Calgary bank employee's vehicle has raised concerns for Alberta's privacy commissioner.
In a letter sent yesterday to its customers, First Calgary Savings said a vehicle parked in a secured underground parkade was vandalized and the bank employee's laptop and cellphone stolen last month.
If a complaint is lodged with the province's privacy commissioner, officials there would launch an investigation
"We're very concerned when we hear about these kinds of things," Wayne Wood, Privacy Commissioner spokesman
Soon after the theft occurred, police were notified
potentially vulnerable accounts numbering "in the hundreds, not thousands" had been red-flagged to prevent abuse and there's been no unusual activity detected, said First Calgary privacy officer Rod Banman.
As part of this employee's specialized role at First Calgary Savings, it was determined that a database had been saved onto the password protected laptop.
[Evan] Password protection doesn't mean squat on a laptop. There are numerous better (more secure) methods for an employee to work with this information while mobile. How about keeping the database on the server (where most databases belong) and enabling remote VPN access?
And while he said the data was protected by a password, it doesn't appear to have been encrypted and could be vulnerable to a determined computer hacker
[Evan] It DOES NOT take a "determined computer hacker" to access a password protected laptop. It takes no more than 30 seconds to create a bootable CD, turn the laptop on and run through a few menu prompts. Done. Total time: 5 minutes. Experience level: Novice to Intermediate.
"It is information somebody would love to get their hands on for identity theft purposes," said Banman.
[Evan] This is not reassuring. Mr. Banman is the First Calgary privacy officer.
"We're doing the best we can to ensure the information is not going to impact them."
He said it's not improper for employees to carry information in such a fashion.
[Evan] It SHOULD BE!
"It's information needed for our employees to do their jobs -- this is a theft and there is nothing the fault of our employees," said Banman.
[Evan] It is the fault of poor information security management and governance. The person or persons responsible for information security management and governance appear(s) to have failed in his/her responsibilities.
We have contacted all affected member-owners, totalling a few hundred, by telephone and personal letter.
First Calgary Savings is taking all prudent steps possible to protect the privacy and security of affected member-owners.
We have undertaken several additional monitoring approaches to provide an enhanced level of protection to the affected member-owners.
[Evan] Additional monitoring is good. Steps to prevent a similar occurrence would be good too, eh?
First Calgary Savings places the highest importance on your privacy and the security of confidential information.
[Evan] It is so easy to make remarks like this. The actions that led to this breach and the comments afterwards do not support the remark though. Sorry, but they don't.
We take this event very seriously and I apologize for the understandable concerns this has caused our member-owners, especially the member-owners that were directly impacted.
I can assure all member-owners that your personal and financial information is safe and secure within our well constructed, monitored banking system.
If you have further questions or concerns please contact your branch, phone the Contact Centre at or email .
Member Reaction:
A recipient of the letter, 14-year First Calgary client Doug Gablehaus, said he was "livid" to hear personal information would have been left in a vehicle.
"It's unacceptable ... that's the way identity theft goes," said Gablehaus, adding he might now take his business elsewhere.
[Evan] A company often decides to take action only when it sees a correlation between an incident and the bottom line. It's a poor strategy (or no strategy). Customers leaving equates to less revenue, and less revenue gets the attention of upper management. Sad but true.
"In today's society, I don't think confidential information should be on someone's laptop and kept in their car."
Commentary:
I strongly encourage people to read the letter from First Calgary Savings. Tell me if you read this the same way I do. Sometimes I need a sanity check. In my opinion the letter is one of the best attempts to minimize an information security breach that I have read in some time. The sense that the bank sees nothing wrong with storing confidential customer information on a "password protected" laptop is very troubling. Out of touch with best practices, current news and general risk management.
NOTE: Throughout this posting I am assuming that the stolen laptop was not encrypted. There was no mention of encryption, and the Calgary Sun reports "it doesn't appear to have been encrypted".
Past Breaches:
Unknown

Has it not occurred to all financial institutions that "Full disk Encryption" is the way to go??? Something like PGP would mitigate the risk of a stolen laptop and not cost this company the fines they may incur with lost/stolen data. Jeesh... makes me think that most companies could care less about their customers' data... And credit monitoring is going to do nothing when someone waits 3-4 yrs to steal your identity...