Financial information belonging to millions sold on eBay

Date Reported:
8/26/08

Organization:
The Royal Bank of Scotland
American Express
NatWest

Contractor/Consultant/Branch:
MailSource UK Ltd*

*Formerly Graphic Data UK Ltd

Victims:
Customers

Number Affected:
"several million"

Types of Data:
"historical data related to credit card applications and data from other banks"
"names, addresses, mobile phone numbers, bank account numbers, sort codes, credit card numbers, mothers' maiden names and even signatures"

Breach Description:
"The personal details of more than a million high-street bank customers have been found on the hard drive of a computer sold on eBay for £35."

Reference URL:
The Daily Mail
The Independent
Reuters UK
BBC News

Report Credit:
Dan Newling, The Daily Mail with props to an informed Breach Blog reader

Response:
From the online sources cited above:

An investigation is under way into how a computer containing bank customers' personal data was sold on eBay.

The computer, bought by IT manager Andrew Chapman for £77, had the sensitive details on its hard drive.
[Evan] The University of Glamorgan conducted research about hard drives bought on eBay that contained sensitive information and published their findings in September 2007.  If people don't think that criminals are buying hard drives on eBay, searching for sensitive information (personal information, health information, corporate secrets, intellectual property, etc.), then they are deluded (I think this is the word I am looking for).


Mr. Chapman sitting with his eBay purchase. (Source: The Daily Mail)

Mr Chapman, from Oxford, said the machine contained information on several million bank customers.

Details of customers of three companies, including the Royal Bank of Scotland (RBS) and its subsidiary, Natwest, were involved.
[Evan] These three companies should be responsible for ensuring that the sensitive information shared and/or used by their third-party contractors, consultants and partners remains "secure".  Usually this includes policy, contractual language, and regular assessments.

RBS said an archiving firm told it the computer had been "inappropriately sold on via a third party".

Historical information relating to credit card applications for its bank and others had been on the machine.

The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names.

The problem came to light when Mr Chapman, 56, bought the computer, noticed the data and raised the alarm.

He said: "I was appalled when I found the bank account information. That sort of thing shouldn't have been listed on there."

Mr Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply.
[Evan] Absolutely!  Many people don't realize how simple it is to compromise the confidentiality of information, in this case and thousands of others.  People need to be aware.

"The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find if you know something about computers," he said.
[Evan] For the non-technical reader, an ISO file is essentially a disk image.  If I wanted to replicate everything stored on a disk, I may choose to create an ISO file.

RBS and Natwest said they were taking the issue very seriously and were working to resolve it "as a matter of urgency".

A spokeswoman for the third company reported to be involved, American Express, said it took the security of its card members' data "extremely seriously".

"We are currently working as a matter of priority to establish exactly what data is impacted and identify the card members who may be affected," she said.

A spokeswoman for data processing company Mail Source, which is part of the archiving firm Graphic Data, said it was investigating how the computer equipment had been removed from a secure location.

A spokesman for Mail Source, which owns Graphic Data, put the situation down to an 'honest mistake'.

She added: 'We know which employee took the server and sold it, but we believe it was an honest mistake and it was not intentional to sell it without the server being cleared.

"The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed," she said.
[Evan] This statement almost seems to contradict the previous statement.

The incident was "extremely regrettable" and the firm was "taking every possible step" to retrieve the data and ensure it was an isolated incident, she added.
[Evan] Was this an "isolated incident"?  No encryption and poor information disposal seem to be more process-oriented.

'This is a very unfortunate incident and we are taking measures to ensure it will never happen again.'
[Evan] How?

A spokesman for eBay said the firm was also looking into what had happened.

"Clearly such details should never have been included in the hard drive of the computer offered for sale on eBay," said the spokesman.

"We fully expect Mr Chapman to hand it back to Graphic Data as soon as possible. We will of course work with Graphic Data to establish how it came to be available for sale on our site."

The Information Commissioner's Office said an investigation would be launched as soon as Mr Chapman had handed the computer in to them.

The computer and a second server sold with it to Mr Chapman were tonight returned to Graphic Data.

A spokeswoman said: "We are now investigating this potential data breach and will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring."

RBS, NatWest and American Express are expected to contact customers once they have analysed the data at risk.
[Evan] Wow!  This could be very expensive.

But Marc Kirby, an IT lecturer at Cranfield University, said today that some firms did not realise how hard it was to delete computer files.
[Evan] Hard how?  There are a number of tools available to erase data from a hard drive securely.

'You can't escape leaving a data trail in the 21st century, and it will only get worse,' he warned. 'People think they have deleted emails or documents but it is usually very easy to retrieve them.
[Evan] True.

'In most circumstances you can buy software on the internet for £25 that will retrieve almost anything, unless the computer has been totally wiped or the hard drive is destroyed.'

Case study

As someone with a limit of more than £20,000 on his credit card, Christopher Tomlins was shocked to learn that NatWest has lost the information that could give anyone access to his account.

When told about the breach by the Daily Mail, Mr Tomlins, 32, said: 'It is like they have given my house keys to a stranger and then said, "Help yourself".'

Mr Tomlins's personal information is revealed in a photograph of an application for a NatWest 'black' credit card he made on April 14, 2005.

The completed application form contains his name, address, date of birth, mobile phone number and home phone number.

It also reveals his mother's maiden name, signature, annual income, bank account number, bank sort code and the 16-digit number of the credit card he was granted.

Mr Tomlins, who runs his own lighting company in Ealing, West London, said: 'I am amazed that NatWest have let this information get out. If the company looking after the information was getting rid of the computer, they should have destroyed the hard drive.'

Mr Tomlins's details were contained on one of 227 photographs of separate credit card application forms found on just one of 32 computer files containing NatWest card information.

Commentary:
There are at least three information security issues that I see which contributed to this breach.

  1. The information was not stored securely.  This type of information should be encrypted at rest.
  2. The disk drive was not disposed of securely.  A disk drive that contains or contained sensitive information must either be destroyed or overwritten in such a way that the "work factor" involved with recovery outweighs the value of the information.
  3. The vendor relationship MAY not have been managed securely.  Vendors accessing sensitive information in any tangible manner must be managed as an extension of the information security program.

Thankfully, these drives were purchased by a person who did not intend to cause harm to the companies or customers.  There is little doubt that this information in the (im)proper hands could be lucrative to the bad guys and seriously harmful to the victims (banks, customers, etc.).
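As an added example (not part of the original post), here is the kind of pre-disposal check that issue 2 above calls for: scan the raw bytes of a drive image for card numbers and sort codes that are still readable, and confirm nothing recognisable remains after the image has been overwritten. The image contents, the Luhn-valid test card number and the sort code are all constructed for this example.

```python
import re
from typing import List

# Constructed sample: a fragment of a disk image in which the text of a scanned
# card application sits between unrelated bytes. All values are made up; the
# 4111... card number is a standard test number, and the "BATCH REF" digit run
# is there to show that random 16-digit numbers are filtered out by Luhn.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"NAME: J Example\nSORT CODE: 12-34-56\nACCOUNT: 12345678\n"
    + b"CARD: 4111111111111111\nBATCH REF: 1234567890123456\n"
    + b"\xff" * 64
)

PAN_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")
SORT_CODE_RE = re.compile(rb"(?<!\d)(\d{2}-\d{2}-\d{2})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real-looking card numbers from digit noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_residual_pans(image: bytes) -> List[str]:
    """Return Luhn-valid 16-digit numbers still readable in the raw image bytes."""
    return [m.group(1).decode() for m in PAN_RE.finditer(image)
            if luhn_ok(m.group(1).decode())]


def find_residual_sort_codes(image: bytes) -> List[str]:
    """Return UK-style sort codes (nn-nn-nn) still readable in the raw image bytes."""
    return [m.group(1).decode() for m in SORT_CODE_RE.finditer(image)]


def overwrite(image: bytes, fill: int = 0x00) -> bytes:
    """Simulate a single-pass overwrite of the whole image (the disposal step)."""
    return bytes([fill]) * len(image)


def disposal_check(image: bytes) -> bool:
    """True only if no card numbers or sort codes remain in the raw bytes."""
    return not find_residual_pans(image) and not find_residual_sort_codes(image)
```

Run against a real image, the same scan would be one of the "work factor" checks before a drive leaves a secure location; a hit means the overwrite did not happen or did not cover the whole device.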

Past Breaches:
Unknown
