National Bank of Canada laptop stolen despite physical controls
Date Reported:
9/23/08
Organization:
National Bank of Canada
Contractor/Consultant/Branch:
None
Location:
Montreal (Québec), Canada
Victims:
Customers
Number Affected:
Unknown*
*A National Bank spokesman "declined to say exactly how many names were on the laptop, other than it was a 'high percentage' of the bank's clients."
Types of Data:
"names, addresses, bank reference information and chequing account numbers"
Breach Description:
"A determined thief managed to break into a locked office at National Bank of Canada's Montreal headquarters, avoid various security measures and pinch a laptop computer containing information about most of the bank's mortgage customers."
Reference URL:
570 News
The Canadian Press via The Halifax Herald Limited
The Globe and Mail
Report Credit:
570 News
Response:
From the online sources cited above:
A determined thief managed to break into a locked office at National Bank of Canada's Montreal headquarters, avoid various security measures and pinch a laptop computer containing information about most of the bank's mortgage customers.
The theft occurred some time last Friday, said bank spokesman Denis Dubé.
The bank discovered Friday during regular business hours that someone had cut a cable tethering the laptop to a desk in an employee's personal office.
The computer was linked to a cable and the cable was cut.
[Evan] Sheesh! You don't read about a breach like this every day. Someone stole a laptop that was secured to a desk with a cable lock, in a locked office, at a corporate headquarters, during business hours! The next questions are why a database of customer information was stored on the laptop at all, and why the laptop wasn't encrypted (none of the reports mention encryption, so I am assuming it wasn't used).
Nothing else was taken from the office and police are investigating.
The computer contained some information about customers who have mortgages with the bank.
He declined to say exactly how many names were on the laptop, other than it was a "high percentage" of the bank's clients.
Mr. Dubé stressed that the computer contained minimal client information - names, addresses, bank reference information and chequing account numbers.
The laptop did not have any dates of birth, social insurance numbers or credit card information, he said.
"That's why we say that the impact is minimal, since there was not this kind of personal information," Dubé said.
[Evan] This is not necessarily true. If the information was not public, then it has some sensitivity. A criminal can use this information as leverage to gather additional information and assemble a complete identity profile.
The bank has contacted the clients and promised to compensate them for any related damages.
Mr. Dubé said the bank has strict security policies and it is determined to find out what happened.
"We have a lot of security measures in place, but it's like on the highway, we could put police on every corner and somebody will still exceed the speed limit," he said.
[Evan] I think I get what Mr. Dubé is trying to say, but I don't agree. We (information security professionals) don't keep adding more police; we use a combination of administrative, physical and logical controls, so that when one control fails another still limits the damage.
Anne-Marie Hayden, a spokeswoman for the federal Privacy Commissioner's office, said the bank had contacted officials about the theft.
The office will be working with the bank to determine what occurred and what can be done to prevent future breaches.
"Don't underestimate the value of what a criminal can find out about you if they have basic information about you," said Darlene Dolinski, a regional manager in Winnipeg for PPL Legal Care of Canada.
She said that even erased information on the computer could be recovered and potentially used. She also said the fact that the bank kept the computer under lock and key suggests it contained important information.
"So there's no impact. But we want to be transparent. As good corporate citizens, we have some responsibilities with our customers," Mr. Dubé said.
[Evan] Mr. Dubé in a previous statement said that there was "minimal impact", and in this statement he says that there is "no impact". There certainly is an impact. The extent and severity could be debated, but there is an impact. The bank will be notifying customers, and this costs money. The bank has lost some customer confidence, and this costs money. Private information could become public, which has an impact even if it is difficult to quantify.
Commentary:
We (information security professionals) use a balanced mixture of administrative, physical and logical controls to reduce the risk of unauthorized information disclosure, modification and destruction. The amount and types of controls, and our overall approach, are usually dictated by business objectives and the level of risk the business is willing to accept.
All (good) information security professionals understand the concept of defense-in-depth. The laptop was in a locked office and secured to the desk with a cable lock. These are good physical controls, and they were defeated. A defense-in-depth approach poses the question: what if the laptop is stolen despite our physical controls? A good logical control would be full-disk encryption, so that the thief gets hardware but not data, and a good administrative control would be prohibiting the storage of sensitive customer information on client computers such as laptops in the first place.
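The administrative control above (no customer data on endpoints) is only as good as your ability to detect violations of it. As an added example, not code from the original post or from National Bank, here is a small Python scanner that walks a directory looking for files that hold Canadian bank account identifiers (institution number, transit number, account number), which is the kind of record the stolen laptop carried. The identifier layout, the separators accepted, the institution allow-list and the report threshold are assumptions made for the constructed sample data; a real deployment would tune them to the bank's own export formats.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Canadian domestic bank account identifiers: 3-digit institution number,
# 5-digit transit (branch) number, 7-12 digit account number.  The
# separators accepted here (hyphen, space, comma) are an assumption made
# to cover both free text and CSV exports in the constructed sample data.
ACCOUNT_RE = re.compile(r"\b(\d{3})[-, ](\d{5})[-, ](\d{7,12})\b")

# Institution numbers of the large Canadian banks; 006 is National Bank
# of Canada.  Restricting to known institutions cuts false positives from
# other runs of three numbers.
KNOWN_INSTITUTIONS = {"001", "002", "003", "004", "006", "010"}

# A file holding at least this many distinct accounts is reported as a
# likely customer export; the threshold is a tuning assumption.
EXPORT_THRESHOLD = 5

SCANNED_SUFFIXES = (".csv", ".txt", ".log")


def scan_text(text: str) -> List[str]:
    """Return the distinct, normalised account identifiers found in text."""
    found = set()
    for inst, transit, acct in ACCOUNT_RE.findall(text):
        if inst in KNOWN_INSTITUTIONS:
            found.add(f"{inst}-{transit}-{acct}")
    return sorted(found)


def scan_tree(root: Path) -> Dict[str, int]:
    """Map each file under root that holds >= EXPORT_THRESHOLD distinct
    accounts to the number of accounts it holds."""
    hits: Dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        count = len(scan_text(text))
        if count >= EXPORT_THRESHOLD:
            hits[path.relative_to(root).as_posix()] = count
    return hits


def demo() -> Dict[str, int]:
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "exports").mkdir()

        # Constructed mortgage export: eight distinct National Bank accounts.
        rows = ["name,address,institution,transit,account"]
        for i in range(8):
            rows.append(f"Client {i},{100 + i} Rue Exemple,006,"
                        f"{10000 + i:05d},{1234567 + i:07d}")
        (root / "exports" / "mortgage_clients.csv").write_text("\n".join(rows))

        # A single account in a note: below the export threshold.
        (root / "notes.txt").write_text(
            "Pay mortgage from 003-12345-7654321 on the 28th.\n")

        # Six rows with an unknown institution number: not counted at all.
        junk = "\n".join(f"999,{20000 + i:05d},{5555555 + i:07d}" for i in range(6))
        (root / "vendor_ids.csv").write_text(junk)

        # Wrong suffix: never opened.
        (root / "README.md").write_text("006,11111,2222222\n" * 10)

        return scan_tree(root)


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} distinct customer accounts")
```

Run on a laptop fleet from a management agent, a scan like this turns the policy into something you can measure: which machines hold customer exports, and how large. It only finds the data, though; it does not replace disk encryption, which is the control that still protects whatever the scan missed once the hardware is gone.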
Past Breaches:
Unknown

I am one of the victims of this theft and the bank has made no attempt to assist in resolving the issue. In fact, while I tried to repair their damage, they took a mortgage payment and ran into a problem from the other institution, and their notification on this was to send my file within 3 days of the occurrence to the collections dept. and make harassing calls. This is this bank's way of offering customer service. This is only one of the problems I have encountered since this happened. When speaking to upper management I have been treated with such a lack of respect. They have not only compromised my home, but my accounts, my reputation, my family, etc., and have put more effort into pointing blame at the customer than resolving the issue.
I sympathize with Ray as I encountered the exact same problems with National Bank. After receiving a letter from National Bank stating my name, address and Royal Bank chequing account number had been stolen and advising "if mortgage payments are debited from another financial institution, it is important that you promptly inform them of the situation", I immediately took this letter to RBC, who felt it prudent to cancel my account and open another.
While RBC assured me my pre-authorized payments would have an indicator allowing automatic debits, they failed to do so. There were four automatic payments due on October 15th, and one of the creditors phoned me on October 17th to say my payment had been returned "account closed". I explained, and the creditor was very sympathetic and asked that I put a void cheque on my new account in the mail to them. I then contacted RBC, who apologized for their error and supplied me with a letter of explanation to send to my other pre-authorized payment suppliers.
I sent a letter of explanation to all, along with the apology letter from RBC and a new void cheque. As National Bank's mortgage payment was not due until October 28th, the new information I provided should have arrived in plenty of time.
Like Ray, I started to receive collection calls from National on November 3rd, three business days after the payment was returned. I explained to the agent why the account was closed and she said "yes, there is a note on your file". I also informed her the new information had been sent to their Vancouver branch. She then insulted me by asking "if there was sufficient funds in this new account?". The next day, November 4th, I received another call at 8:40am with the agent stating she had been trying to contact their Vancouver office all morning. I suggested the office was not yet open and to try later. Response: "I can't keep calling them all day". She also asked if there were sufficient funds in the new account.
In summary, I continued to receive collection calls all week along with a letter threatening legal action. I then contacted the Vancouver office myself, and it turned out that my letter "had been sitting on someone's desk for quite a while". I escalated my complaint to the National Bank Ombudsman's office only to be told I had to go to their Mediation Department first. Did so. Comment from this office: "NB did not force you to close your account", and that someone would follow up with me within 10 days. Received an obviously impersonal form letter December 10 generated through their WP department with one line stating "we would like to offer you (promotional item or other)". They couldn't even fill in the variable.
I'm not giving up yet and will contact the Ombudsman for Financial Services.