A lost Bank of Ireland USB key

Technorati Tag:

Date Reported:
11/03/08

Organization:
Bank of Ireland

Contractor/Consultant/Branch:
None

Location:
Dublin, Ireland

Victims:
Customers

Number Affected:
894

Types of Data:
"account numbers, names and addresses"

Breach Description:
"A memory stick containing the unencrypted personal information of 894 customers has been lost by a Bank of Ireland employee."

Reference URL:
Independent House
Finextra
Siliconrepublic

Report Credit:
Independent House

Response:
From the online sources cited above:

Ireland’s biggest bank has again been rocked by a data breach scandal – this time a data storage device with almost 900 customer account details has gone missing.

It emerged this morning that a USB key with 894 customer account numbers, names and addresses has been mislaid.
[Evan] USB key, thumb drive, flash drive, and USB flash drive are all names for the same type of device.  It's not clear why an employee of a bank would be allowed to use one for bank business.

It is understood that no financial information on the customers was contained on the lost device.

The bank said it has no reason to believe the device has fallen into the wrong hands, but is mounting an investigation as well as taking steps to protect its customers’ interests.
[Evan] Chances are pretty good that it will fall into the hands of someone who should not have it, and in that sense the "wrong hands".

It is believed the bulk of the data lost related to general bank business, but included in it were the account details of business and personal clients, as well as the first line of their addresses.

The Data Protection Commissioner is also launching an investigation.

The retention of unencrypted data on electronic devices is prohibited under the bank’s policies and procedures.
[Evan] It should serve as no surprise that people circumvent policies and procedures, no matter if it's convenience or ignorance.

Most people affected by the loss have been informed

Commentary:
People use flash drives because flash drives offer a convenient way to carry data from one place to another.  Convenience is a good thing and it can positively affect productivity.  Unfortunately, convenience all too often comes at the expense of increased risk.  The trick is allowing for convenience while keeping risk in check.  If we don't want people to use unsecured flash drives, get creative and offer users an alternative solution (centrally controlled encryption?).  If creativity doesn't provide an acceptable solution, create effective controls (disable USB interfaces through hardware/software?).  There are multiple ways to go on this.

Past Breaches:
Unknown


 
Trackbacks
  • No trackbacks exist for this post.
Comments
  • No comments exist for this post.
Leave a comment