Laptop stolen from North Cascades National Bank audit firm

12/09/08
Organization:
North Cascades National Bank
Contractor/Consultant/Branch:
"the bank’s financial audit firm"
Location:
Chelan, Washington*
*incident took place in Portland, Oregon
Victims:
Customers
Number Affected:
Unknown**
**"Social Security numbers of about 500 customers"
Types of Data:
Personal information including names, account numbers and Social Security numbers
Breach Description:
"CHELAN — A laptop computer stolen from a car in Portland, Ore., last month contained the names and account numbers of many North Cascades National Bank customers."
Reference URL:
The Wenatchee World
Report Credit:
K.C. Mehaffey, The Wenatchee World
Response:
From the online source cited above:
CHELAN — A laptop computer stolen from a car in Portland, Ore., last month contained the names and account numbers of many North Cascades National Bank customers.
[Evan] Some people just don't get it. I am going to assume up front that the information stored on this laptop was secured by nothing more than an operating system password. Sensitive information should NOT be stored on mobile devices. If there is a strong business case to do so, then additional protections should be required (such as encryption). As long as people (customers, partners, suppliers, etc.) continue to allow it, organizations will continue to do it (increase risk).
Bank president Scott Anderson said the computer also included the Social Security numbers of about 500 customers, but authorities believe it’s unlikely that thieves will access the password-protected information.
[Evan] On one hand, I appreciate a corporate leader addressing the public as it demonstrates ownership (in my mind anyway). On the other hand, I think Mr. Anderson's comments speak for themselves. Password-protection?! When has operating system password-protection been adequate protection for sensitive information? This is operating system password-protection that he's talking about, right?
“We notified every customer whose name and account number was on that laptop,” asking them to watch their account activities and offering a free credit report, Anderson said Monday.
He declined to say how many customers were listed on the computer, but he said customers already give out their name and account number to store clerks every time they write a check.
[Evan] Uh, am I missing something? Customers give out information to people that they trust. Customers have a certain amount of trust in the places they shop, including store clerks. Does this mean that it is OK to give information to a crook? Do you think that a customer would shop at a store which they know is fraudulent? I do not understand how Mr. Anderson bridges this gap.
“We have fielded a hundred phone calls from our customers, and in almost every case, those have been positive conversations about what information was, and what was not, available,” he said.
[Evan] I guess it really depends on what customers are being told.
He said police were notified and are investigating.
The bank is headquartered in Chelan and has branches in Wenatchee, East Wenatchee, Orondo, Waterville, Brewster, Bridgeport, Coulee City, Grand Coulee, Okanogan, Omak and Twisp.
Anderson said an employee of the bank’s financial audit firm violated the company’s security policies in mid-November by leaving the laptop in a vehicle.
An iPod, cellular phone and wallet also were taken, he said, indicating that the thief was probably looking for valuables, not personal information.
Anderson called the breach of security “very serious,” but added, “It’s a low-risk situation.”
[Evan] What?! If it is a low-risk situation, then why is it "very serious"? Considering how easy it probably is to get information off this laptop, I would consider this a higher risk than "low-risk".
He said the bank is not aware of any attempts to access or use the information.
The laptop did not contain any account passwords, credit card or debit card numbers, birthdates, addresses, telephone numbers or transaction information, so it’s unlikely the thief would be able to do much with the information, even if it is accessed, he said.
[Evan] Are you kidding me?! It is unlikely that a thief would be able to do much with names, account numbers and Social Security numbers? I am speechless.
Anderson said the bank has encouraged customers to get a free credit report every year, and offered some customers the option to sign up for free fraud monitoring for one year, which will notify them of key changes in their financial picture that can signify identity theft.
[Evan] Fraud monitoring notifies a customer AFTER fraud has already occurred. It can be a good detective measure, but it will do nothing preventative.
He also declined to name the financial firm whose employee left the laptop in the vehicle, and said it would be “premature” to seek a new audit company.
“They’re a good firm. They’ve been in the business for a long time, and this is an unfortunate information technology error they made,” he said.
[Evan] But didn't they violate policy? No sanctions or threat of sanctions = no compliance. I suspect one of three things. 1. The bank doesn't really have a policy that prohibits the actions that led to this breach. 2. The bank has a policy but doesn't necessarily take it seriously enough to communicate and/or enforce it. 3. The auditing firm made a mistake. I suppose there could be a fourth too, but I will leave it to your imagination.
Commentary:
We read about many breaches, but we rarely read the types of comments we read in this one (in totality). It's very disappointing.
I could understand (and even empathize) with an organization that doesn't understand information security and admits it. Isn't admitting you have a problem the first step? What I have trouble accepting is an organization that doesn't understand information security and tries to justify it. There seems to be some serious education needed.
I could comment much more, but I need to chill out a bit.
Past Breaches:
Unknown
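The point Evan keeps coming back to is that "password-protected" means an operating system login password, and that protects nothing once the drive is pulled out of the laptop or the machine is booted from a live USB. Only encryption of the data at rest does. Below is an added example, not code from the original post, the bank or the audit firm, of the check a practitioner would want on a Linux laptop: parse the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` and confirm that every filesystem holding sensitive data sits on a dm-crypt (LUKS) layer somewhere in its device chain. The two lsblk outputs are constructed for the example; the device names, volume group name and the choice of "/" and "/home" as the mount points that matter are assumptions. On Windows or macOS the equivalent check would be BitLocker or FileVault status.

```python
"""Offline check: is a mount point backed by an encrypted block device?

Parses the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
and walks each mounted filesystem back through its parent devices (PKNAME)
looking for a dm-crypt layer (TYPE="crypt", which is what LUKS/cryptsetup
creates). The sample outputs below are constructed for this example, not
captured from a real machine.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: LUKS on /dev/sda2 with LVM on top, the layout a typical
# distro "encrypt my disk" install produces. The root and home logical volumes
# inherit encryption from the crypt layer beneath them; /boot on sda1 is
# plaintext by design (the bootloader has to read it before unlocking).
ENCRYPTED_LAPTOP = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptlvm" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptlvm"
NAME="vg0-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptlvm"
"""

# Constructed sample: a login password but no disk encryption at all. Whoever
# has the drive can mount it from another OS and read every file.
PLAINTEXT_LAPTOP = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sda"
"""

# Assumed policy: these mount points hold customer data and must be encrypted.
REQUIRED_MOUNTS: Tuple[str, ...] = ("/", "/home")


def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `lsblk -P` lines into {NAME: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex strips the double quotes; each token is then KEY=value,
        # with an empty value for columns lsblk printed as "".
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices: Dict[str, Dict[str, str]], name: str) -> bool:
    """Walk NAME -> PKNAME -> ... and report whether a dm-crypt layer is in the chain."""
    seen = set()
    while name and name not in seen:
        seen.add(name)  # guard against malformed, cyclic input
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def audit_mounts(text: str, required: Tuple[str, ...] = REQUIRED_MOUNTS) -> Dict[str, bool]:
    """Map each required mount point to True (encrypted) or False (plaintext or not mounted)."""
    devices = parse_lsblk_pairs(text)
    by_mount = {d["MOUNTPOINT"]: n for n, d in devices.items() if d["MOUNTPOINT"]}
    return {
        mp: is_encrypted(devices, by_mount[mp]) if mp in by_mount else False
        for mp in required
    }


def unencrypted_mounts(text: str, required: Tuple[str, ...] = REQUIRED_MOUNTS) -> List[str]:
    """The mount points that would fail the policy, in the order given."""
    return [mp for mp, ok in audit_mounts(text, required).items() if not ok]


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP), ("plaintext", PLAINTEXT_LAPTOP)):
        bad = unencrypted_mounts(sample)
        print(f"{label}: {'OK' if not bad else 'FAIL, plaintext: ' + ', '.join(bad)}")
```

A mount point that is absent from the output is reported as failing rather than passing, so a laptop where /home simply is not a separate filesystem (and therefore lives on whatever holds /) has to be judged by the "/" result; treating "not found" as a failure keeps the check from silently passing on a layout it did not understand.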
12-23-08 @1 a.m.
Chill, Evan.
The last guy I know of who said "ignorance is bliss" got run over by a truck he was ignorant of while walking across the street.
Some people are just cursed with wandering and wondering all night about why most of these blissful, ignorant people do not get run over by a truck, while others who check both directions 5 times before crossing the street get run over anyway. By the way, I want to express on behalf of the readers of the breach blog the great job you do in assimilating this information and educating us.