Computer With UK Bank Customer Data Sold On eBay

Posted by kdawson on Tuesday August 26, @09:23PM
from the fingers-pointing-in-a-circle dept.
Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay, and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary Natwest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."

  • Kudos for him for speaking up rather than trying to abuse the situation.

  • by volxdragon (1297215) on Tuesday August 26, @09:26PM (#24759161)

    ...Really Bad Security instead of Royal Bank of Scotland.

    • by jtcedinburgh (626412) on Wednesday August 27, @03:21AM (#24761821)

      OK, I have to pipe up on this one.

      I've previously worked a few freelance tech gigs at RBS and the one thing I can say with certainty is that their internal security is extremely tight. Tighter than anywhere else I've worked in my time. The fact that anything gets done, EVER, is a minor miracle in the face of the mountain of red-tape, security, bureaucracy and general faffing with sign-offs and corporate governance that is needed to do pretty much anything.

      So, I'm going to pipe up on behalf of RBS, your honour... :-)

      Thing is, one thing I categorically don't believe is that the responsibility for handling customer data like this would fall to one individual without direct accountability. Knowing RBS, there would be forms to fill in, checks made, audits done and any handling of customer data would need to be signed off at a high level, and would be entirely traceable. Which is to say that if there's a breach, I don't think it's likely to be a break-down in procedure.

      Now, you might laugh about this, but I know how many hoops I had to jump through to get things like dev rights on a developer box ("so, let me get this straight, sir, why do you need to be able to write to the C: drive?" - that sort of dumb thing) so I really doubt that a half-wit in marketing or HR or whatever would be entrusted with such data. It is kept under lock and key and it would certainly be VERY UNUSUAL to be allowed to make a cd copy of customer data. To do so would require sign off from Very Senior Management (at Director level), and hence visibility at EVERY STAGE and accountability for EVERY ACTION would be enforced with *GREAT RIGOUR*...

      So my money is that this isn't what it at first appears to be - it could be the case that this is something else and the press have got the wrong end of the stick.

      Or maybe I'm wrong. Often am, you know... ;-)

      • by rapiddescent (572442) on Wednesday August 27, @04:41AM (#24762145) Homepage

        As another tech contractor who has worked in the past at 113DS, FR and GF, I know what you mean about getting dev access or access to one of the gigantic machine rooms. I would say that RBS core systems and its brands (NatWest, Coutts, Ulster(s)) are extremely secure to the point of not being able to do any work. Even the due process to make a change to a production system is amazing, with full-time boards spending all day evaluating every change.

        From what I read on finextra.com, it looks like this box was owned by a supplier firm and subsequently was stolen by an employee of the supplier firm and sold on eBay. Also, the box had not been used since 2005 - perhaps an old server in the cupboard (of the supplier Graphic Data) that an employee thought they could sell on eBay. I am struggling to see how this would have happened as a badged RBS server at one of the EDI datacentres. They run a tight ship.

        One thing for sure, Graphic Data can kiss goodbye to their contract with RBS - one thing I know about RBS is that they are very worried about security breaches - especially public ones like this.

  • by jkinney3 (535278) on Tuesday August 26, @09:27PM (#24759165)
    I bought a pair of SGI Origin 200 machines that contained names, credit cards, and enough data to be a real problem for many thousands of people. The labels on the machines listed them as from @home which had closed their doors. I did the dd if=/dev/zero dance and reinstalled IRIX.
    • Some twenty years ago, back when those orange plasma displays were popular, a girl I used to work with said she'd gotten hold of some Compaq portables, and would I want to buy one? She was only asking a couple hundred bucks (I believe they cost several thousand new at the time.) So I stopped by to take a look, thinking I could really use a machine like that. That line of thought lasted right up until the system finished booting and a custom menu appeared with legend of a major national bank across the top. Given the price and the data on them, I figured they were hot (I asked what truck they'd fallen out of) and declined to buy one.

      That was then, now we're in the Age of the World Wide Web, and there's just no excuse whatsoever for loading down a portable (read: easily stolen) computer system with vast quantities of confidential data. In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.
            • Yes, you could do that, but I think that erasure and encrypting the whole drive will also accomplish this. I believe that there is still a possibility of recovering the data even if wiped over several times. You can find lots of information about this on 'the Google' if you like. Here is a link to a zdnet blog about it: http://blogs.zdnet.com/storage/?p=129 [zdnet.com]

              If you can simply smelt the drives, that is complete destruction. Anything else depends on the level of 'it's not there anymore' you need. Far too many people don't care or believe their data can be used from an old disk. They also don't understand that a format will not necessarily overwrite anything on the drive. sigh.

              Encrypting the whole drive will scramble the bits fairly well. Follow up with low level formatting and it should be difficult enough to recover anything from the drive without the encryption password, never mind that the file system has been rewritten.
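The comment above makes two points a practitioner should be able to check: a format does not necessarily overwrite user data, and a full overwrite (the "dd if=/dev/zero dance" mentioned earlier in the thread) does. The script below is an added example, not code from the thread or from any of the companies involved. It stands a throwaway image file in for the disk, plants one constructed fake customer record, models a quick format as "rewrite the first MiB and leave the rest alone" (an assumption about what mkfs does to data blocks, not a real mkfs), then does the dd overwrite and scans the raw bytes afterwards. That raw scan is the check to run before a machine leaves the building, whether or not it still boots.

```sh
#!/bin/sh
# Added example (not from the thread): overwrite a disk with dd and verify the
# result, using a throwaway image file as a stand-in for the block device.
# Assumptions: POSIX sh with dd, grep -a, tr, wc and mktemp available.
set -eu

# Path of the image standing in for /dev/sdX; empty means "run the demo below".
IMG="${IMG:-}"

make_sample_disk() {
  # Constructed sample: a 4 MiB "disk" with one fake customer record written
  # 2 MiB in, well away from where filesystem metadata would normally sit.
  dd if=/dev/zero of="$IMG" bs=1048576 count=4 2>/dev/null
  printf 'ACCOUNT,12-34-56,J. Smith,4111111111111111\n' \
    | dd of="$IMG" bs=1048576 seek=2 conv=notrunc 2>/dev/null
}

quick_format() {
  # Simulation of a quick format / mkfs: metadata near the start of the disk
  # is rewritten, data blocks are left untouched. A real mkfs writes more
  # structures than this, but still does not overwrite your data blocks.
  dd if=/dev/zero of="$IMG" bs=1048576 count=1 conv=notrunc 2>/dev/null
}

full_wipe() {
  # Overwrite every block. For a real device drop count= and let dd run until
  # it hits the end of the device (it exits non-zero with ENOSPC at that point);
  # wc -c is only a sane way to size a regular file, not /dev/sdX.
  mib=$(( $(wc -c < "$IMG") / 1048576 ))
  dd if=/dev/zero of="$IMG" bs=1048576 count="$mib" conv=notrunc 2>/dev/null
}

has_residual() {
  # Raw byte scan for the record marker, ignoring any filesystem: succeeds
  # (exit 0) if the record can still be found on the media.
  grep -qa 'ACCOUNT,' "$IMG"
}

nonzero_bytes() {
  # Number of bytes that are not 0x00; a fully zeroed image reports 0.
  tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

# Stand-alone demonstration on a temporary image.
if [ -z "$IMG" ]; then
  IMG=$(mktemp)
  make_sample_disk
  quick_format
  if has_residual; then
    echo "after quick format: record still recoverable by raw scan"
  fi
  full_wipe
  if has_residual; then
    echo "after dd wipe: record STILL present, wipe failed"
  else
    echo "after dd wipe: record gone, $(nonzero_bytes) non-zero bytes left"
  fi
  rm -f "$IMG"
  IMG=""
fi
```

Point it at a real device by exporting IMG=/dev/sdX and calling full_wipe and has_residual (with a marker you know is on the disk) from a shell; never run make_sample_disk or quick_format against a disk you care about. Two caveats the thread only hints at: on SSDs an overwrite is not guaranteed to reach every flash cell (remapped and over-provisioned blocks), so blkdiscard or the drive's own ATA Secure Erase via hdparm is the better tool there; and if the disk was full-disk encrypted from day one, as the comment above suggests, the wipe reduces to destroying the key, with the zero-fill as belt and braces.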

  • Somebody should have set a much higher reserve price.

  • Hand it back? (Score:5, Interesting)

    by Mishotaki (957104) on Tuesday August 26, @09:46PM (#24759329)

    So in the article, they say that they expect him to hand "it" back... does that mean that the poor guy who paid £77 has to give back the computer for free?

    Personally I'd charge a hefty sum to make them get back that computer, just to make them remember that he paid and he was nice enough to tell them.

    • Re:Hand it back? (Score:4, Interesting)

      by timmarhy (659436) on Tuesday August 26, @10:08PM (#24759539)
      I'd charge the pricks a consulting fee for my time. A few grand should cover it. I certainly wouldn't be handing back what is entirely his property; since he purchased it fair and square they have no recourse.

      Mind you, in this day and age I wouldn't be surprised if he ends up in jail for his honesty. If it was me I wouldn't be saying anything. If I was a more desperate man I might even have sold those details online for a princely sum....

      • Re:Hand it back? (Score:5, Insightful)

        by MichaelSmith (789609) on Tuesday August 26, @10:20PM (#24759635) Homepage

        I'd charge the pricks a consulting fee for my time. A few grand should cover it. I certainly wouldn't be handing back what is entirely his property; since he purchased it fair and square they have no recourse.

        Do that and you go straight to jail, don't pass go, don't collect $200. Your consulting fee will be seen as extortion.

        • Re:Hand it back? (Score:5, Insightful)

          by timmarhy (659436) on Tuesday August 26, @11:23PM (#24760159)
          It's my property; how can I extort someone when they WANT to purchase something I own? By that logic every service fee ever paid on new car sales is extortion.

          Now if I went to them and said "pay me or I'll tell the media what retards your IT security guys are", that's extortion. But since it's already all over the news sites it's not possible to call it extortion.

          It's also pretty damn cheeky (and just the thing I'd expect from a bank) to expect him to just hand back his purchase.

          This would in fact be an interesting case to test in court as to who owns data when you purchase a PC. No doubt IP lawyers would be foaming at the mouth saying you're buying hardware not software (that might shoot some of their, but then this isn't software but plain data which they didn't license, so he'd have a reasonable expectation that it came with the sale.

  • Taking bets! (Score:5, Insightful)

    by RyoShin (610051) <tukaroNO@SPAMgmail.com> on Tuesday August 26, @09:54PM (#24759401) Homepage Journal

    How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.

    Also, the summary leaves out something that might affect those of us on the other side of the pond:

    A spokeswoman for the third company reported to be involved, American Express, said it took the security of its card members' data "extremely seriously".

    Bold mine. I know they have different branches for countries and such, but I wonder if any of this data crossed international bounds.

  • Goodwill (Score:5, Interesting)

    by gnu-sucks (561404) on Tuesday August 26, @10:09PM (#24759547) Homepage Journal

    I bought a sun box at goodwill once and besides an intact customer database for several large companies, it also had the admin's personal backup files, including his "My Documents" folder, his Palm cell phone, and 1200 dpi scans of his passport. Oh, and some file called "passwords.doc". No idea what is in there...

    More details here:
    http://lfnet.net/blog/?p=41 [lfnet.net]

    But yeah... wipe it before you get rid of it.

  • Bugger.... (Score:5, Funny)

    by s0litaire (1205168) * on Tuesday August 26, @10:16PM (#24759599)
    I was just going to pick up a cheap 1U server for a mod project! Now I've no chance! Everyone will be buying up every server hoping for disks full of banking details now!! :(:(
      • Re:Wait... what!? (Score:5, Insightful)

        by Zaiff Urgulbunger (591514) on Tuesday August 26, @10:46PM (#24759849)
        You might not have seen the video clip with the article [I don't know if it's visible outside the UK], but the guy said he bought two servers: one booted and had been wiped, the other didn't boot. It didn't boot because it was missing its RAM (or the chip was unseated), so anyway, he sorted that out, booted it up and found the data.

        Soooo... one wonders if the machine didn't get wiped simply because the various techs couldn't boot it and decided it was too much effort to move the drives to another machine?