Computer With UK Bank Customer Data Sold On eBay

Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay, and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary Natwest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."

Honesty

[Enderandrew]

Kudos for him for speaking up rather than trying to abuse the situation.

Re:Honesty

[PunkOfLinux]

Agreed, although we shouldn't be forced to think that doing the right thing is so rare that we must laud it.

Still, good job.

Re:Honesty

[Anonymous Coward]

"Always do good. It will gratify some and astonish the rest." ~Mark Twain

Re:

[David Gerard]

This sort of thing is huge in the news in the UK at present, and the general public are very very p*ssed off by it. So it's quite understandable someone taking this straight to the press.

Re:

[TapeCutter]

Possibly a thank-you due from me. I got a phone call from VISA today saying they were issuing me with a new card because of a Bank of Scotland security breach in the UK. I'm an Aussie and was last in the UK ~2yrs ago.

Re:Honesty

[Jimbob The Mighty]

No, given that the computer will be seized by the police as evidence in some sort of criminal case, somebody owes him a computer, as well as their thanks and a pat on the back.

Re:

[ewhenn]

Yes, that someone being the Royal Bank of Scotland.

Re:

[Walpurgiss]

I must have screwed up the conversion to USD$ when I submitted the story. Whoops.

Re:

[Brian Gordon]

Yeah I'm sure he'll be thanked for his trouble.. with a pair of handcuffs and a hood..

Re:

[BLAG-blast]

Yeah I'm sure he'll be thanked for his trouble.. with a pair of handcuffs and a hood..

Yeah, with the current level of collusion between the corporate world, the government and judicial system, there is very little incentive to do the right thing. He should be give 10% of what ever appropriately large fine should be placed on the Banks and companies involved.

Re:

[cayenne8]

Hell, even better, why doesn't he turn around and resell the stuff on eBay?

I'm sure he could raise a pretty penny for all that info.....

Re:If he's REALLY Lucky, he could die conveniently

[dintech]

Yes and it's still being covered up today. That's why we've modded you -1. :)

Re:

[skarphace]

You have a link? I can't find any reference to it on these here internats.

Re:

[X0563511]

While that kind of payment is good, it unfortunately encourages people to blackmail for the reward. I would rather people avoid trying to steal data with the intention of performing a "good deed" for the reward.

Re:

[BLAG-blast]

While that kind of payment is good, it unfortunately encourages people to blackmail for the reward. I would rather people avoid trying to steal data with the intention of performing a "good deed" for the reward.

If data about me stored by a 3rd party company can be easily stolen, I would prefer somebody did and exploited the 3rd party company rather than me. If they are not adequately protecting my data then they deserve to be punished (or punched as I had originally "mis-typed").

There are already laws in place to deal with people stealing data for what ever reason, people violating them to collect data will not be rewarded. This thread was started with the implication that such laws could be used by corporati

Re:

[ObsessiveMathsFreak]

Indeed. Naturally however, he will now be sued by BoS for his trouble.

Re:

[larien]

Doubt it. BoS (I assume you mean Bank Of Scotland) won't as it was information from RBS (Royal Bank of Scotland Group) which was lost. As far as I've heard, there hasn't been any sueing going on anyway.

The worst part is that RBS didn't atually have a breach, it was a 3rd party. That, of course, could well lead to someone getting sued.

Re:

[kabocox]

The worst part is that RBS didn't actually have a breach, it was a 3rd party. That, of course, could well lead to someone getting sued.

Um, by my logic, if its your data that you are required by law to keep "secure" every "third party" that you allow access to that data falls under your responsibility. Sure, the RBS is fully responsible for this. It sounds like they are doing every thing that they can to determine how the breach happened. I'd want automatic government fines against the RBS and every "third p

Re:

[Dan541]

How?

The someone sold that data to him, they are the ones who can get sued.

Re:

[Tony Hoyle]

He bought a working second hand computer for £50. It said on the news that that machine 'went missing' from the datacentre where it was stored... aka. it was nicked (well what did he expect from ebay, I guess).

So he could be charged with receiving stolen goods, given that the machine (if it was the same one that was pictured on the news - it was a server with internal RAID array) was worth *far* more than £50 and he will have known that.

Re:

[Dan541]

He got the machine of eBay, whether or not it's stolen has nothing to do with him.

of course it's different if you intentionally hide "merchandise" for your mate.

Re:Honesty

[Dekortage]

Man: "Look, I found eight million customer records on here!"

Bank tech: "That's weird, we always stored ten million records in those databases..."

Man: "Huh, no idea what happened to those other two million." (hides batch of CDs) "I can't believe you guys sold 8 million customer records on eBay!"

Re:Honesty

[The Great Pretender]

Man: "Look, I found eight million customer records on here!"

Bank tech: "That's weird, we always stored 7 million records in those databases..."

Bank tech2: "Funny I thought it was 12 million..."

Bank tech3: "What are records?"

Bank tech4: "Hey, didn't I just decommission that laptop using that online eBay-thingy service?"

Re:

[coachellamasada]

Kudos for him for speaking up rather than trying to abuse the situation.

Kudos indeed for bringing it to light to publicly shame them, but really, unless he had solid ties to the Russian mob how would he abuse the situation?

It's not like he found a bag of money lying in the street... Most folks wouldn't know what to do with this kind of database (or at least, how not to quickly get caught when exploiting it.)

Re:

[bit01]

Kudos for him for speaking up rather than trying to abuse the situation.

How do you know he didn't make a copy before speaking up? Get the cash and the kudos...

---

Virus scanners don't detect M$ and US government trojans.

Re:

[VJ42]

Why bother, except to attract troubles ?

Because this appears to be a huge breach of the Data protection Act by the companies involved, and if he didn't go to the police he may have later been found party to the crime (or of covering it up) if these files were found by someone else at a later date.

I guess RBS stands for...

[volxdragon]

...Really Bad Security instead of Royal Bank of Scotland.

Defending the indefensible?

[jtcedinburgh]

OK, I have to pipe up on this one.

I've previously worked a few freelance tech gigs at RBS and the one thing I can say with certainty is that their internal security is extremely tight. Tighter than anywhere else I've worked in my time. The fact that anything gets done, EVER, is a minor miracle in the face of the mountain of red-tape, security, bureaucracy and general faffing with sign-offs and corporate governance that is needed to do pretty much anything.

So, I'm going to pipe up on behalf of RBS, your honour... :-)

Thing is, one thing I categorically don't believe is that the responsibility for handling customer data like this would fall to one individual without direct accountability. Knowing RBS, there would be forms to fill in, checks made, audits done and any handling of customer data would need to be signed off at a high level, and would be entirely traceable. Which is to say that if there's a breach, I don't think it's likely to be a break-down in procedure.

Now, you might laugh about this, but I know how many hoops I had to jump through to get things like dev rights on a developer box ("so, let me get this straight, sir, why do you need to be able to write to the C: drive?" - that sort of dumb thing) so I really doubt that a half-wit in marketing or HR or whatever would be entrusted with such data. It is kept under lock and key and it would certainly be VERY UNUSUAL to be allowed to make a cd copy of customer data. To do so would require sign off from Very Senior Management (at Director level), and hence visibility at EVERY STAGE and accountability for EVERY ACTION would be enforced with *GREAT RIGOUR*...

So my money is that this isn't what it at first appears to be - it could be the case that this is something else and the press have got the wrong end of the stick.

Or maybe I'm wrong. Often am, you know... ;-)

Re:Defending the indefensible?

[rapiddescent]

as another tech contractor who has worked in the past at 113DS, FR and GF - I know what you mean about getting dev access or access to one of the gigantic machine rooms. I would say that RBS core systems and its brands (natwest, coutts, Ulster(s)) are extremely secure to the point of not being able to do any work. Even the due process to make a change to a production system is amazing with full-time boards spending all day evaluating every change.

from what I read on finextra.com, it looks like this box was owned by a supplier firm and subsequently was stolen by an employee of the supplier firm and sold on ebay. Also, the box had not been used since 2005 - perhaps an old server in the cupboard (of the supplier Graphic data) that an employee thought they could sell on ebay. I am struggling to see how this would have happened as a badged RBS server at one of the EDI datacentres. They run a tight ship.

one thing for sure, Graphic Data can kiss goodbye to their contract with RBS - one thing I know abut RBS is that they are very worried about security breaches - especially public ones like this.

Re:

[larien]

Except it wasn't them who lost the data, although what a 3rd party was doing with all those records I'm not sure.

Re:

[dintech]

Yeah, this is just one machine they found. I bet there are others and they could be anywhere by now...

I got records from @home from an ebay purchase

[jkinney3]

I bought a pair of SGI Origin 200 machines that contained names, credit cards, and enough data to be a real problem for many thousands of people. The labels on the machines listed them as from @home which had closed their doors. I did the dd if=/dev/zero dance and reinstalled IRIX.

Re:I got records from @home from an ebay purchase

[ScrewMaster]

Some twenty years ago, back when those orange plasma displays were popular, a girl I used to work with said she'd gotten hold of some Compaq portables, and would I want to buy one? She was only asking a couple hundred bucks (I believe they cost several thousand new at the time.) So I stopped by to take a look, thinking I could really use a machine like that. That line of thought lasted right up until the system finished booting and a custom menu appeared with legend of a major national bank across the top. Given the price and the data on them, I figured they were hot (I asked what truck they'd fallen out of) and declined to buy one.

That was then, now we're in the Age of the World Wide Web, and there's just no excuse whatsoever for loading down a portable (read: easily stolen) computer system with vast quantities of confidential data. In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.

Re:

[Guido von Guido]

In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.

Servers get decommissioned, too. All that protection isn't going to help if they screw up and leave unencrypted data on their drives. Decommissioned hardware may certainly get used again, depending on how it was disposed of. I'm aware of one company that disposes of hardware--they recycle some parts and sell others. (I believe they require their customers to scrub the data before they throw it out.)

For instance, I have a customer in an industry where that would be bad (which doesn't narrow things down, I

Re:

[zappepcs]

Destroying the data should be a simple as encrypting the harddrives with a 100 characters of randomnes followed by a reformat and a shutdown.

Yes, if someone was truly interested, it's possible they could recover it but it is rather unlikely. Most of the data breaches appear to happen by accident, where encryption would have kept the data safe.

So,

1 - erase the data
2 - encrypt the drive with a near impossible key
3 - reformat
4 - no profit for next owner

Re:I got records from @home from an ebay purchase

[zappepcs]

Yes, you could do that, but I think that erasure and encrypting the whole drive will also accomplish this. I believe that there is still a possibility of recovering the data even if wiped over several times. You can find lots of information about this on 'the Google' if you like. Here is a link to a zdnet blog about it: http://blogs.zdnet.com/storage/?p=129 [zdnet.com]

If you can simply smelt the drives, that is complete destruction. Anything else depends on the level of 'it's not there anymore' you need. Far too many people don't care or believe their data can be used from an old disk. They also don't understand that a format will not necessarily overwrite anything on the drive. sigh.

Encrypting the whole drive will scramble the bits fairly well. Follow up with low level formatting and it should be difficult enough to recover anything from the drive without the encryption password, never mind that the file system has been rewritten.

Re:

[XanC]

Why would you encrypt when you could just write randomness?

10 write zeros.
20 write randomness.
30 GOTO 10 (as many times as you like)

Re:

[utnapistim]

I believe PGP Purge File functionality (I used it around 5? years ago) was overwriting the file for a number of times with the following sequence:
0x55 (bit pattern 01010101)
0xAA (bit pattern 10101010)
0x00

The "number of times" defaulted to 20 (or was it forty?)

After overwriting (even the name was overwritten in the process), it would be deleted.

It's common sense, hardly new functionality and already on the market.

It just doesn't seem like they cared much for it (at least, not enough to have an enforced polic

Re:

[dintech]

I think any company that has sensitive data should be legally required not to resell hard disks or media by themselves or as part of system. That would also fix this kind of issue...

Re:

[dintech]

As an aside, I hope the guy who removed the PC without checking it gets some reprimanding...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[kabocox]

If you can simply smelt the drives, that is complete destruction. Anything else depends on the level of 'it's not there anymore' you need. Far too many people don't care or believe their data can be used from an old disk. They also don't understand that a format will not necessarily overwrite anything on the drive. sigh.

Just format it, stick linux on it, and then fill the rest of it up with your standard porn DVD. They'll be too busy viewing the porn to think that their may be a formerly useful windows part

Re:

[couchslug]

"I suggested physically destroying the disks."

Good you.

Laws should be enacted to require shredding of the entire machine (not just the hard disks, so none are left onboard) of computers containing sensitive data. Businesses cannot be trusted,so mechanisms should be put in place to control, monitor them for compliance, and punish breaches of trust.

Re:

[TapeCutter]

Pfft, I say nuke 'em and let the FSM sort it out.

Re:

[kabocox]

That was then, now we're in the Age of the World Wide Web, and there's just no excuse whatsoever for loading down a portable (read: easily stolen) computer system with vast quantities of confidential data. In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.

Um, that seems very short sighted. What happens when all the servers in the data center get reduced into the size of a briefcase or

paid $140 for a computer on eBay

[flaming error]

Somebody should have set a much higher reserve price.

Re:

[zonky]

According to many sites, he actually paid 35GBP! http://www.telegraph.co.uk/news/uknews/2622495/A-million-bank-customers-details-sold-on-eBay-for-35.html [telegraph.co.uk]

Re:

[z0idberg]

How the FUCK do these two articles have such different figures?

£35 and £77.

They are both UK so cant be a conversion thing. Or maybe the telegraph got it from a US source which had converted to dollars then just called it pounds? Did one not know the amount so they just guessed? What is up with journalism these days?

Re:

[zonky]

I'm guessing given the volume of sites which say 35gbp, that was converted to 77USD, which was mis-reported by the BBC as 77GBP, and was converted by /. to $140.

Re:paid $140 for a computer on eBay

[smoker2]

£77 is how much it cost including ebay fees and paypal !

it's all an equation

[ILuvRamen]

If you're dumb enough to make a backup CD and then save the ISO onto the hard drive just in case the hard drive crashes, you're dumb enough to sell it on ebay without wiping it. I suppose this could have been some sort of backup storage server and not the computer that actually contained the data to be backed up but for that price it's a little unlikely.

Re:it's all an equation

[BLAG-blast]

Dummy says dummy...

They made an ISO, made 3 CDs of each ISO (one for the filing cabinet, one for off site back up, one for the on site safe), then didn't both deleting the ISOs...

It's dumb, but not as dumb as your ideas.

Why this is funny

[symbolset]

A deleted file including an ISO can live on the hard drive forever in recoverable or partially recoverable form. Criminals routinely buy PCs from surplus and then re-sell the uninteresting ones in hopes of garnering some profit from deleted data - in many cases turning a profit just on the turnaround process. Security researchers do it also, to gain fame and credibility from pointing the finger of shame which leads to step 3: consulting profit! A PC that's been "quick formatted" and then had an OS install

Re:

[Gordonjcp]

Smelting the disks is paranoia anyway. On any hard disk made in the last decade, a *single overwrite pass* where all sectors are rewritten with new data will wipe the old data beyond any hope of recover.

No, your mate's data recovery firm won't get it back.

No, the NSA don't have a big magic machine that will get it back.

No, you can't look at the bits with an electron microscope.

The days when hard drives used simple on/off transitions to mark bits - which is crucial to the idea of recovering overwritten data

Re:

[ZorbaTHut]

Considering that a 320gb hard drive is worth somewhere around $100 now, and that the process required to read data off it would theoretically cost more than standard drive recovery - which itself costs in the region of $2k - I highly doubt that anyone is going to take you up on your offer. However, this is not in any way proof that the process doesn't exist, it's just proof that your junky old 320gb hard drive isn't a valuable enough prize.

Re:

[Gordonjcp]

cost more than standard drive recovery - which itself costs in the region of $2k

That's for reading data off a quick-formatted drive. You *cannot* under any circumstances read data off a drive that's been overwritten even once. Well, assuming it was built this century, I suppose. If you've got critical data on an old ST506 drive, then your problems are largely of your own making.

Re:

[ZorbaTHut]

I've seen security researchers say otherwise. I have to admit I believe them more than I believe some dude on Slashdot.

Re:

[tftp]

Very hard to fake in real time, but it can be done.

IANAP (I am not a prestidigitator [wikipedia.org]) but I saw many on TV. It would be possible to take an HDD, show it to witnesses and then drop a different HDD into the smelter. Notebook drives are particularly easy to substitute.

This can be defeated only by the customer personally dropping the HDD into the machine, and the machine has to be inspected before and after the process, including checking the weight of the scrap. This presumes that the machine is sufficien

Re:

[symbolset]

If I were the customer concerned about my secret data, I'd put the drives under a hydraulic press first, then I'd roll the resulting foil up and give to the operator of a smelter.

If I were that concerned, my data never would have hit the drive in an unencrypted format anyway. And then I'd smelt the platters myself. But then that's my normal MO anyway, so nobody would notice this info was special. Thank God I don't deal with sensitive data because I'd have to come up with a method that was more secure.

An

Oops. Sorry.

[symbolset]

Should I have not done that?

Re:

[pak9rabid]

I'm going to have to plead ignorance here...nobody told me that this sort of thing was frowned upon.

Hand it back?

[Mishotaki]

So in the article, they say that they expect him to hand "it" back.. does that means that the poor guy who paid 77£ to give back the computer for free?

Personally i'd charge a hefty sum to make them get back that computer, just to make them remember that he paid and he was nice enough to tell them.

Re:Hand it back?

[timmarhy]

i'd charge the pricks a consulting fee for my time. a few grand should cover it. i certainly wouldn't be handing back what is entirely his property, since he purchased it fair and square they have no recourse.

mind you in his day and age i wouldn't be suprised if he ends up in jail for his honesty, if it was me i wouldn't be saying anything. if i was a more desperate man i might even have sold those details online for a princely sum....

Re:Hand it back?

[MichaelSmith]

i'd charge the pricks a consulting fee for my time. a few grand should cover it. i certainly wouldn't be handing back what is entirely his property, since he purchased it fair and square they have no recourse.

Do that and you go straight to jail, don't pass go, don't collect $200. Your consulting fee will be seen as extortion.

Re:Hand it back?

[timmarhy]

it's my property, how can i extort someone when they WANT to purchase something i own? by that logic every service fee ever paid on new car sales is extortion.

now if i went to them and said "pay me or i'll tell the media what retards your IT security guys are" that's extortion. but since it's already all over the news sites it's not possible to call it extortion.

it's also pretty damn cheeky (and just the thing i'd expect from a bank) to expect him to just hand back his purchase.

this would in fact be an interesting case to test in court as to who owns data when you purchase a pc. no doubt IP lawyers would be foaming at the mouth saying your buying hardware not software (that might shoot some of their, but then this isn't software but plain data which they didn't license so he'd have a reasonable expectation that it came with the sale.

Re:

[ecavalli]

"by that logic every service fee ever paid on new car sales is extortion."

Have you seen those service fees? You aren't far off.

Re:

[elgatozorbas]

this would in fact be an interesting case to test in court as to who owns data when you purchase a pc. no doubt IP lawyers would be foaming at the mouth saying your buying hardware not software

Good point. I don't know the slightest about American copyright law (strong IANAL :-) but it seems barely reasonable that someone sells you a medium and thereafter forces you to delete contents on this medium (you own, sitting in your house) without any compensation. They can wipe it if they pry the HD from my cold dead hands...

Nope. It's a copy, remember?

[cheros]

Legally the bank is in a rotten place (actually, the contractor even more so). If this was original data someone would have missed it by now given the volume, but it is a copy. He bought the system as-is, so he did not establish a provable record of intention.

He has been honest in reporting the find, but the fact is that the hardware is still his. If the bank wants to do ANYTHING with that data they will have to compensate him, and the nature of that compensation is very much a matter of debate.

It's a di

Re:

[Schnoodledorfer]

Extortion for what? He bought the system and all of the items with it legally. By most laws, that data is physically located on his property, and is legally his to do with what he wants. The inadvertent sale is not his fault; it's pretty much akin (I would think; IANAL) to being sold a house with $25,000 in the attic.

IANAL, and I'm on the wrong side of the Atlantic, but TFA mentioned a Data Protection Act. Aspects of it may well apply to anyone in possession of the data. It may well have be stolen property, too. The article gives no indication one way or another, nor did it identify the seller. It could be that no one wants to make an accusation until facts are known.

There is actually very little to go on from that article. The reporter seemed to know little more than that some spokesmen, who didn't seem to known much t

Re:

[carlzum]

I was going to say the same thing. You'd think he would get a premium to encourage people to come forward in the future. If people are worried they'll be under suspicion or have their equipment taken away, why would they do the right thing? The honest ones will trash the data. If other systems were sold off in the lot it may be discovered too late.

Re:

[Tony Hoyle]

If you buy something and it turns out to be stolen as in this case (and he will have damned well known it - a server including hard drives for £35/£55??) then you don't own it and it must be returned to the original owners.

The same way as if you buy a car for $5 you can't claim it's yours just because you paid for it when it turns out to have been stolen.

Taking bets!

[RyoShin]

How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.

Also, the summary leaves out something that might affect those of us on the other side of the pond:

A spokeswoman for the third company reported to be involved, American Express, said it took the security of its card members' data "extremely seriously".

Bold mine. I know they have different branches for countries and such, but I wonder if any of this data crossed international bounds.

Re:

[ScrewMaster]

How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.

I dunno ... it would be seriously bad PR to do that now that the story is all over the place. You can get away with screwing somebody like that if they report it to you privately: call in the gendarmes and have the Good Samaritan hauled off to the slammer. That happens more often than you might think (too many CIO/admin ty

Re:

[RyoShin]

I absolutely do. Not what they should do, but what they would do.

You seem to think I have a vendetta against the UK or US Government. While I do believe both could use a swift kick in the pants, this isn't because it's US/UK Gov't, but Gov't and large corporations period. I'd say the same thing if it was Germany, Switzerland, or Brazil.

I'm sure I could run through Slashdot and dig up a dozen articles where someone got caught in the middle and did the right thing to report it, only for the government to c

Goodwill

[gnu-sucks]

I bought a sun box at goodwill once and besides an intact customer database for several large companies, it also had the admin's personal backup files, including his "My Documents" folder, his Palm cell phone, and 1200 dpi scans of his passport. Oh, and some file called "passwords.doc". No idea what is in there...

More details here:
http://lfnet.net/blog/?p=41 [lfnet.net]

But yeah... wipe it before you get rid of it.

Re:

[Ghworg]

Never mind wiping it, this stuff should never be stored unencrypted in the first place.

Bugger....

[s0litaire]

I was just going to pick up a cheep 1U server for a Mod Project! Now i've no chance! Everyone will be buying up every server hoping for Disks full of Banking details now!! :(:(

Its stupid, but understandable

[PPH]

Its tough to sell a machine with no O/S on it. Most buyers will take one look at the retail price of XP (for example) and subtract that from their eBay bid. Most sellers are unwilling to risk a complete disk scrub and reinstall. Even if they are, its doubtful that they still have (or ever had) media to do an install on a clean system. The most that the non-tech savvy will attempt is to drag the contents of 'My Documents' to the trash can icon.

This is an opportunity for a Linux distro. Include an easy-to-use boot/nuke/install mode and offer them to people who put systems up for sale on various web sites.

Apparently the buyer met the Federal Reserve price

[xmark]

bada-boom

[ducks]

DBAN

[GodfatherofSoul]

Learn it, know it [dban.org]. A very simple utility for wiping drives that you can run as a boot disk.

Not just computers

[SMS_Design]

I found a stack of customer record printouts with names, numbers, addresses, financial info, and SSNs in a house I bought just this year.

..I also found the former owner's hidden pot grow equipment.

Hah

[David Gerard]

In the UK, of course, the government distributes your information to everyone by USB key [today.com] ;-)

Srsly, the Information Commissioner is getting very shitty about this sort of thing and seriously talking about prosecuting government departments (i.e., senior civil servants) for data breaches. You can be sure a few private companies will make good notches on his Clue Gun.

My brother had the same experience

[smellsofbikes]

He's a computer tech, and bought 3 systems at an auction, to fix up and resell.
Every one of them booted up to Win2K, every one of them had enormous amounts of customer data for a local branch of a large stock/securities brokerage -- people's names, social security numbers, account numbers, account contents, you name it. The mother lode of high-$ personal information.
He said that what really worried him was that his sample size was 3 out of 3 computers he'd purchased, all loaded with personal information, b

Encryption is dead

[gilgongo]

Encryption must be dead. I mean, if even banks don't think to routinely encrypt sensitive data, what hope is there?

Surely it's not that hard to get into the groove of encrypting stuff like this? I would have thought that by the year 2008, all servers, however mundane, would have their drives encrypted to at least remove the possibility of them turning up on eBay with their data hanging out.

Yes, encryption won't protect from an inside job, and yes, most people forget passwords and put them onto stickies, but

Re:

[DarthJohn]

The thief who stole it?

Re:

[YrWrstNtmr]

Once again I am reminded of the boundlessness of human stupidity.

2 or more departments in the chain, that don't talk to each other.

IT, who removes it from the desk or floor. They are 'supposed' to wipe it. They don't, for whatever reason.
Disposal dept, gets a stack of random PC's to dispose of. "IT", according to policy, was supposed to have sanitized them, so Disposal never powers them up to check (doesn't have the time or resources).
Result - PC with sensitive CD still in the drive gets sold.

Re:Wait... what!?

[Zaiff Urgulbunger]

You might not have seen the video clip with the article [I don't know if it's visible outside the UK] but the guy said he bought two servers, one booted and had been wiped, the other didn't boot. It didn't boot because it was missing it's ram (or the chip was unseated), so anyway, he sorted that out, booted it up and found the data.

Soooo... one wonders if the machine didn't get wiped simply because the various techs could boot it and decided it was too much effort to move the drives to another machine?

Re:

[bernywork]

If the machine came in contact with this data, why the drives were even sold is beyond me. The drives should have been removed and run through a shredder / grinder.

Any machine that contained data or could have contained such as this should have been through a more... robust... decomissioning process.

Re:

[mikael]

Maybe the techs didn't have the right screwdriver to remove the hard disk drive? For some bizarre reason, certain manufacturers seem to delight in using Torx screws (hexagon socket) [exportpages.com] to secure their hard disk drives, while everything else is the standard PC screw (Reference diagram [uwa.edu.au]). The only way to remove this type of screw without damage is to have the exact Torx screwdriver available.

If the disks were in a RAID array, care would have to be taken to make sure they were replaced in the exact sequence as the

Re:

[mikael]

I usually have the torx bit close to hand, and it is easier to (un)tighten them than a phillips. I don't mind them at all.

If you have exactly the right screwdriver, they are a breeze to remove. If you don't have exactly the right screwdriver, they are almost impossible to remove, thus delaying the decommissioning of a system for two days until a toolkit could be delivered.

Trust but verify

[symbolset]

This is nothing less than bad management.

It should be understood by all involved in the disposal of surplus that a random few samples will be removed from the pallets at the last minute and tested for thorough data shredding outside of their organizational group, and this testing will complete before the surplus is released. It's very important that this testing actually be done. It's more important that this testing is believed to be done. The people responsible for doing the wiping should be trusted me

Re:outbid

[MichaelSmith]

Oh, crap.. i was outbid by £10. If only i knew the content..

Why? He is going to lose the system and runs the risk of being locked up as a thief. I would say you doged a bullet (unless you are joking).

Re:

[WK2]

I think tandiond was implying that he would not have made the mistake of telling anyone what he had found, but would instead use the opportunity for personal gain.

And I am sure that he was joking. How could he have known that the article was referring to the same computer that he recently lost a bid on?

Re:

[lz2pt]

Ach, don't worry..
In a couple of weeks, as the economy slips further into the blessed state of Titzup, you'll be able to purchase the bank itself on Ebay c/w whatever assets the FatCats have left it with for a fraction of what he paid for this server alone..

Re:

[timmarhy]

"You could have walked into a local branch and asked to speak to the manager, carrying the drive"

thats a really really stupid idea. he'd have been thrown in the slammr for sure. he only had 2 options. stay quiet and tell no one at all, or go full blown public screaming from the hill tops so that there was too much public attention to risk making him disappear.

Re:

[Anonymous Coward]

I know in the Slashdot world of spooks and big evil government everyone's out to get you and you have to play the paranoid schizophrenic... back in the real world you don't get disappeared for doing the large scale equivalent of handing in a wallet that you've bought from a guy down the pub and found to have someone else's credit cards in it.

Really, go out a bit in the world and relax - your bank manager is a human, maybe you even know them fairly well, and definitely they'll be happy with you for reportin

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jeremyp]

To be honest, I don't care about your need to buy second hand hardware on eBay cheaply, but I do care about my bank's incompetence at keeping its data secure (I'm a customer of Nat West, possibly soon to be ex customer). If this man had tried either of your suggestions, I would never have known about their stupidity.

You really do need to get a sense of perspective.

Re:

[smashin234]

The CIA is already on their way, your tarring and feathering shall commence very soon. It took them only 2 more seconds to find you since you posted as AC.

Put that tin foil hat on ASAP

Re:

[David Gerard]

I'd think not. If you bought a computer and it was full of MP3s and movies you wouldn't suddenly own that data!