Computer With UK Bank Customer Data Sold On eBay

Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay, and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary Natwest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."
  • by zappepcs ( 820751 ) on Tuesday August 26, 2008 @11:34PM (#24760277) Journal

    Yes, you could do that, but I think that erasure and encrypting the whole drive will also accomplish this. I believe that there is still a possibility of recovering the data even if wiped over several times. You can find lots of information about this on 'the Google' if you like. Here is a link to a zdnet blog about it: http://blogs.zdnet.com/storage/?p=129 [zdnet.com]

    If you can simply smelt the drives, that is complete destruction. Anything else depends on the level of 'it's not there anymore' you need. Far too many people don't care or believe their data can be used from an old disk. They also don't understand that a format will not necessarily overwrite anything on the drive. sigh.

    Encrypting the whole drive will scramble the bits fairly well. Follow up with low level formatting and it should be difficult enough to recover anything from the drive without the encryption password, never mind that the file system has been rewritten.
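
Added example (not part of the thread or of any commenter's post): a pre-disposal check for the point made above that a format does not necessarily overwrite anything, using the ISO files mentioned in the story as the thing to look for. The disk image, its layout, the `FAKEFS` metadata area and the `BACKUP_2005` label are constructed samples; the quick format is modelled as rewriting only the metadata region.

```python
import os

SECTOR = 512                 # scan granularity; file data starts on sector boundaries
ISO_MAGIC = b"CD001"         # ISO 9660 volume descriptor identifier (bytes 1..5)
ISO_DESC_OFFSET = 16 * 2048  # first volume descriptor sits at sector 16 of an ISO

def make_iso_stub(label: bytes) -> bytes:
    """Constructed sample: minimal ISO-like blob with a primary volume descriptor."""
    blob = bytearray(ISO_DESC_OFFSET + 2048)
    blob[ISO_DESC_OFFSET] = 1                        # type 1 = primary volume descriptor
    blob[ISO_DESC_OFFSET + 1:ISO_DESC_OFFSET + 6] = ISO_MAGIC
    blob[ISO_DESC_OFFSET + 6] = 1                    # descriptor version
    blob[ISO_DESC_OFFSET + 40:ISO_DESC_OFFSET + 40 + len(label)] = label  # volume id
    return bytes(blob)

def make_disk(size=256 * 1024, data_start=64 * 1024) -> bytearray:
    """Constructed sample disk: metadata area at the front, one ISO in the data area."""
    disk = bytearray(size)
    disk[0:16] = b"FAKEFS-METADATA!"
    iso = make_iso_stub(b"BACKUP_2005")
    disk[data_start:data_start + len(iso)] = iso
    return disk

def quick_format(disk: bytearray, metadata_len=64 * 1024) -> None:
    """Model of a quick format: only the filesystem metadata is rewritten."""
    disk[0:metadata_len] = bytes(metadata_len)

def full_overwrite(disk: bytearray) -> None:
    """Single-pass overwrite of every byte with random data."""
    disk[:] = os.urandom(len(disk))

def find_iso_descriptors(disk) -> list:
    """Return sector-aligned offsets where an ISO 9660 descriptor header survives."""
    hits, pos = [], disk.find(ISO_MAGIC)
    while pos != -1:
        start = pos - 1                              # type byte precedes the magic
        if start >= 0 and start % SECTOR == 0 and disk[start] in (0, 1, 2, 3, 255):
            hits.append(start)
        pos = disk.find(ISO_MAGIC, pos + 1)
    return hits

if __name__ == "__main__":
    disk = make_disk()
    quick_format(disk)
    print("after quick format:", find_iso_descriptors(disk))
    full_overwrite(disk)
    print("after full overwrite:", find_iso_descriptors(disk))
```
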

  • by Anonymous Coward on Wednesday August 27, 2008 @01:03AM (#24761017)

    DBAN [dban.org]

  • DBAN (Score:3, Informative)

    by GodfatherofSoul ( 174979 ) on Wednesday August 27, 2008 @01:27AM (#24761207)
    Learn it, know it [dban.org]. A very simple utility for wiping drives that you can run as a boot disk.
  • by jtcedinburgh ( 626412 ) on Wednesday August 27, 2008 @03:21AM (#24761821)

    OK, I have to pipe up on this one.

    I've previously worked a few freelance tech gigs at RBS and the one thing I can say with certainty is that their internal security is extremely tight. Tighter than anywhere else I've worked in my time. The fact that anything gets done, EVER, is a minor miracle in the face of the mountain of red-tape, security, bureaucracy and general faffing with sign-offs and corporate governance that is needed to do pretty much anything.

    So, I'm going to pipe up on behalf of RBS, your honour... :-)

    Thing is, one thing I categorically don't believe is that the responsibility for handling customer data like this would fall to one individual without direct accountability. Knowing RBS, there would be forms to fill in, checks made, audits done and any handling of customer data would need to be signed off at a high level, and would be entirely traceable. Which is to say that if there's a breach, I don't think it's likely to be a break-down in procedure.

    Now, you might laugh about this, but I know how many hoops I had to jump through to get things like dev rights on a developer box ("so, let me get this straight, sir, why do you need to be able to write to the C: drive?" - that sort of dumb thing) so I really doubt that a half-wit in marketing or HR or whatever would be entrusted with such data. It is kept under lock and key and it would certainly be VERY UNUSUAL to be allowed to make a cd copy of customer data. To do so would require sign off from Very Senior Management (at Director level), and hence visibility at EVERY STAGE and accountability for EVERY ACTION would be enforced with *GREAT RIGOUR*...

    So my money is that this isn't what it at first appears to be - it could be the case that this is something else and the press have got the wrong end of the stick.

    Or maybe I'm wrong. Often am, you know... ;-)

  • Re:Honesty (Score:3, Informative)

    by larien ( 5608 ) on Wednesday August 27, 2008 @03:29AM (#24761857) Homepage Journal
    Doubt it. BoS (I assume you mean Bank Of Scotland) won't as it was information from RBS (Royal Bank of Scotland Group) which was lost. As far as I've heard, there hasn't been any suing going on anyway.

    The worst part is that RBS didn't actually have a breach, it was a 3rd party. That, of course, could well lead to someone getting sued.

  • by rapiddescent ( 572442 ) on Wednesday August 27, 2008 @04:41AM (#24762145)

    As another tech contractor who has worked in the past at 113DS, FR and GF - I know what you mean about getting dev access or access to one of the gigantic machine rooms. I would say that RBS core systems and its brands (natwest, coutts, Ulster(s)) are extremely secure to the point of not being able to do any work. Even the due process to make a change to a production system is amazing with full-time boards spending all day evaluating every change.

    From what I read on finextra.com, it looks like this box was owned by a supplier firm and subsequently was stolen by an employee of the supplier firm and sold on ebay. Also, the box had not been used since 2005 - perhaps an old server in the cupboard (of the supplier Graphic data) that an employee thought they could sell on ebay. I am struggling to see how this would have happened as a badged RBS server at one of the EDI datacentres. They run a tight ship.

    One thing for sure, Graphic Data can kiss goodbye to their contract with RBS - one thing I know about RBS is that they are very worried about security breaches - especially public ones like this.
