Banks warn millions after computer with personal details sold on eBay



Video: Computer security expert Sal Viveros analyses the risks posed by lost personal data

Published Date: 27 August 2008
ABOUT a million customers across the UK will be contacted by three high-street banks after a computer holding their personal details was sold on the auction website eBay for £35.
Information found on the computer included the bank account numbers, phone numbers, mothers' maiden names and signatures of customers of American Express, NatWest and Royal Bank of Scotland.

The eBay buyer, Andrew Chapman, an IT manager from Oxford, found the information on the computer's hard drive and raised the alarm.

The banks involved refused to disclose what advice would be given to customers whose details – understood to date back about three years – were on the computer. It is thought unlikely the computer had fallen into the hands of criminals. The customers affected are likely to be asked simply to check their account statements.

The computer belonged to a data processing company, Mail Source, part of Graphic Data, a firm that holds financial information for organisations, and was used at Mail Source's secure storage facility in Essex.

Mail Source said it was still investigating how an employee – who has since left the firm – had come by the computer, which had not had its disk wiped.

Mr Chapman, 56, said it was unlikely "any man on the street" would have bought the computer, as it was listed on eBay as a server from a data centre, but a basic knowledge of computers would have made accessing the information quite simple. He added: "It would possibly have been quite easy to find if you know something about computers. It's lucky I found it."

James Jones, of the credit reference agency Experian, said people should not panic as the information had not fallen into the wrong hands. He said: "This is a bit of a close shave, although it is hardly isolated. Unless you've been particularly careless with your details, the bank will always cover the cost of any fraudulent activity on your account."

Sandra Quinn, director of communications at the payments body Apacs, said: "Since this information appears to be more than three years old and the information does not itself appear to have been sold on, it's likely that the banks involved will simply write to customers and ask them to check their statements."

Mail Source insisted the employee who sold the computer had made an "honest mistake". The company is investigating how it was removed from a secure location, but stressed the sale was an "isolated incident".

A spokeswoman said: "The computer was removed from our secure storage facility and sold on eBay. It was neither planned nor instructed by the company to be disposed of. We know which employee took the server and sold it, but we believe it was an honest mistake and it wasn't intentional to sell it without the server being cleared. We're taking measures to ensure it'll never happen again."

An RBS spokeswoman said: "We take this issue extremely seriously and are working to resolve this regrettable loss as a matter of urgency."

A spokeswoman for American Express added: "We take the security of our card member data extremely seriously and have strict guidelines for suppliers around the security of information. We're currently working as a matter of priority to establish exactly what data is impacted and identify the card members who may be affected."

A spokeswoman for the Information Commissioner's Office said an investigation would be launched.

The full article contains 574 words and appears in The Scotsman newspaper.

 
1

Matt there,

somewhere 27/08/2008 00:08:47
So it was all an honest mistake! Phew! That's all right, then, eh?

Well no it isn't. The Information Commissioner will be calling on everyone concerned.
2

AVRENIM,

Montvalent 27/08/2008 00:44:23
I would like to be an Information Commissioner - does the relevant government department have my CV ?
3

Charles Linskaill,

Edinburgh 27/08/2008 02:24:13

FOR GODS SAKE!

Again I told you all, we are living in a 'Loony Bin',..

Attacked by the 'Aliens' whilst we were all 'fast asleep',..

Them 'Cretors' came to cause 'Havoc' and 'Mischief' for us all! :)
4

!Ya basta!,

27/08/2008 05:27:45
Mail Source and Graphic Data should be suspended from business immediately until the banks and the Commissioners Office can ensure that their systems are safe. This is an almost unbelievable lapse for such a company and the banks also should have picked up on it.

Customers should be fully informed immediately of course.

The banks through auditing and inspection should also have made sure a system was in place to prevent this from happening. There should be at least 3 stringent security steps in place, it sounds as if there was only weak one. From the admittedly sketchy evidence in the article, there is a case for negligence on the banks' side as well as Graphic Data.

Anyone that knows anything about risk management and Failure Modes Effect Analysis (FMEA) knows that there is no such thing as an "isolated incident". There is need for a root cause analysis which will show the failings in the system. Dismissing it as an isolated incident is a very worrying attitude and implies even more that they don't know what they are doing.

We are continually told about the efficiency and sophistication of the private sector, especially in finance but with this kind of thing and the credit crunch the Banks don't look too strong on risk management at the moment do they?
5

Jim A,

27/08/2008 07:06:54
"Mail Source said it was still investigating how an employee – who has since left the firm – had come by the computer, which had not had its disk wiped".


Hmmm, this sounds like a simple ID10ts error
6

Boy Wonder,

27/08/2008 07:39:48
And Notrachucklus is here with dire warnings and predictions again @#3. Take note of his ravings. 94 year old men with senile dementia have been around the block you know. Chuckles is still going round his own particular bend!
7

Grumpy,

27/08/2008 07:44:16
Too many of this type of incident (losing customer confidential details) is happening these days. I agree with !Ya basta!

Not only should compensation be paid by RBS for letting this data get out of their hands in the first place, but both RBS (who engaged Graphic Data) and Graphic Data themselves should be fined extremely heavily for breaching the Data Protection Act. As should the individual who sold the laptop with the data still on it.
8

Harumph,

Falkirk 27/08/2008 08:52:51
Sounds to me like the server was stolen and sold for profit by some 'enterprising' former employee. Bet they wish they'd looked at the data first-that might have made it more worthwhile than the measly £35 they got for it on eBay!!
PS Is it just me or are Charles Linskaill's posts mental?
9

bluehead,

edinburgh 27/08/2008 09:52:20
my God!!!! is there nobody out there we can trust??
what a mess, no wonder the people have given up all faith in governments, banks, and all the assorted politicians roaming this land and mucking up things as they go along, even when we change governments, all we do is change one bunch of nitwits for another heap of chancers, the whole system should be reformed.
10

Jacqueline Hyde ,

On the shelf 27/08/2008 09:54:41
It's quite disgraceful that RBS employs an organisation that can't afford $45 to ensure that the data on its computer is fully encrypted. Presumably it has a new computer now and I hope it will spend its £35 on protecting the data with which it has been entrusted.
11

Jacqueline Hyde ,

On the shelf 27/08/2008 09:56:44
#9
They used to be mental but he's gone downhill a lot since then.
12

The Former Mr. Angry,

27/08/2008 09:58:51
#9 Harumph

Yes it looks very much like some private enterprise going on behind this company's back very much to their great embarrassment. However it's not good enough to dismiss it as a one-off and an "honest mistake" as it's been described. Honest? Mistake? With millions of pounds of customers' money at stake the very least it is is criminally irresponsible.

And to assume it is a one-off without further investigation is either naive, or they're trying to hush it up. How many other servers have been siphoned off and gone onto eBay? Is this with the complicity of management or is it purely a staff scam? Lots of questions need to be answered before anyone can feel safe that their data is secure with this company. The usual bleat of "we take security very seriously" is just ringing hollow now - what it demands is high profile convictions to focus minds.

Charles Linskaill's posts are - let us say - "unique" and very well but unnecessarily punctuated with quote marks round nouns wherever possible. Boy Wonder has it that he is a 94-yo suffering from senile dementia but his posts are usually quite amusing and occasionally cogent! He's a bit of character round these parts.


13

Edinburgh RBS customer,

edinburgh 27/08/2008 10:12:00
Good to see that the banks don't even handle their own data eh? It's like the prison service and the comedy prisoner taxis, once you relinquish control to third parties of critical systems, you are exposed to their integrity. Which in the cases of Reliance and Mail Source is clearly deficient.

#9, He's a complete loon, and mildly annoying even to the casual observer. Makes threads tedious to read because you have to scroll past his inane rants. Really needs to get something more constructive on which to focus his long days.
14

Evan Owen,

Snowdonia 27/08/2008 10:36:49
Why not just sell everyone's details and get it over with?

The financial institutions already sell 'basic', information which includes contact details so that companies can 'target' them with 'offers' that might be of 'interest'. Strange how these 'customers' are never party to the payment for all this 'confidential' information, never mind, the men at the top will get £squillions in bonuses for selling or losing the information so who cares?

Well I DO!!
15

Harumph,

Falkirk 27/08/2008 10:57:58
Just had another thought having reread the posts - This may be an 'isolated incident' but so is going overdrawn for many people. Yet the banks will still charge for sending you a letter, interest on anything over the limit and probably a one off charge because they feel like it. So everyone whose details were on there should get at least £20 and we can each send them a letter demanding random amounts for our 'administration' costs. It sure costs me as much as £50 to look up my bank balance and post a letter ...
16

weewumman,

Bristol 27/08/2008 11:16:20
I wonder how many of you are aware that this kind of "appropriated/misplaced" PC equipment in government departments has also been going on for at least ten years to my knowledge!

An ex IT contractor, I was involved in an audit of one of the largest government department's IT equipment. The bottom line was that, as the audit progressed, they very often had absolutely no idea where some of it was or even if it was still in their possession! The equipment that they did have had to be audited for installed software as well as they really had no accurate idea what was being used on their PC's.

Satellite offices had some PC's they'd never been allocated and others appeared to be short of stuff they should have had (or so they thought!).
It was a total shambles!
17

G,

dundy 27/08/2008 12:31:32
Don't wait for the banks to tell you to check your statement......do it all the time...fraud is not difficult to do OR to spot...
18

Glenhuon,

NSW Australia 27/08/2008 13:37:41
It happens everywhere. As someone who has been a "recycler" of both personal and corporate computers for a long time, it still amazes me the personal and business information that is left on hard drives. Names, bank accounts, and in one case, pornographic pics on an ex school puter ( in the teacher restricted section). It's not so hard to "wash" the drive, there are lots of free programs there to do it. Just slackness on the part of the IT staff.

19

westview,

banking on independence safeguard my privacy. 27/08/2008 16:02:45
Why not cut out the middle man? The banks and the British Government can make money by just selling our details to the crooks or the mafia or foreign governments direct. No need for small scale crooks to sell on our stolen data, just sell it direct to anyone who wants it, and pocket all the profit! Or is THAT why they want us all to be identity carded and filed?
20

Jaime,

Scotland 27/08/2008 16:05:25
I rang my RBS Branch after this news broke to ask what they were doing to re-assure me that my accounts were safe, especially as I am to be on holiday abroad over the next few weeks. Answer? Check my accounts regularly. On holiday? On a public computer? So I rang their Fraud dept., who told me I could have added encryption on my personal details and they gave me a number to ring. And yes, I can have the added encryption - but only if I pay THEM £14.80 for the added protection. Or else, I can pay Experian to check my personal details and credit status for me - available through RBS - AT a hefty cost TO ME?? Getting suspicious here of RBS adding value to its defunct operations? So am I.
21

RSBuff,

GA/USA 27/08/2008 17:16:08
I'd be making sure that my spell checker had the word "litigation" in it. I'd be looking for more than 35 pounds in compensation, too.
22

Active Sassenach,

Luton, England 27/08/2008 17:48:56
This story was covered in The Scotsman here:

http://news.scotsman.com/latestnews/RBS-customer-details-among-those.4425930.jp#3159512

On that article I posted at #2 that Mail Source's fairy tale stank on the information that was available at the time. In my post I queried Mail Source's policy for disposing of equipment on E-Bay and you will see above that it is not their policy to dispose of it on E-Bay. So who took the £35.00 that Andrew Chapman paid?

The holes and inconsistencies in Mail Source's fairy tale become more apparent every time someone from the company opens their mouth. They may like to note that the maximum penalty for perverting the course of justice is life imprisonment and to review Archbold on justice offences on the CPS website - which they can look up for themselves.

Taking my employer's property and auctioning it on E-Bay when it is not my employer's policy for that property is NOT an honest mistake. It is a criminal offence of theft with potential for a seven-year jail sentence.

There is only one way to stop Mail Source from repeating this misconduct. Its creditors should apply for it to be wound up in the public interest and I urge them to do so. If American Express are taking the security of their customers' data so seriously, they will make the same plea to the creditors of Mail Source.
23

Kipling,

29/08/2008 18:00:29
RBS/natwest was careless with data long before this farrago. And their attitude was negligent. Now, due to the digitising of data and the size of memory available on memory sticks, discs, computer hard drives, what might have affected individuals who could not team up together, and therefore had no public impact, affects thousands of individuals and hopefully will have a significant impact. Once arrogant towards customers' rights and privacy, still arrogant towards customers' rights and privacy. Purge the lot of them and hold public trials.
24

St Monance,

Toronto & Fife 31/08/2008 21:15:18
As a RBS customer my major concern is that there is no indication that this honest purchaser has been rewarded. Imagine how much he could have made in selling on the information. Publicizing a big reward would encourage others in the same position to take the route to return the data rather than reap large rewards from those who would exploit us. Come on, RBC, American Express and the rest of you . . . what did the purchaser/finder of data receive?

 
