RBS customer details among those found on £35 eBay computer




Published Date: 26 August 2008
PERSONAL details of customers of three high street banks, including the Royal Bank of Scotland, have been found on the hard drive of a computer sold on eBay for £35, it emerged today.
Information including bank account numbers, phone numbers, mothers' maiden names and signatures of customers of the Edinburgh-based bank, along with American Express and NatWest, were found on the computer.

The buyer, Andrew Chapman, an IT manager from Oxford, found the information on the computer's hard drive, the Independent newspaper reported.

It had belonged to data processing company Mail Source which is part of Graphic Data, a company that holds financial information for organisations, and was used at the firm's archive centre in Shoeburyness, Essex.

A Mail Source spokeswoman said today the employee who sold the computer had made an "honest mistake".

She said the company was investigating, but stressed that the sale had been an "isolated incident".

She said: "The computer was removed from our secure storage facility in Essex and sold on eBay.

"We know which employee took the server and sold it, but we believe it was an honest mistake and it was not intentional to sell it without the server being cleared.

"We want to stress that this is an isolated incident and we are investigating how the server was removed and sold. The security we have in place is what we are known for.

"This is a very unfortunate incident and we are taking measures to ensure it will never happen again."

Jenny Thomas, a spokeswoman for eBay, said that an item such as this should never have been sold on eBay and that the company is working with Graphic Data to investigate the sale.

An RBS spokeswoman said: "Graphic Data has confirmed to us that one of their machines appears to have been inappropriately sold on via a third party.

"As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed.

"We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency."

A spokeswoman for the Information Commissioner's Office said that Mr Chapman had not yet handed the computer over to them but as soon as he did an investigation would be launched.

Ms Thomas said: "Clearly such details should never have been included in the hard drive of the computer offered for sale on eBay. We fully expect Mr Chapman to hand it back to Graphic Data as soon as possible.

"We will, of course, work with Graphic Data to establish how it came to be available for sale on our site."

The full article contains 455 words and appears in The Scotsman newspaper.

 
1

Grumpy,

26/08/2008 10:19:37
So the answer is to fine Graphic Data heavily for breaches of the Data Protection Act - one fine for each and every breach. But what were they doing with the information anyway? Seems the Data Protection Act is doing what it's supposed to do - i.e. protect your confidential data
2

Active Sassenach,

Luton, England 26/08/2008 11:21:06
Re-arrange into a well-known phrase or saying: rodent, odour, verb and subject in the first person.

Does Mail Source/Graphic Data normally sell its surplus and obsolete file servers on E-Bay? If so, in accordance with what company rules and policy? Surely that policy must provide that the "person known" who did this on the company's behalf took the file server and the procedural check list.

Item 1: tick this box and initial it to confirm you checked that all proprietary information and software has been cleared and the unit reduced to its basic generic operating system.

Item 2: tick this box and initial it to confirm that the E-Bay proceeds will be directed to the Mail Source/Graphic Data E-Bay account and no other.

The check list falls down at the point where Jenny Thomas of E-Bay says that this item should never have been sold on E-Bay. It would have cost Mail Source £35.00 to obtain and bank the proceeds of sale. Most companies would wipe this stuff and give it away or have a named and secure contractor to call every so often, clear the machines and take them away at an agreed price.

Mail Source's fairy tale stinks and they should be taken well and truly to town and back by the Data Protection system. Since the lack of security that Mail Source clearly has in place is now what they are known for, market discipline must surely follow the Information Commissioner and put them out of business so this cannot happen again.
3

The Former Mr. Angry,

Perth 26/08/2008 11:32:57
Hmmm, yes big companies like this always sell their old stock on EBay. An honest mistake? What one at a time? Looks like a possible security breach in letting employees do what they like with the old gear. What reassurance do we have that further breaches have not already happened and will not happen in future?
4

EK,

Edinburgh 26/08/2008 15:50:40
It always amazes me after an event like this that the powers that be are extremely sorry, how seriously they say they are taking the incident that they will investigate it thoroughly and that it will never happen again! (That's supposed to get them off the hook isn't it!) Shame they don't have the same level of dedication aimed at preventing this type of incident in the first place. It seems that with modern technology, no one knows exactly what is going on any more. We have been warned!
5

JT,

26/08/2008 17:27:43
Can the banks tell us what they are going to do for these customers whose details are on these laptops?
6

The Former Mr. Angry,

Perth 26/08/2008 19:56:10
#5 JT

It would only be fair to warn them that if such a breach were to take place that there would be £30 levied on them immediately for admin purposes in writing to them to get them to take action and a further £30 per day they did not take it and interest accrued. Plus of course sued for any damages incurred due to the security breach. Fair I'd say. It seems to work well the other way round.

7

MacFergus,

ZEIST, Netherlands 26/08/2008 21:53:35
So probably Graphic Data will now ensure that this particular mistake will not happen again. But as there are thousands of ways for security to go wrong, their total security will improve negligibly.

Security can never be reached via "post-event add-ons", but needs to be designed into the whole IT system (hardware, software, orgware, and the humans involved) right from the base up. For instance one needs to ask "why was this data on this hard disc at all, instead of only on a high-security central server?"

We need a major leap in the quality of security of all IT systems (in banks, civil service, and all other areas). That will only come about when there is a legal requirement for all IT systems (in this broad sense) carrying sensitive data to receive approval from an independent "security audit" (just as financial audits are required). Failure to do so, or faulty audits, need to entrain full civil and penal liability. When the insurance premiums to cover these liabilities mount high, good security will pay, and become good business practice. We cannot expect business to invest these costs if there is no financial and legal incentive.
8

zigzag,

Canada 27/08/2008 02:12:21
So Mr Chapman should now sell this PC back to Graphic Data for the princely sum of 100,00 pounds sterling.
That should be an adequate amount to teach them a lesson in truly protecting confidential info in the future.
What is an "honest" mistake worth these days?

If it was me, I'd squeeze them where it hurts big time.

 
