The Daily Mail reports that a UK Government investigation was launched after the personally identifiable information (PII) of more than a million bank customers was found on a computer sold on eBay.
Highly sensitive information on American Express, NatWest and Royal Bank of Scotland customers was found on the disk array sold for £35.88 (about $72).
The UK Information Commissioner’s Office (ICO) said today that it would examine how eBay customer Andrew Chapman came to acquire the names, addresses, mobile phone numbers, bank account numbers, credit card numbers, mothers’ maiden names and even signatures of bank customers.
The banking information was being held by the archiving firm Graphic Data, which copies paperwork from some of Britain’s biggest financial organisations, then stores it digitally.
This is the stuff that a CIO’s nightmares are made of: a third-party supplier with lax data protection controls lets this sort of data out into the public domain. Only last week PA Consulting announced that one of its employees had lost a memory stick containing data held by the UK Government on every inmate of Her Majesty’s Prison Service.
The data was on a Quantum Snap! NFS drive array previously used at the company’s archive in Shoeburyness, Essex. A former employee sold it on eBay earlier this month.
Crucially, he did so without first erasing the internal disks. Nor was the array configured for encryption at rest, so the scanned image data was openly readable by whoever bought it.
According to the Daily Mail, some of the data came from NatWest and included thousands of applications for credit cards. There were also 1,314 credit card balance transfer requests received by American Express. Each contained the customer’s name, address and signature and the numbers of the cards. Information from RBS included yet more card applications and credit checks.
The massive data loss, one of the worst ever in Britain, is a clear breach of the banks’ obligation under the Data Protection Act to keep all personal information secure, and of their obligations under the Payment Card Industry Data Security Standard (PCI DSS), which sets specific and tight rules for storing and handling cardholder data such as card numbers. Outsourcing the archiving to a third party does not transfer those obligations: the banks remain the data controllers.
A similar data security breach at the UK’s Nationwide Building Society resulted in a fine of about £1M (about $2M US). I bet that the culprits wish that the only consequence was the fine, as the reputational damage suffered by NatWest and RBS is incalculable.
OK, so what can be done to protect sensitive data?
- Centrally manage every point where PII leaves your organisation through a Data Protection Team, and give that team the authority to stop any data movement immediately at its discretion
- Encrypt all copies of PII, including backups
- Document where all PII is kept, and for what reason
- Ensure rigorous asset management and decommissioning processes are in place so that disks and tapes cannot leave your care in an uncontrolled way; wipe (or cryptographically erase) and verify every drive before it is resold or scrapped
- Encrypt the disks of laptop computers (full-disk encryption)
- Set up email scanners to detect and block PII leaving the company
- Ban, and technically prevent, the use of memory sticks and DVD/CD writers except by the Data Protection Team
- Use centrally defined, standard technology to ensure data is encrypted at source
- Put in place well-defined handshake processes so that data is not tampered with or lost in transit, and confirm delivery with a positive acknowledgement from the receiver
- Ensure all PII has a well-defined, clear data deletion plan that is rigorously enforced
- Consider using Digital Rights Management software and processes to wrap data so that only those with a licence to use it can access it
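The decommissioning point above is the one this breach turned on: the array was sold with its disks intact. The script below is an added example, not code from the original post or from any of the organisations named in it. It shows the part of a decommissioning process that most shops skip, the release gate that refuses to let a drive go until an overwrite has been verified. To run offline it works on a constructed 1 MiB image file seeded with made-up records; the `CARD=` tag, the fake record contents, the function names and the `--demo` flag are all assumptions of this example. On a physical drive the overwrite pass would be replaced by the device’s own erase (`hdparm --security-erase-enhanced` for ATA, `nvme format -s 2` for NVMe), which this script does not invoke, because overwriting through a filesystem cannot reach remapped or wear-levelled blocks; the verification step is the same either way.

```shell
#!/bin/sh
# Added example (not from the original post): overwrite a disk image, then
# verify that nothing readable survives before the asset leaves your control.
# Runs against a constructed image file; see the lead-in for what changes on
# real hardware (ATA Secure Erase / NVMe crypto-erase instead of dd).
set -u

MARKER='CARD='   # hypothetical record tag used to seed and then hunt for PII

# Build the constructed sample: 1 MiB of zeros with fake customer records
# scattered at several offsets, the way scanned application images would be.
make_sample_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null || return 1
    i=0
    while [ "$i" -lt 8 ]; do
        printf 'CARD=4111111111111111;NAME=A.N.OTHER;MMN=SMITH\n' |
            dd of="$img" bs=1 seek=$((i * 131072 + 4096)) conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
}

# Print how many records are still readable in the image (0 means none).
count_markers() {
    grep -a -c "$MARKER" "$1" || true
}

# Overwrite every byte in place: one random pass, then a zero pass.
# conv=notrunc rewrites the existing blocks rather than allocating new ones,
# which is what an overwrite of a block device does.
wipe_image() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    head -c "$size" /dev/urandom | dd of="$img" conv=notrunc 2>/dev/null || return 1
    head -c "$size" /dev/zero    | dd of="$img" conv=notrunc 2>/dev/null || return 1
    sync   # make sure verification reads the medium, not the page cache
}

# Release gate: pass only if no record is readable AND the whole image reads
# back as zeros, so a pass that silently stopped short is caught as well.
verify_wiped() {
    img=$1
    [ "$(count_markers "$img")" -eq 0 ] || return 1
    nonzero=$(tr -d '\000' < "$img" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Stand-alone demo: sh wipe_verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp)
    make_sample_image "$img"
    echo "before wipe: $(count_markers "$img") records readable"
    wipe_image "$img"
    if verify_wiped "$img"; then
        echo "after wipe: clean, safe to release"
    else
        echo "after wipe: DATA STILL PRESENT, do not release" >&2
    fi
    rm -f "$img"
fi
```

The point of `verify_wiped` checking for all-zero content, not just the absence of the marker, is that a wipe which dies part way (a bad sector, a disconnected USB enclosure, a typo in the device name) leaves most of the data in place while still passing a naive "is the marker gone" check; the release decision should depend on what the medium actually reads back, never on whether the wipe command was issued.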
Take it seriously, or this could be you.