Wednesday, September 03, 2008

How could this happen?

First off, this happened in the UK, but that doesn't mean the same oversight couldn't happen here in the US. The Royal Bank of Scotland said its archiving company, Graphic Data, sold a server on eBay that had not been cleaned of all data. It appears that a former employee (I don't know when they became "former" in relation to this problem) sold the server without authorization from the company. It held about 1 million records, including data such as account numbers, passwords, cell numbers and signatures.

While an investigation is under way, it appears the buyer, Andrew Chapman, may have been the one who disclosed the problem. He said he was appalled that this could happen. If he had planned to capitalize on a sale of the data, he likely wouldn't have commented, unless the employee had first raised his hand and admitted he made a mistake. We don't yet know all the details; they should come out in the government's investigation.

Banks have policies and procedures that deal with inactive accounts. The signature cards for those accounts are often separated out, the accounts are watched for activity as a security measure, and any transactions are verified. Shouldn't there be a similar process for old technology that is put on the shelf? Yes: there should be physical security, accountability for each device, and a set deadline by which its data is completely and thoroughly erased, and these steps should be written into the data protection procedures that all staff are trained on. This shouldn't happen, and banks should be proactive to ensure it doesn't.
