22 Apr 2008

Chocolate firewalls

Author: will | Filed under: 2008, 4ds, crime, data retention, electronic identity, identity theft, information loss, legal, security

“Was given chocolate. That’s a far better freebie than bloomin’ memory sticks!” — Jemima Kiss via Twitter.

[Image: College Green, Dublin (via Wikipedia)]

By now everyone has heard the old story about people giving up their passwords for chocolate, although Bruce Schneier has pointed out that he would gladly give a fake password for chocolate. That is a little better than losing a lot of information about your customers. Yes, I’m typing about Bank of Ireland.

This is an interesting problem for the Bank. In 2006 Bank of Ireland agreed to refund phishing losses suffered by customers of their internet banking service, and later updated their terms of service to include

13 Indemnity

13.2 Without prejudice to the generality of Clause 13.1 above, the Bank shall have no liability whatsoever in respect of any loss suffered by the Customer as a result of their breach of Clause 4 [jm: Security/Authentication] by way of knowingly, negligently or recklessly disclosing the Security Devices or any of them.

– via Justin Mason.

Richard Burrows, Governor of the Bank of Ireland, has declared on a news report that

  1. monies lost will be refunded and that
  2. the laptops were secured with a password.

However I reply

  1. What hoops do victims of this loss have to jump through? After all, some of the stolen information was not from BOI customers but from people who had approached the bank for a life assurance quote. Besides, the usual procedure is to open a new account somewhere or to get credit cards in the victim’s name, not to touch the victim’s bank accounts directly, ruining their credit rating in the process.
  2. This concerns the data, not the laptops. It’s possible that the OS requires a password to be provided; however, it is quite easy to remove a hard disk and attach it to a separate machine, completely bypassing any password requirements of the OS. The protection has to be on the disk itself: either encrypting the customer data on the disk (as happened in the IBTS incident) or making the entire disk an encrypted volume. The data was unencrypted.
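The distinction in point 2 (an OS login password versus encryption of the data at rest), as an added example that is not the bank’s or the author’s code: a Go program that holds constructed, fictitious customer records and writes them two ways, as the plain bytes an OS password leaves on the disk and as an AES-256-GCM blob under a key derived from a passphrase with PBKDF2-HMAC-SHA256. The PBKDF2 loop is written out here rather than taken from a library, and the names, addresses, account numbers and passphrase are all invented. A check over the raw bytes, the kind an auditor would run over a recovered disk image, shows a customer name readable in the first form and absent from the second.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for one life-assurance customer entry.
type Record struct {
	Name    string `json:"name"`
	Address string `json:"address"`
	Account string `json:"account"`
}

// SampleRecords returns constructed, fictitious customer data (assumption: not real people).
func SampleRecords() []Record {
	return []Record{
		{Name: "Aoife Example", Address: "1 College Green, Dublin 2", Account: "IE00-EXAMPLE-0001"},
		{Name: "Seán Sample", Address: "2 College Green, Dublin 2", Account: "IE00-EXAMPLE-0002"},
	}
}

// PlainBytes is what the records look like on an unencrypted disk: an OS login
// password does nothing to these bytes once the drive is moved to another machine.
func PlainBytes(recs []Record) []byte {
	b, _ := json.Marshal(recs)
	return b
}

// ContainsPlaintext is the audit check: do the raw bytes on the disk reveal a customer name?
func ContainsPlaintext(diskBytes []byte, needle string) bool {
	return bytes.Contains(diskBytes, []byte(needle))
}

const (
	saltLen    = 16
	nonceLen   = 12
	iterations = 100000 // PBKDF2 work factor; a real deployment would tune this
)

// pbkdf2SHA256 derives a 32-byte key with PBKDF2-HMAC-SHA256. Only one block is
// needed because the key length equals the SHA-256 output length.
func pbkdf2SHA256(passphrase string, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecords serialises the records and encrypts them with AES-256-GCM under a
// passphrase-derived key. Output layout: salt || nonce || ciphertext+tag.
func SealRecords(recs []Record, passphrase string) ([]byte, error) {
	plain := PlainBytes(recs)
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plain)+aead.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plain, nil), nil
}

// OpenRecords reverses SealRecords; a wrong passphrase or a tampered blob fails
// authentication and yields no records at all.
func OpenRecords(blob []byte, passphrase string) ([]Record, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered data")
	}
	var recs []Record
	if err := json.Unmarshal(plain, &recs); err != nil {
		return nil, err
	}
	return recs, nil
}

func main() {
	recs := SampleRecords()
	fmt.Println("plain disk reveals name:", ContainsPlaintext(PlainBytes(recs), "Aoife Example"))
	blob, err := SealRecords(recs, "constructed-passphrase")
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed disk reveals name:", ContainsPlaintext(blob, "Aoife Example"))
	back, err := OpenRecords(blob, "constructed-passphrase")
	fmt.Println("records recovered with passphrase:", len(back), err)
}
```

The point of the layout is that everything needed to decrypt except the passphrase travels with the blob, so a stolen disk holds salt, nonce and ciphertext and nothing else; the same would be true of a full-disk encrypted volume, which is the other option mentioned above.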

The information on the four BOI laptops contained the names, addresses, financial details and some medical records of its life assurance customers. Gosh, that is a goldmine of information for identity thieves, phishing operators and even the odd blackmailer (if the medical information reveals things). I’ve written about this before, and I don’t think things have gotten any better.

And it happened some time ago.

Bank of Ireland said the four laptops disappeared between June and October 2007 and contained the names, addresses, bank account details and medical histories of about 10,000 holders of the bank’s life insurance policies. Ireland’s second-largest bank made the admission after the chief regulator, Data Protection Commissioner Billy Hawkes, told Irish broadcasters RTE he had been informed of the lost customers’ data only last Friday.

via IHT

It’s the silence that is slightly worrying. The Irish Banking Federation hasn’t said anything. True, these were probably €900 laptops. But the information on them does open up the bank to potentially billions in damages; not that, given the statement by the Data Protection Commissioner, such punishment is likely to happen.

Now I’m hearing rumours that the banks are now encrypting customer data, but do you trust a bank with your data that can’t even link correctly to the page with the information about the incident on their own site? Hopefully someone will notice and correct things sooner than they noticed that the missing customer data might be important.

take care of your data,
Will

UPDATE – April 28 2008
Number affected by BoI laptop thefts trebles – “The technical investigation has identified that details relating to 31,500 policies, policy applications and a small number of mortgage customers were contained on the stolen laptops.” So the numbers are worse than previously announced, and not all of those at risk are customers of the BOI. If the Data Commissioner can’t deliver punishment via a 4×2 then his remit should be altered.


One Response to “Chocolate firewalls”

  1. Digital Rights Ireland » Lessons from Laptop Loss - the Bank of Ireland case and Mandatory Reporting of Data Loss Says:

    [...] of customers – instead it’s common to take out new credit cards or loans in those names, ruining the credit ratings of those customers in the process. How would Bank of Ireland monitoring their own accounts protect customers from fraud elsewhere? [...]
