Wednesday, August 27, 2008

Bank Details of 1 Million Customers Sold on eBay

Personal details of more than 1 million customers of Royal Bank of Scotland, American Express, and NatWest are found on a computer sold on auction site eBay.


Scenario:

1. Bank hired a 3rd party company to handle archiving.
2. The archiving company had an employee who apparently copied data onto a personal machine.
3. The individual sold the machine on eBay without cleaning the drive.

In the end, the bank is responsible, but the 3rd party company should be held accountable for permitting a user to copy the data. Still, the archiving company is clearly to blame, and I would assume that any costs of "repairing" this issue will be collected from the archiving company. The former employee of the archiving company is obviously the one who is most to blame and should be prosecuted for a criminal offense.

But ...

This brings up an interesting issue for eBay as well.

Should they allow computers with "full hard drives" to be sold on their site? Should they allow used hard drives to be sold? Or should they distribute a free tool to Mac and PC users that erases the drive? I could see this as a fairly easy thing to do; it would require an enclosure or a target disk mode. It would also be able to tell eBay if the drive was capable of being sold (i.e., an integrity test).

I once acquired some Apple laptops from Clemson University. None of the drives had been wiped and none of the information was password protected. The laptops contained current and past years' basketball recruiting information and lots of notes regarding players. I wiped the drives completely, removed the hard drives, and used them personally before selling them a few years later.

1 comment:

I am a lover of children's literature said...

This is a very scary thing indeed! If my bank details were ever published, someone, somewhere could steal all of my money in the bank. And I need my money - all four dollars of it!

Personally, I would never, ever sell a computer unless I either removed the drives or "ZEROED" the drive/drives in question!