
Bank Goofs, and Judge Orders Gmail Account Nuked 594

Posted by kdawson
from the oops-our-bad dept.
An anonymous reader writes "The Rocky Mountain Bank, based in Wyoming, accidentally sent confidential financial information to the wrong Gmail account. When Google refused to identify the innocent account owner's information, citing its privacy policy, the bank filed in Federal court to have the account deactivated and the user's information revealed. District Judge James Ware granted the bank's request, with the result that the user has had his email access cut off without any wrongdoing or knowledge of why." The Reg's earlier story says, "Rocky Mountain Bank had asked the court to keep its suit under seal, hoping to avoid panic among its customers and a 'surge of inquiry.' But obviously, this wasn't successful."

  • by Anonymous Coward on Saturday September 26, 2009 @05:48PM (#29550761)

    Quick! We need the normal lot of haters in here to spin this as Google being evil! Um... um... they... they host their services in a country that they very well know is subject to U.S. judges' decisions! Yeah! They should've known better! Obviously, Google is evil! TEH SIGNS ARE EVAREEWERE!

  • G-Mail? (Score:5, Insightful)

    by SeaFox (739806) on Saturday September 26, 2009 @05:49PM (#29550763)

    Why is the bank sending sensitive customer information to an email account hosted by a provider known for rifling through its users' emails for information?

    • Re:G-Mail? (Score:5, Insightful)

      by wizardforce (1005805) on Saturday September 26, 2009 @06:01PM (#29550883) Journal

      Why is the bank sending customer information through email at all? Why is the bank not encrypting all sensitive customer data? Answer: because they haven't been forced to do so. Everyone whose information was leaked to this account should sue them right into the ground. It's been far too long that banks carry little responsibility for other people's data and it's time they start.

      • Re:G-Mail? (Score:5, Interesting)

        by Anonymous Coward on Saturday September 26, 2009 @06:12PM (#29551009)
        I work as a supplier to the banking industry.

        I'll tell you why they do this, they are outright fucking dumb. That's basically it. If the IT guy knows about encryption, he has no power to make it happen, but most of the time he's barely able to type let alone do IT stuff.

        Banks just don't pay for shit unless you are a VP or own the place, so they get the crappiest IT help.

        "Due diligence" means "cover your ass", and has NO OTHER MEANING in the banking community. Everywhere else it means "make a good effort to do the best you can to the spirit of the task".

        Granted, this breach is considerably dumber than average, but of the banks I have worked with, every single one of them at one time or another had some sort of institutional problem understanding and implementing some of the most basic data safety measures.

        The Feds have been much more pushy about it recently, so it will improve. And a lot of the old guard is finally dying off, and you'll see bank leaders that have had more than "type this letter" (to the secretary) experience with computers.
        • Re:G-Mail? (Score:5, Insightful)

          by easyTree (1042254) on Saturday September 26, 2009 @06:41PM (#29551203)

          "Due diligence" means "cover your ass", and has NO OTHER MEANING in the banking community.

          Surely that doesn't need to be explicitly stated - after all this is the industry that has destroyed millions of family's lives whilst receiving payouts from governments and still paying their people massive bonuses. I guess they have the cream of the crop though, when it comes to staff skilled in screwing-over the ordinary person.

          • Re: (Score:2, Insightful)

            by easyTree (1042254)

            uhh, families' *

    • Re:G-Mail? (Score:4, Insightful)

      by mwvdlee (775178) on Saturday September 26, 2009 @06:02PM (#29550889) Homepage

      Why is the bank sending sensitive customer information to an email account?

      e-mail is an insecure protocol and they shouldn't be sending such data over SMTP even if the recipient address were correct.

    • Re:G-Mail? (Score:5, Informative)

      by FrozenGeek (1219968) on Saturday September 26, 2009 @06:04PM (#29550911)
      Because the customer in question gave the bank a gmail account and said "send me information via this email address". Do you really think that your ISP-based email address is any better than gmail? If so, could I interest you in some waterfront property in Florida? Seriously. Unless the contents of the email are encrypted before it is sent, assume the whole fricken' world (with lasers, even) has access to it.
      • Re:G-Mail? (Score:5, Informative)

        by SeaFox (739806) on Saturday September 26, 2009 @06:11PM (#29550999)

        Because the customer in question gave the bank a gmail account and said "send me information via this email address".

        The bank is worried about a panic amongest it's customer base. So they obviously sent information on a large number of their customers, that tells you the person requesting the info was not a bank customer but another financial institution or a company they contract with of some sort. These types of recipients are going to have their own domain names and mail servers running on them, so there's no reason the email should have been addressed to a gmail account to start with if it dealt with official business.

        • Re: (Score:3, Funny)

          by Nethead (1563)

          The bank is worried about a panic amongest [sic] it's customer base.

          Kind of late for that after this last year.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        If so, could I interest you in some waterfront property in Florida?

        Waterfront property in Florida is abundant. Florida is surrounded by water except on its northern state line, as well as being filled with lakes, marshes, and swampland. The saying is specifically "oceanfront property". The joke is, you say a landlocked state, such as... Arizona... and offer valuable "oceanfront property" there, because Arizona borders no ocean! Get it? It's a scam! You are supposed to know that Arizona has no ocean, just like you are supposed to know Florida is surrounded by water.

        Hey! There

  • by alex_guy_CA (748887) <.alex. .at. .schoenfeldt.com.> on Saturday September 26, 2009 @05:49PM (#29550765) Homepage
    If a bank did this to me I'd be all up in their butts with lawyers suing for damages.

    Also having a moment of gratitude that I don't use gmail.

    Also wondering if I can send someone I don't like sensitive email, and then have a judge erase their email account.

  • Sooo hang on... (Score:5, Insightful)

    by Anonymous Coward on Saturday September 26, 2009 @05:49PM (#29550767)

    ...if a judge in, say, Korea granted the same request to have a gmail account blocked, an innocent user in, say, Germany would lose his email...even if that email contained confidential and critical information to be used by its owner...this is quite pathetic and something should be put in place to stop these low level district judges making decisions that could affect users across the globe.

    • Re: (Score:3, Insightful)

      The answer is to not rely on Google for email.

      There's really no reason why a user in Germany should be relying on webmail from a company in the US, or some other place. The German user has a local ISP who can collect email on his behalf, and this ISP is only bound by German law. Moreover, there's no reason why the ISP should have control over the user's email archive, the user should download his messages and keep them on his own computer under lock and key.

      Problem solved.

      • Re: (Score:3, Insightful)

        by MartinSchou (1360093)

        The answer is to not rely on Google for email.

        I think you mean

        The answer is to not rely on anyone else for email.

        If the bank had asked your local ISP for the information identifying you, would they have waited for a court order before disclosing it, or would they have folded and just said 'here you go' to the bank? And if they waited for a court order, how the fuck would that be any different than what Google did? The judge would still be as stupid, the bank would be just as stupid, and the account would be

  • IMAP (Score:5, Insightful)

    by pushing-robot (1037830) on Saturday September 26, 2009 @05:53PM (#29550807)

    At least Google offers free POP and IMAP access, so it's trivial to back up your email locally. I'd still be pissed if something like this happened to me, but Google isn't to blame.

    • Re:IMAP (Score:5, Insightful)

      by Naturalis Philosopho (1160697) on Saturday September 26, 2009 @06:03PM (#29550909)
      You're right Google isn't to blame in this case. Not given the fact that the judge could have told the bank to suck it up, transfer the account to new numbers, and pay a fine to their customer for failing to live up to their security responsibilities. Instead he decided to punish the innocent people in this case. The bank screwed up, the bank should be held accountable. Anything less is yet another miscarriage of justice.
      • Most judges seem to be very uninformed about the ways of the web and emails. Most of them probably have secretaries who read their email, take printouts of non-spams and put them up in a regular bureaucratic binder tied with red tape. I wonder why Google did not use strong lawyers to explain to the judge, the bank screwed up. They should not be asking either Google or the account holder to suffer for the bank's mistake.
      • Re:IMAP (Score:5, Insightful)

        by easyTree (1042254) on Saturday September 26, 2009 @06:49PM (#29551263)

        Perhaps you've not realised yet but banks aren't held responsible for their actions....

  • Spam (Score:5, Interesting)

    by mwvdlee (775178) on Saturday September 26, 2009 @05:56PM (#29550827) Homepage

    If I get e-mails from banks that I have no relation with, it is usually spam and gets instantly deleted.

    Perhaps that's why the recipient of the bank's private data didn't respond to any of their e-mails.

    Also, why is a bank sending its customers' private information over an unsecure connection (e-mail)? Wouldn't the bank be violating security rules even if the e-mail address was correct?

    • Re:Spam (Score:5, Insightful)

      by BitterOak (537666) on Saturday September 26, 2009 @06:07PM (#29550951)

      If I get e-mails from banks that I have no relation with, it is usually spam and gets instantly deleted.

      Perhaps that's why the recipient of the bank's private data didn't respond to any of their e-mails.

      Or maybe the mailbox holder was simply on vacation? Is there a legal obligation to check your inbox on a regular basis? (There's a reason legal papers aren't sent by e-mail.)

    • Re: (Score:3, Insightful)

      by chrysrobyn (106763)
      Heck, it could be a gmailfs [wikipedia.org] user. They wouldn't even necessarily know they got the e-mail.
  • by BitterOak (537666) on Saturday September 26, 2009 @05:59PM (#29550855)
    Wouldn't this be like having a package wrongly delivered to your house (through no fault of your own: the sender had the wrong address), and since it contained highly confidential information, a judge ordered your house to be burned to the ground? (Okay, that's a bit extreme, but you get my point.)
    • by Anonymous Coward on Saturday September 26, 2009 @06:52PM (#29551287)

      Actually, your scenario kinda-sorta happened to the Mayor of Berwyn Maryland. A scam where drugs are shipped to a random (innocent) person, to be taken later from the porch by an accomplice. In this case, brain-dead police investigators and a swat team charged into the innocent man's house, shot his dogs, and arrested him, his wife, and his elderly mother. He still awaits even an apology for the horrifying incident. There is very little actual 'justice' in the justice system.

      http://www.washingtonpost.com/wp-dyn/content/article/2008/07/30/AR2008073003299.html

  • So... (Score:5, Interesting)

    by tnk1 (899206) on Saturday September 26, 2009 @05:59PM (#29550865)

    ...wait. I mean, the account holder at this point has probably seen and done any damage that they are going to do with this information. How precisely is this going to help the bank's cause?

    Of course, the account may be inactive and they may well have gotten to it before the person who owned it logged in again, but I do have to wonder why it is the recipient's problem that the bank sent this information. If the bank sent me that sort of information in the mail, does that mean that the county can order my house burned down to make sure I can't read that mail, even though I probably have already read it in full?

    These decisions make no sense to me sometimes and it scares me because for some things I use only one email account and if my contacts disappeared, I might not be able to find some of these people again easily. I guess it's time to start backing up all my account data to my home machine by default.

    This is yet another strike against "cloud computing" taking over. If they can order your account just plain zapped because a bank fucked up, I don't see how anyone's data is safe. At least if you had it stored at home or at work on your own machine, you'd at least know what the hell happened to it.

    • by cptdondo (59460)

      Well, the bank needs to launder some of the money it got from the feds. So it emails the "wrong" account, has the account nuked, owner of said account then sues bank for $500mil, bank settles for $499mil, and the lawyers, bankers and the "wronged" email account holder split the dough.

      Capiche?

    • by SeaFox (739806)

      ...wait. I mean, the account holder at this point has probably seen and done any damage that they are going to do with this information. How precisely is this going to help the bank's cause?

      They aren't trying to prevent the unintended recipient from seeing the info at this point, their plan was probably to remove the evidence and then play dumb if anyone had identity theft problems afterwards.

  • judge not... (Score:2, Interesting)

    by Anonymous Coward
    So why not post the judge's personal info: email, snail mail, phone, etc.?

    I'd imagine that a few months of being throttled to unusable status may make that judge rethink the decision.
  • Not a big surprise (Score:3, Informative)

    by Anonymous Coward on Saturday September 26, 2009 @06:03PM (#29550903)

    This decision was handed down by "Lying Judge" Ware. http://www.fa-ir.org/ai/judgeware.htm

    Talk about lifetime appointment gone haywire.

  • Why deactivated? (Score:5, Insightful)

    by FrozenGeek (1219968) on Saturday September 26, 2009 @06:12PM (#29551015)
    The bank requested the user's identity. Google refused to provide it. So then the bank goes to court not only to get the user's identity but to deactivate the user's account. I'm missing the logic. Okay, maybe the bank fears that enough time has passed that the user has seen the errant email and wants to prevent the user from misusing the information. Now, that might work if the user does not have a local copy of the email. On the other hand, if the user has a local copy and is now angry at the bank for having had their gmail account shut down, the user, who might otherwise have done nothing, now has both the means and the motive to do something. Good move. Wouldn't it have been possible for Google to contact the gmail user and ask him to delete any local copies? And Google, presumably, could have deleted the email from its own servers. I like Google's policy of protecting user identities. But this whole mess sounds like two bureaucrats blindly following policy to the detriment of the end-users. Can't anyone think anymore?
    • by Kohath (38547)

      Yours is one of the only thoughtful comments in this thread so far.

      I'm not sure what everyone here thinks should have happened in this case. Leaving the gmail account alone with 1300 bank records in it isn't the right answer. The bank had to go to court to get the email deleted. (Google can't just let anyone ask to delete an email from your email account, hence the need for the court action.)

      Closing the email account seems like overkill. But other than that, everyone else seems to have acted correctly a

      • by Baricom (763970) on Saturday September 26, 2009 @07:27PM (#29551549)

        Here's what Rocky Mountain Bank should have done. (I refuse to allow them to be anonymous because that's clearly what they want, and they should be held responsible for their mistake.)

        1. They should have e-mailed the 1,325 customers that had their data exposed.
        2. They should not have sued Google in an effort to get the e-mail deleted.
        3. They should not have tried to seal records in a lawsuit they filed to fix their mistake.
        4. They should have trained their employees to understand that recalling e-mails doesn't work more often than it does.

        Had they done this, this would not have been international news, and probably not even local news.

    • by Dhalka226 (559740) on Saturday September 26, 2009 @08:23PM (#29551931)

      The better question is this:

      How the hell did the bank even have standing to sue anybody? What wrong was done by anybody but them? How do you file, much less win, a lawsuit seeking to punish somebody who did nothing but receive an email you should never have been sending in the first place? How is it this man's legal responsibility to help them clean up their own fuck up, and how is it Google's legal responsibility to help the bank do so? What statute gives this judge the authority to destroy a third-party-to-a-fuck-up's email account because he didn't see fit to respond to an email he may not have even thought was legitimate? That's exactly what this ruling is saying; that this man somehow did something wrong by not helping the bank and he deserves to have his email account and potentially years of historical contacts lost.

      If I were this guy, I'd sue this bank for damages (and unfortunately, since I'm not even a party to the fucking lawsuit that unfairly harmed me I'd have to sue Google for an injunction against complying with the previous order). Big time. It's this kind of thing that makes me wish we could directly sue a judge for the idiocy of his decisions. Their total lack of accountability is reprehensible.

  • Truly great logic at work here. We screwed up, so nuke the presumed innocent user. Hell, if I was that guy and had gotten the file off before they killed my e-mail access I think I'd offer it up to Wikileaks in return for their heavy-handed treatment of me.
  • You know, if only the bank had included some serious sounding lawyerly language like, "This electronic communication is intended for our customer only. Severe legal action will be taken against unauthorized persons who receive this message and do not delete it immediately." That would have been enough right? Now all these lawyers who inflicted 25 line long legal boilerplate on every mail from corporations are high fiving in glee, laughing at the futile attempt of Rocky Mountain Bank trying to close (other p
  • by jayveekay (735967) on Saturday September 26, 2009 @06:34PM (#29551145)

    Presumably they need the user's identity because after step 1: Deactivate account, they need to proceed with step 2: Deactivate user (in case he read the email, he has confidential info in his brain.)

    Of course, if that user has communicated with anyone then they will need to be deactivated as well, and so on, and so on... All I know is in the future I'm autoforwarding all my emails from Rocky Mountain Bank to Rush Limbaugh! :)

  • First Amendment? (Score:3, Interesting)

    by srjh (1316705) on Saturday September 26, 2009 @06:36PM (#29551163)

    Not from the United States and not too familiar with the U.S. Constitution, but wouldn't this be a blatant violation of the first amendment?

    There is a clearly innocent party here who has had a primary communication medium forcibly disconnected. Not only can they not talk about this confidential material (which there may be an argument for preventing), but they can't talk to anyone about anything. That sounds like a massive violation of freedom of expression...

  • Hopefully the email recipient gets notice before they lose all of their email.

    And more hopefully, they find the offending message and forward it to the judge that made this ruling with a note akin to "Thank you for punishing me for having an email address. Here is the poison message, please order your accounts deactivated as well."

  • by MMC Monster (602931) on Saturday September 26, 2009 @08:37PM (#29552047)

    Who represented the rights of the user to the court?

    Was a public defendant even involved, or was no one assigned because there was no face to the account that was deleted?

  • by trawg (308495) on Saturday September 26, 2009 @09:29PM (#29552355) Homepage

    ...every few weeks. I have tried to contact the bank (Chase) to let them know that they're sending to the wrong account.

    They make it fucking impossible to contact them - UNLESS I log on with the account to do so (or call them, which I don't feel like doing because I don't live in the USA).

    Every couple weeks I reply to the email (even though it says "don't reply", it has a unique reply-to, so I hold out some hope that maybe someone keeps an eye on the occasional reply). This has been going on for months. Attempts to navigate the website to find a simple contact page appear to be futile - there /must/ be one (right?) but I can't find it at a glance, and how much time should I be investing in this, seriously?!

    I haven't looked at the emails closely because I don't care what's in them, but I'm sure there's some personal/confidential information in them - and if not, as the owner of the email address, I'm sure I could request some more stuff to get sent to me.

    I really want to fix this problem, rather than just hit 'spam' so gmail bins them all (which helps no one, I feel). But the bank has not taken this scenario into account adequately enough - and until they are forced to, they just won't bother.

    (Why do banks send emails at all? They should /only/ ever send emails to people that have opted in with a public key so they can be securely signed. Yes, that cuts out a lot of people, but seriously, the people that it cuts out will be better off for it.)
