Forgot your password?
typodupeerror
Privacy Security United Kingdom News Your Rights Online

Hundreds of Bank Account Details Left In London Pub 92

Posted by timothy
from the when-found-they-were-mumbling-and-bleary dept.
twoheadedboy writes "Another day, yet another data security failure. Two companies have been found in breach of the Data Protection Act after tens of thousands of tenants' details were left at a London pub, alongside 800 records with bank account details. A contractor who had stored data from two different companies on an unencrypted USB drive was responsible. We've all lost things on a night out, but rarely is it other people's banking information. The two firms involved have been told to get a grip on their security procedures, but they escaped a fine from the ICO."
This discussion has been archived. No new comments can be posted.

Hundreds of Bank Account Details Left In London Pub

Comments Filter:
  • Not even a fine? (Score:5, Insightful)

    by captainpanic (1173915) on Friday August 05, 2011 @05:30AM (#36994958)

    Companies are legal entities that can get away with far too much!

    The police can usually be quite creative when it comes to punishing people when they do something stupid on a night out. There are vague concepts like 'public disorder' or 'disturbing the peace' which allow them to lock up someone for at least a night. Can't they apply that to a company that gets drunk? Close it down for 12 hours until it's sober again?

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Companies are the sacred cows of capitalism. They create wealth. They run the economy. They are immortal. They can freely move across borders. They are untouchable.

      This is especially true in countries where the corporations and the governments are essentially the same.

      You and me, we're expendable. They aren't.

    • The ICO is useless (Score:5, Informative)

      by Heed00 (1473203) on Friday August 05, 2011 @05:59AM (#36995046)
      The ICO has failed time and time again to bring sanctions against infringers. Hell, BT tapped 100's of thousands of its customer's internet connections and never was sanctioned by the ICO or brought before a court to answer for its crimes. The ICO seems to take the attitude that the offenders just simply made a mistake and can't we just forget about it as we're sure they are sorry now -- they took action in just over 1% of cases and levied fines far less than that:

      ...the ICO acts on just 1.4% of data breaches and only fines 0.15% of offenders.

      http://www.techwatch.co.uk/2011/04/22/ico-penalises-less-than-1-of-security-breaches/ [techwatch.co.uk]

      • by Rich0 (548339)

        Yup, if everybody gets one free warning and the risk of prosecution is low to begin with, then there is virtually no incentive to not commit a crime.

    • by bkpark (1253468)

      Companies are legal entities that can get away with far too much!

      Really? Do you get caught and punished every time you do something bad? I've frankly sped (at 10, 20+ mph above posted limits) many times and done things that I'd be too embarrassed to admit on Slashdot. I've not been caught or punished for any of these transgressions. Yet.

      All persons (both real and legal) get away with a lot of things they do; after scaling for size and influence of each person, I don't think there's a preferential treatment

      • by Bert64 (520050) <bert@@@slashdot...firenzee...com> on Friday August 05, 2011 @06:32AM (#36995128) Homepage

        But the point is that if you were caught doing 10-20mph above the posted limit you would almost certainly be punished for doing so...
        Whereas many corporations are caught doing illegal things, and simply aren't punished at all.

        There's a difference between simply not being caught, and being caught but let off with little or no punishment. The fact we hear about something in the news means they've already been caught, how many other crimes go undetected?

        • by captainpanic (1173915) on Friday August 05, 2011 @07:21AM (#36995310)

          A 100 euro fine is normal for a person making a relatively minor mistake... like doing something stupid while drunk, or speeding 10-20 mph.
          100 euro is 0.25% of a regular annual income of 40000 euro/year...

          I'd like to see a big business take a fine of 0.25% of the revenue (revenue, not profit, obviously) for relatively small mistakes.
          Take British telecom (mentioned earlier in this thread) for example: A revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
          And that's for small mistakes.

          It would certainly bring an extra incentive to be careful.

          • by bkpark (1253468)

            Take British telecom (mentioned earlier in this thread) for example: A revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
            And that's for small mistakes.

            Revenue is the wrong number to use. Use the percentage of earnings (or, if not actual reported earnings, at a minimum, revenues minus expenses directly related to generating those revenues), which is more comparable to a person's salary. You should arrive at a figure in the millions or hundreds of th

            • Revenue is the wrong number to use. Use the percentage of earnings [...]

              You can argue that it must be paid from earnings (that's profit, isn't it?), or revenues minus expenses. Fair enough. But then we do that on both sides of the equation: We also calculate the percentage of a 100 euro fine compared to my annual savings.

              Companies can put a LOT of stuff on expenses. They can put new shiny offices, heating and electricity, transportation including business trips and team-building events, new furniture, and company dinners and even the investments and expansions on expenses.
              So, I

          • by Nimey (114278)

            Finland has an excellent law in this regard: fines are scaled in proportion to the perp's wealth. This means that an average person might pay (say) 25 euros for a moving violation, but a really rich person would pay tens of thousands.

            If the purpose of a fine is to dissuade people from doing something, then this is an excellent idea - a rich person would never notice 25 currency units, nor would a company.

          • by RockDoctor (15477)

            Take British telecom (mentioned earlier in this thread) for example: A revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
            And that's for small mistakes.

            By comparison, a couple of years ago when Shell Expro had a major gas leak in a production platform leg, killing two and putting several hundred at risk (if the gas had exploded, then one of the platform's three legs would have collapsed, dropping the whole platform into the sea in a matter of secon

      • by jhoegl (638955)
        Wow...
        I mean it is really obvious to your lopsided opinion on this, but I wonder if you really think that or not.
        The reality is that both entities, corporate and government are made up of people... people will do stupid things and probably at the same percentage or rate as both entities
        However, to read what you wrote, you tend to think that there are far more people doing stupid things in Government than business. Where do you get your opinion from? One can only guess, but it seems statistically flawed
        • by Calos (2281322)

          >> I mean it is really obvious to your lopsided opinion on this, but I wonder if you really think that or not.

          What does that even mean? What is really obvious?

          >> The reality is that both entities, corporate and government are made up of people... people will do stupid things and probably at the same percentage or rate as both entities

          I'd disagree. I have experience in both sectors, and from what I have seen... People in private entities are held more accountable for their actions. You can easily

    • The two firms involved have been told to get a grip on their security procedures

      If it happens again, they have to go see the headmaster. After that, it's a note to their mother. Then, things get really serious. Wet bus tickets will be involved.

    • The difference is that companies (especially large ones) have teams of lawyers to shoot down those charges, or at least stall them long enough to make it not worth the time, while an individual does not. Same thing applies to the rich.
  • by Anonymous Coward

    Why didnt they get a fine? The whole point of these acts is to stop this sort of thing happening so what is the exception? Lets see -

    "The device contained details of over 20,000 tenants of Lewisham Homes and 6,200 from Wandle Housing Association. Almost 800 of the records belonging to Lewisham Homes also contained tenants’ bank account details."

    So let 800 records that include customer bank accounts into the wild and no fine? But if I park my car on the street for an hour too long I get one. mmmm

    • by Dunbal (464142) *
      Not only did they not get a fine, the contractor's name hasn't even been published so we have no idea who it is. Lewisham Homes and Wandle Housing are the names of the companies whose client's data was leaked. But the name of the contractor responsible for the breach has not been released. So you could end up hiring/contracting this guy.
    • by xaxa (988988) on Friday August 05, 2011 @05:53AM (#36995020)

      The article says "The ICO will only enforce a monetary penalty when it believes there has been noticeable damage to affected parties."

      • The ICO is a toothless waste of tax-payers' money. They couldn't even be arsed to do anything about BT's use of Phorm.
        Fines should apply immediately (say £100 per breach), and quadrupled if the company did not disclose the breach itself. So in this case the contractor/councils should be staring down the barrel of a circa £2.6million fine. But they won't. All that will happen is that a few civil servants will be promoted, the council will mutter "lessons learned", the ICO will crow about monit

      • by Skapare (16644)

        So basically, there will be no incentive to prevent damages. And since the people who are damaged won't know who did it, it won't really ever come back to them. It sure sounds to me like the whole ICO is just a crock. My bet is they are all bribed.

  • more details (Score:5, Informative)

    by rbrausse (1319883) on Friday August 05, 2011 @05:32AM (#36994964)

    the BBC article has some more depth [bbc.co.uk] (and the site is _much_ faster...). the most interesting sentence is "The memory stick was handed into the police on the weekend of the 5th March and safely retrieved." (emphasis added)

    why took it 5 months to disclose the data breach?

    • this is normal in the case of data breaches. usually, an investigation is done to determine scope/size of privacy breach. and remember the sony "what outage" story from earlier this year.

      i'm mystified as to why the contractor in question isn't being named. that is an absolutely inexcusable lapse in judgment.
    • by Anonymous Coward

      why took it 5 months to disclose the data breach?

      Why took it 5 months? Speaking like Yoda we are, hrrmmmmm?

    • Probably because the ICO waited until the Silly Season before releasing the press release so that it got picked up by the news media. I doubt that any actual "investigative reporting" was involved.

  • From the article: "The two housing companies have agreed to ensure all portable devices are encrypted. Contractors, as well as other staff, will also have their personal data handling monitored."

    All they had to do was say they'd be more careful next time, and that was good enough? I almost feel safer hiding my money in a box under my bed at this point.
  • How in this day and age are companies still doing this? Are PHBs still demanding the company put everything in a single spreadsheet with no password?

    Do they just not know of Vista's BitLocker or Mac's FileVault?

    • by Pieroxy (222434)

      Do they just not know of Vista's BitLocker or Mac's FileVault?

      They probably run XP...

  • The drive should have been encrypted, but can't really blame the guy for being human. We've all told ourselves over and over again not to forget we just put a pizza in the oven and then 20 minutes later start to smell burning.
    • There's absolutely no excuse as to why the drive wasn't encrypted. I totally blame the guy for knowingly transferring other people's data onto an unencrypted drive. Losing it is understandable (and would be forgivable if he'd encrypted it).

      This is more like making a pizza with a dynamite topping and then leaving it in the oven too long (there's just no good reason to make a dynamite topped pizza).
  • We've all lost things on a night out

    No, we don't all.

    I wonder if the author is making excuses for what appears to be another incident stemming from Britain's wide-spread drinking problem. I can't think of any other country with as many stories of the form "restricted-access data from XXX was left in a pub by a contractor/employee with company/agency YYY". Maybe it's just that the British press covers this expecially aggressively, or maybe it's really that too many Brittons are foolish and irresponsible ab

    • by itsdapead (734413)

      I can't think of any other country with as many stories of the form "restricted-access data from XXX was left in a pub by a contractor/employee with company/agency YYY".

      I know its not exactly a USB stick with bank details, but other nationalities do quite famously leave things in bars [gizmodo.com] that they probably shouldn't.

      Maybe it's just that the British press covers this expecially aggressively,

      Ding!

    • by Teun (17872)
      An insightful observation, the average Brit can't handle alcohol and goes straight for abuse.

      Have a look in Amsterdam, when you see a drunk in broad daylight chances are nearly 100% he's a British 'tourist'.

      This point alone should be an incentive for companies that handle sensitive data to enforce a good and drunk-proof security.

      • Left in Pub does not mean left in Pub by Drunken contractor - probably went in for food at lunchtime, and left it behind, just like others have left them on trains, taxi's etc when not drunk ....Pubs in the UK are very often not just Bars, they are nearer Restaurants with a Bar ...

        There is a drinking culture in the UK, the problem is that the culture is to drink, without food, in order to get drunk, other countries drink as much, but with food (which lessens the effect), and consider being drunk to be ill

        • by pz (113803)

          Exactly. "Pub" is short for "public house" which explains why they feel like someone's livingroom. That's the whole idea, and part of the culture: rather than sitting in your home alone during the evening, you can pop down to the pub and hang out with your friends in essentially the same atmosphere. Local pubs are one of the things that make travelling through the English countryside such a joy! I used to fly through London a fair bit and often would schedule a long stop-over so that I could pop in to t

    • by julesh (229690)

      Britain doesn't have a drinking problem, at least not to the extent that our media would have you believe. It's been hyped out of proportion on the back of badly designed government statistics, which reveal that large numbers of people regularly binge drink. At least, they do if you define "binge drink" as "drink more than the daily recommended alcohol allowance in a day", where the daily recommended alcohol allowance is 3 units for women or 4 for men (i.e. 2 pints of any reasonably strong lager is "binge

      • by MoonBuggy (611105)

        It's actually defined as more than twice the daily limit, but the rest of your point still stands.

  • We've all lost things on a night out

    $ mv virginity /mnt/usb/

  • by SeaFox (739806) on Friday August 05, 2011 @07:34AM (#36995346)

    Lose a prototype iPhone?
    Men come busting in to search the apartment of the guy who buys it.

    Lose a USB drive with 800 banking records?
    A stern talking-to, but no fine.

    • One was the secret property of our corporate gadget-overlords, the other mere bank-account-info of faceless people. To hell with those!
    • by Threni (635302)

      Being involved with the sale of stolen property is a crime. Losing a USB key isn't.

      • by biodata (1981610)
        There is something called the data protection act that requires organisations which handle the private data of individuals to, like, protect it. We are all getting too used to the idea that when we give our personal data to a company, they somehow own it. They do not, and this is very clear in law, wherever sensible data protection legislation is in place.
    • by Syberz (1170343)
      It's not as bad as you make it sound, I'm pretty sure there was finger pointing and the culprits had to "promise not to do it again" as well.
    • Another difference: losing a USB stick doesn't usually involve claiming "I COMMITTED A FELONY!" on a very widely read blog. Do not taunt Happy Fun Police Officer.

    • by Cederic (9623)

      Lose a prototype iPhone: Get into shit at work
      Lose a USB drive with 800 banking records: Get into shit at work
      Sell someone else's property: Get investigated for receiving stolen goods, money laundering, etc.
      Hand in USB drive found in pub to police: Get thanked.

      I'm not seeing any major issues here.

      • by AmiMoJo (196126)

        The responsible course of action would be to anonymously post the data to Pastebin. Failure to do so will only result in the company in question getting off with little more than letter from the ICO.

        Until there is an effective system in place to punish this sort of thing we are going to have to do it ourselves, and civil disobedience is justified. We have exactly the same problem with protests - they are utterly ignored until they turn violent for a sustained period. 2 million marched against invading Iraq

  • I was wondering were I left those. If you just pass them along I would appreciate it. Please send to totallystoked@goingtodosomethingeviltoday.com

  • What the hell was a CONTRACTOR doing wandering around with unencrypted BANKING information from TWO DIFFERENT companies?

    • by Cederic (9623)

      Welcome to the world of contracting, where you charge a high daily rate because you "get things done".

      What you don't mention is that you get things done because you ignore all of the regulations, internal policies and procedures and other mechanisms designed to keep companies operating within the law and looking after their customers' data properly.

      Sometimes you fuck up and get asked to leave your current contract - but don't worry, there'll be another one available within a week or two.

      And contractors wond

  • Our Mission Statement:

    - encryption is obsolete and unnecessary
    - carry all client data in easily deposited usb drives for convenience
    - go for a pint in the pub daily

    • by biodata (1981610)
      Was just going to ask if this is the real company name then thought better. Honestly though, who was it? Someone must know.
  • ...when you have employees like them?
    • by u38cg (607297)
      "Any attack that can be carried out by an outsider, can be carried out by an insider".
  • Who the hell brings tens of thousands of case details with them on a USB stick when they go to the pub? Taking a bit of work home over the weekend? Surely you would just access it on the employers VPN in that case?

    The only plausible reason I can think of is that the person meant to give or sell it to someone who wasn't allowed to access it.

  • "We do like our binge drinking" -- Maurice Moss
  • Is to leave all secret documents all over the place, so eventually people get tired of reading all the stuff and leave it alone.

Slowly and surely the unix crept up on the Nintendo user ...

Working...