
Is Your Banking Information Accidentally On Ebay? 205

GraWil writes "The Toronto Star is reporting how two Bank of Montreal computers containing thousands of sensitive customer files were sold to a student who fixes up machines and then resells them on eBay. It seems that the company responsible for scrubbing the disks (Rider Computer Services Ltd.) misfiled the machines in their warehouse and it was assumed they had been erased." It's not the first time this sort of thing has happened.
  • My take (Score:3, Insightful)

    by Matrix2110 ( 190829 ) * on Tuesday September 16, 2003 @05:12AM (#6973451) Journal
    My take on the whole issue is that somebody caught it and went public with the information soon enough to prevent damage.

    Let's hear it for the unsung heroes in life.

  • I don't get it.. (Score:5, Insightful)

    by Heartz ( 562803 ) on Tuesday September 16, 2003 @05:15AM (#6973462) Homepage
    But why don't banks just destroy the Hard Disks before selling off the Machines? No matter how much one scrubs off a HDD there's always the risk of exposure of private details of clients.

    They should just get rid of it and save us all a lot of headaches while recouping some money from the second hand machine.

    • Re:I don't get it.. (Score:4, Interesting)

      by Rogerborg ( 306625 ) on Tuesday September 16, 2003 @06:04AM (#6973623) Homepage

      Point at the person whose job description says that they are responsible for ensuring that physical hard drives don't leave the bank's premises.

      Easy, it's the IT director. Um, except that because it's physical, perhaps it's the non-IT security director. Maybe it's the branch manager. Possibly it's none of the above. Possibly it's all of them.

      See the problem?

      • by gl4ss ( 559668 ) on Tuesday September 16, 2003 @06:09AM (#6973635) Homepage Journal
        most countries' armies don't have such a problem of making sure of it (that hard drives don't leave the place, even if other computer scrap leaves).

        heck, everyone should make sure of it.

        it's not like you can set the company premises on fire even if you're not the one set to the ceremonial position of "the one who does not set the premises on fire".

        anyways.. they outsourced that problem to somebody who was willing to say to them (bank) that they're clean.

        • most countries' armies don't have such a problem of making sure of it (that hard drives don't leave the place, even if other computer scrap leaves).

          Militaries are a lot more disciplined than banks.

      • Point at the person whose job description says that they are responsible for ensuring that physical hard drives don't leave the bank's premises.

        Precisely how it would be done. The CEO points at someone, and says "It is now your responsibility to ensure physical hard drives don't leave."

        Either the IT director or the security director would be a reasonable person to whom to assign the task. Presumably there's already someone responsible for physical security of data--it should already be in someone

      • It's MY job! (Score:3, Interesting)

        by MarcQuadra ( 129430 ) *
        And I get paid under $20K/year to wipe the drives for a major U.S. bank. The guy before me let hundreds of machines full of customer and bank info out to various schools, when I found out I had to travel all over the state wiping out computers, but who knows what made it out before I got to them.

        When it boils down to it, these are ancient machines (mostly P166s) and wiping a drive takes HOURS on them, and it ain't pretty work, it's dirty warehouse work and lots of heavy lifting. Nobody wants to pay profess
    • Re:I don't get it.. (Score:3, Interesting)

      by TheMidget ( 512188 )
      But why don't banks just destroy the Hard Disks before selling off the Machines?

      And more importantly, why does the bank trust a third party (Ecosys) with the "scrubbing", rather than doing it themselves?

      My take on this is that even if the procedure had said "destroy hard drives", the actual work of removing the hard drives and destroying them would still have been subcontracted, and the same "warehouse" error might still have occurred ("is this a machine which still has its original drives, or is it one wh

      • by Pig Hogger ( 10379 )
        And more importantly, why does the bank trust a third party (Ecosys) with the scrubbing, rather than doing it themselves?
        Because some fucking asshole with an MBA on the wall figured it would be cheaper than doing it in-house.
    • Re:I don't get it.. (Score:3, Interesting)

      by budgenator ( 254554 )
      No it seems to be plain old piss poor procedures to me, it's not that hard to fix either. The machine is physical so someone has to physically remove it from the bank branch/dept;

      1 so that person unplugs the ethernet, pops in a linux cd, turns on the computer, boots into linux and shreds all of the hard drives on the machine.

      2 turns off the machine, and signs a line on the form that the machine has been shredded; and witnessed by the branch/dept manager. Places a sticker on the machine that states it is
    • Why don't they just destroy the disks? Mmm, yeah after all destroying a HD is pretty easy, screw it open and shred the platters. I found out a few years ago that my laptop drive contains GLASS platters. Well I say platters, mine contained shards but I presume they once were platters.

      Anyway so why don't banks do it? I think they may walk into a whole mess of employment rules. You see you need proper equipment, proper safety equipment, proper environmental protection. Banks just ain't equipped to handle this.

  • by Rhinobird ( 151521 ) on Tuesday September 16, 2003 @05:15AM (#6973465) Homepage
    My bank is my mattress and if it starts talking, then I have other issues to deal with.
  • by Ckwop ( 707653 ) on Tuesday September 16, 2003 @05:16AM (#6973473) Homepage
    Personally, I think that any hard-drive that has been used for that purpose should be securely destroyed instead of being sold. Simon.
    • Are you implying that banks aren't out to make money, at any and all costs...? Shock! Awe!
    • Well, seeing how subcontractors bill, physically removing and destroying the disk would require a 'break-fix' technician and they typically cost oodles more than 'lackey with a wipe-disk' technicians. The supply/purchasing arms of a bank are typically not well-endowed and are often staffed by 'newbies' to the bank, because it's easy work, they're not going to pay several times more than they already do for secure data destruction.

      I know, I suggested it to the client where I was the 'wipe-disk lackey' and h
  • Physical shredding (Score:4, Interesting)

    by khaine ( 260889 ) on Tuesday September 16, 2003 @05:17AM (#6973475)
    Personally I have always been a big fan of physically shredding hard drives which have contained sensitive data. Although the risks associated with re-assembling and recovering wiped data from, say, a RAID 0+1 array are pretty minute, the cost in terms of loss of corporate image outweighs the few hundred bucks made by trading in used disks.
    • As appealing as physical destruction of an HD is, it is not a wise course of action. As with most electronics, HDs contain lead, glass fibers in the circuitboard, and caustic chemicals in the electrolytic capacitors. And I have no idea of the potential toxicity of the materials coating the platters or used in the rare earth magnets in the actuators and motor.

      Turning data into dust creates an environmental hazard. Therefore, it's better to send old electronics to an institution that has the tools and pr
    • I have always been a big fan of physically shredding hard drives which have contained sensitive data

      What's the bit density of a modern hard drive?
  • PR Shills (Score:5, Insightful)

    by CaptainZapp ( 182233 ) * on Tuesday September 16, 2003 @05:21AM (#6973492) Homepage
    "Our number one priority as an organization is the protection of customer information," said Dina Palozzi, chief privacy officer for the bank, which swiftly seized the computers' hard drives on Saturday afternoon within 24 hours of learning their whereabouts. "This kind of issue we take very, very seriously."

    Don't you just love it? If protection of customer information indeed is your number one priority then why the fsck don't you have procedures in place, which make such a blunder outright impossible? And if you do have such procedures in place why don't you enforce them?

    Are those PR liars (and what else could such a "chief privacy officer" making such an outrageous statement actually be?) all cranked out by the Forked Tongue Institute for Marketing & PR, or what?

    • Re:PR Shills (Score:3, Informative)

      by larien ( 5608 )
      Er, they sent the systems to a company which was supposed to blank the disks but didn't. The data clearing company failed to do their job not the bank.
      • Even then (Score:5, Informative)

        by CaptainZapp ( 182233 ) * on Tuesday September 16, 2003 @06:48AM (#6973792) Homepage
        I worked for a bank for a few years (in a country far away, where they have numbered accounts and you're actually looking at jail time for revealing customer data) and something like this was just unheard of.

        The absolute main security issue was customer data. Not that they would have fancied embezzlement or theft but this was looked upon far less serious than compromising customer data, period.

        In the data centers (which you had to physically access in order to query real customer data, save for the front office and also there it was very restricted what you could look at) you had to go through multiple layers of security and were not permitted to even remove a printout.

        Computers were dismantled and disks shredded, they were never for resale. This was applicable for every last computer from every last branch and office.

        Now, I agree shit happens. Probably in their case it started with outsourcing such a critical task to "ACMEs chep disk blanking operation" in order to save a few bucks. This is not really excusable, but it happens.

        But what really gets my blood boiling are statements like the one from that PR bimbo, which are just utter bullshit.

        Maybe she should apply for a job at Microsoft to sell "trustworthy computing".

      • Er, they sent the systems to a company which was supposed to blank the disks but didn't. The data clearing company failed to do their job not the bank.

        Excuuuuuse me, but just because they outsourced the job to some other company does NOT excuse the bank from their responsibility. If the customer data is with the bank, it (destruction) is the bank's responsibility, irrespective of how they go about doing it (i.e. by outsourcing it or doing it inhouse).

      • Er, they sent the systems to a company which was supposed to blank the disks but didn't. The data clearing company failed to do their job not the bank.

        Sending the systems to someone else before they are cleaned up is not the act of a company whose first priority is privacy. It is the act of a company whose first priority is saving a few pennies.

        So the bank failed to do their job, and then the people they paid to do the job for them failed.

      • Looks like they outsourced the job to someone with different priorities.

        Which is yet another reason why I think this outsourcing thing is overrated.

        Outsourcing is just an excuse for management to sack people, temporarily cut costs, blame the resulting crappy service on "transitionary period", use the savings to pay themselves big bonuses, complete contract, leave to slash and burn another company.
    • Re:PR Shills (Score:4, Insightful)

      by Rogerborg ( 306625 ) on Tuesday September 16, 2003 @06:07AM (#6973630) Homepage
      Never mind, they can console themselves with the thought that despite bungling their number one priority, they still managed to hit their number two goal, which is to turn a metric assload of other people's money into an assload and a half simply by shuffling it around.
    • If a company outsources something it either means:
      1) It's not important to the company.
      2) The company is in the wrong business.

      No matter what they _say_ or even think their priorities are.
    • Are those PR liars (and what else could such a "chief privacy officer" making such an outrageous statement actually be?) all cranked out by the Forked Tongue Institute for Marketing & PR, or what?

      Canadian companies larger than about 20 or 30 people are required by law to have a privacy officer. Thus calling the title PR-driven is at least somewhat mistaken.

      -Rob
  • Encrypted HDs (Score:5, Interesting)

    by G4from128k ( 686170 ) on Tuesday September 16, 2003 @05:31AM (#6973513)
    Seems like this event makes the case for encrypted HDs -- schemes that render data unretrievable without the proper passwords/biometric signatures/magic hardware dongles. The idea that all our personal records are stored in clear text on thousands of HDs and backup tapes at a myriad of institutions is not too pleasant.

    As a purchaser/fixer/collector of old computers, I have seen many a file that some prior owner would probably have preferred I not. Although I, personally, have seen nothing of a criminal nature (or of a nature that would allow me to perpetrate a crime) I know others who have found strange files on old computers. Psychotic diary entries that advocated violence, financial records, proprietary engineering data, etc. all have an odd way of being left on HDs of obsolete machines. If an old machine stops working, few people make the effort to fix it in order to erase data. Systems that automatically make the data inaccessible in all but valid/authorized machine states would ensure the protection of the data.

    Although any encryption system can be broken, by social engineering at the very least, it would be better if there were at least some barriers between sensitive data and potentially prying eyes.
    • I wonder how hard/expensive it would be to integrate a low-grade encryption layer at the IDE-controller level?
      • Re:Encrypted HDs (Score:3, Informative)

        by Rogerborg ( 306625 )

        Most 2.5" HDDs plus 3.5" IBM Deskstars (and perhaps others) support ATAPI passwords. The password is written to the platter, and if it's there, the only thing the controller will respond to is the password. You can't talk to it at all in a system that doesn't know about ATAPI passwords. The only solution (that I know of) is to use a custom controller to access the platter, which is beyond the means of casual or even semi-pro Bad Men.

        See this previous Ask Slashdot [slashdot.org] for more.

    • Re:Encrypted HDs (Score:5, Interesting)

      by oolon ( 43347 ) on Tuesday September 16, 2003 @05:54AM (#6973588)
      Old hard disks are not worth THAT much compared to the risk involved, rip out the disks and Crush them, then sell on what's left of the machine. This is what the nuclear industry (here in the UK) has done for years. It's all standard practise for sensitive military work.

      This is the only way to be sure, it's not worth paying 100 Bucks (just a guess) for a disk with encryption only to get 10 Bucks a disk on resale!

      James

      • Crushing may not be enough to prevent data recovery. To truly prevent data recovery you have to change the structure of the metal itself. Usually the easiest way to do this is with an acyteline (surely spelled wrong) torch that is used to heat the platters white hot. This will actually physically change the molecular structure of the platter, and prevents any form of data recovery. After this they are then sent directly to a recycling company that will slag them. I have a sample platter that went through t
    • I once picked up a PC from a council tip (dump) and that contained full patient record, drug charts, names, addresses, even patient photographs. It was from a local mental institution apparently. In order to prevent this material becoming public they had taken the well thought out step of unplugging the IDE cable. Marvellous. That got formatted and ended up on Ebay. Seems the person responsible was doubly stupid as it seems he was throwing away a high end P2 (this was a fair few years back folks) because th
    • nope, as has been pointed out numerous times, the company's IS security people just need to do their job properly. wipe them if they're penny-pinching enough to want to sell the old drives. start encrypting drives and you'll have several problems:

      support/maintenance will become nightmarish very quickly. even if you can get hardware encryption on, say, a RAID array it won't be easy to look after. likewise, people WILL lose their keys. also, you're assuming that encrypted hard disks exist that don't have

      • you're assuming that encrypted hard disks exist that don't have master keys in escrow with large governmental agencies.

        And don't you think that if the hard disk manufacturers have gotten onboard the conspiracy bandwagon, the banks were already there to greet them?

        Really. If the Three-Letter-Agencies are anywhere near as malicious as the conspiracy people suggest them to be, they have a little thing called priorities, and already have things very well in hand.

        Not that I really believe any of that crap. I
    • Psychotic diary entries that advocated violence, financial records, proprietary engineering data, etc.

      I know Slashdot is somewhat biased, but is it really fair to say that someone who advocates proprietary engineering data is PSYCHOTIC?
  • by m_dob ( 639585 ) on Tuesday September 16, 2003 @05:32AM (#6973519) Homepage
    A nice old lady I know who was in Britain's MI5 realised after throwing away her computer that it was not wise to leave a hard drive full of sensitive information. She and her son then drove back to the rubbish dump and pelted the hard drive with bricks until it gave in.
  • A few notes (Score:4, Interesting)

    by Anonymous Coward on Tuesday September 16, 2003 @05:34AM (#6973524)
    While it's fine to scrub hard disk clean of their data when they are working fine, what do you do when the hard disk has bad sectors?
    That happened to me 2 years back. A Maxtor HDD went bad. Sent it back to Maxtor, got another one. The replacement turned out to be bad too.
    Had to send that one back and got the 3rd HDD.
    There was a lot of data on the 1st HDD I sent back to Maxtor.

    I checked the Maxtor website for any statements as to what they do with their data but couldn't find anything.

    Many people (unless they have 2 computers and know how to deal with IDE pins) will just send the disk to their manufacturers, whether it contains data or not. Scrubbing a disk clean with bad sectors requires you to isolate the bad sectors by partitioning.
    • Re:A few notes (Score:3, Interesting)

      by zakezuke ( 229119 )
      Assuming I was interested in "security", and needed to wipe non-functional drives, I would either

      1. Use a strong magnetic field and zap the data [hence zapping the data but still able to return to the maker for replacement]
      or
      2. Disassemble the drive and use the platters as coasters.

      Other people use a slightly more brutish technique and drill a hole directly through the unit, but to be honest, without an erase the data still might be recovered. Why anyone would bother is beyond me, but it's possible.

      ---
    • Or an industrial magnet.
  • by Lumpy ( 12016 ) on Tuesday September 16, 2003 @05:34AM (#6973525) Homepage
    First off unless the entire IT department of the bank are complete morons, most financial data is NOT kept on local machines but the file server and the main database machines.

    I know that the caches and things MAY hold some sensitive data but it's highly unlikely.

    Unless the person that used that PC in the bank was also an incompetent boob and say saved a spreadsheet of 200 credit card numbers and information in the local drive (why the hell are you making an insecure document like that?) it's only a mild security breach.

    It shakes the confidence of the customers more than anything else.

    • He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new.

      kinda sounds like servers to me, IT fucked up by allowing them out the door un-shredded whether it was policy or not.
    • Procedure for all files on servers at bank I work at (for remote offices, like 'government banking'):

      copy them to local drive, edit, copy back.

      this reduces load on the frame-relays at the remote office.
  • by ideatrack ( 702667 ) on Tuesday September 16, 2003 @05:36AM (#6973533)
    So this kid buys and repairs machines, but didn't even turn the machine on until long after he'd put it up for sale?

    Wow I wish I was as efficient as him...
  • by yuri ( 22724 ) on Tuesday September 16, 2003 @05:39AM (#6973543)
    That's outrageous, now they have my passwords as well.

    What you guys don't use your social security and bank account numbers as passwords?
  • Well. (Score:2, Interesting)

    by wirah ( 707347 )
    Most companies whose machines hold sensitive data do retain/destroy the hard drives. You can find plenty of machines on ebay, sold stating 'without hard drive' or 'just requires hard drive'.

    If it was law, rather than just good practice, maybe we'd feel a lot safer.
  • by twilight30 ( 84644 ) on Tuesday September 16, 2003 @05:42AM (#6973559) Homepage
    If you look at the article no one appears willing to take the blame for it, from the bank itself to its two subcontractors tasked with verifying that data is indeed gone from hard drives.

    I find it appalling that the 'computer security team' sent to this guy's house were told to 'seize' the drives when clearly he was doing them a favour. Though they thanked him later and gave him replacement (presumably blank) drives, fuckups like these should have proper ramifications. Along the lines of dismissals.

    Figures it was the Bank of Montreal. Those idiots can't do anything right, from paying their then-CEO too much [222youth.com] to stupid online banking [mbanx.com] to hypocritical ad campaigns in 1996 [uwaterloo.ca]. Losers!

    In Googling I came across this [inkindcanada.ca], which lists voluntary sector computing activities in Canada supported by the banks. Just think what interesting fundraising activities could have been made possible by this kind of donation...
    • ... is that when a person or organization is wrong, and defends itself, or passes the buck, or excuses itself, or goes on the counterattack, or even if their face locks up in a mask to hide their true feelings, then you know that they have not learned their lesson, and the error/offense is going to happen again.
    • I was outraged when I saw how much they get paid! Then I remembered it's Canadian Dollars, so it's not that bad. ;)
  • by Loosewire ( 628916 ) * on Tuesday September 16, 2003 @05:46AM (#6973568) Homepage Journal
    Of course not - i put it there
  • Often people who steal computers are much more interested in the data than the hardware. Probably because it is a lot more complicated to track data theft than following the physical trail of stolen hardware.
  • drive erasure (Score:5, Interesting)

    by ajs318 ( 655362 ) <sd_resp2@earthsho[ ]o.uk ['d.c' in gap]> on Tuesday September 16, 2003 @06:38AM (#6973761)
    Physical destruction of used disk drives is not necessary and could in fact engender a false sense of security. Think about it ..... a "secure disposal company" could bake a drive at curie temperature for 24 hours in an alternating magnetic field of varying frequency, strap a hand-grenade to it and drop it down a disused mineshaft, but how can you be sure it's the same drive, or that they haven't made a backup of its contents? If you wanted to get hold of stuff people wanted rid of, what would be a better front for getting it?

    Overwriting the drive using software is more verifiable. You de-network the machine, boot it up from a CD, and can analyse the drive contents before starting a wipe cycle. You switch off and back on to prove there is no cheating. Then you can analyse the drive contents again and be sure they are different. The drive never left the machine, but you can be sure the data left the drive.

    Whatever anyone may say, remember these "secure disposal companies" are after your money and don't mind playing on your most groundless fears to get hold of it ..... there are a lot of things they thought were impossible ..... what if someone finds a way ..... Hell, sooner or later someone is going to come up with a scheme for disposing of the air from meeting rooms where secret conversations have been held. The simple scientific fact is that it takes only one overwrite cycle to make data unreadable. You can prove this to yourself using a disk sector editor, but it should be obvious anyway. If the drive could tell a "1 that used to be a 0" from a "1 that has always been a 1", or a "0 that has always been a 0" from a "0 that used to be a 1" with any degree of reliability, someone would already have used that as a capacity-doubling mechanism! It's possible that there might be some difference detectable with a sensitive analogue circuit, since there is a hysteresis loop and there really are the four states I described above. Two overwrites of opposite polarity will force the magnetic media into a known state. Even so, just one overwrite will give someone a massive headache trying to recover the data, because the "used-to-be" data has an inherently high error rate. It's already hard to tell "X that used to be !X" from "X that always has been X" and if the overwriting data is random enough, then it's hard to work out what was ever meant to be what.

    dd if=/dev/audio of=/dev/hda might conceivably do a good job on a used drive, if you make sure the gain is turned up nice and high and there is nothing plugged into the sound card. Filtered static and power hum are the nearest you're going to get to true randomness.

    My drives are invariably thrashed for as long as they work, then get the magnets removed for use in experiments {and wiped a few times across the platters for good measure}.
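
The check-wipe-check procedure in the post above, and the sign-off step in budgenator's earlier list, as an added example that is not part of the original thread. It assumes a constructed image file standing in for the drive, a made-up `ACCT-` record marker, and a keyed SHAKE-256 stream as the overwrite data (a substitute chosen here, not the `/dev/audio` source the post mentions), so that verification can be repeated later from the key alone.

```python
import hashlib
import os
import secrets
import tempfile

BLOCK = 1 << 16  # bytes per write; the last block may be shorter


def stream_block(key, index, length):
    """Pseudorandom bytes for block `index`, reproducible from `key` alone."""
    return hashlib.shake_256(key + index.to_bytes(8, "big")).digest(length)


def target_size(path):
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)  # works for files and Linux block devices


def count_marker(path, marker):
    """'Analyse the contents': count a known plaintext marker on the target."""
    hits, tail = 0, b""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            data = tail + chunk
            hits += data.count(marker)
            # keep len(marker)-1 bytes so a marker split across reads is seen
            tail = data[len(data) - (len(marker) - 1):]
    return hits


def overwrite(path, key):
    """Overwrite every byte of `path` with the keyed stream. DESTROYS the data."""
    size = target_size(path)
    with open(path, "r+b") as f:
        offset = index = 0
        while offset < size:
            n = min(BLOCK, size - offset)
            f.write(stream_block(key, index, n))
            offset, index = offset + n, index + 1
        f.flush()
        os.fsync(f.fileno())  # push the data out of the OS cache to the device
    return size


def verify(path, key):
    """Return the offset of the first byte that is not wipe data, or None.

    On real hardware run this after a power cycle, as the post suggests, so
    the reads come from the media and not from a cache.
    """
    size = target_size(path)
    with open(path, "rb") as f:
        offset = index = 0
        while offset < size:
            n = min(BLOCK, size - offset)
            got, want = f.read(n), stream_block(key, index, n)
            if got != want:
                pairs = enumerate(zip(got, want))
                diff = next((i for i, (a, b) in pairs if a != b), len(got))
                return offset + diff
            offset, index = offset + n, index + 1
    return None


def build_sample_image(path, records=2000):
    """Constructed stand-in for a decommissioned drive (no real data)."""
    with open(path, "wb") as f:
        for i in range(records):
            f.write(b"ACCT-%08d;NAME=Sample Customer;BAL=100.00\n" % i)


def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_sample_image(img)
        record = {"markers_before": count_marker(img, b"ACCT-")}
        key = secrets.token_bytes(32)
        record["size"] = overwrite(img, key)
        record["key_fingerprint"] = hashlib.sha256(key).hexdigest()[:16]
        record["markers_after"] = count_marker(img, b"ACCT-")
        record["first_bad_offset_clean"] = verify(img, key)
        # Failure mode: a region the wipe never reached still holds old data.
        with open(img, "r+b") as f:
            f.seek(70000)
            f.write(b"ACCT-00000042")
        record["first_bad_offset_missed"] = verify(img, key)
        record["markers_missed"] = count_marker(img, b"ACCT-")
        return record


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The returned record (size, key fingerprint, marker counts, first bad offset) is the kind of evidence that can go on the signed form; it covers only sectors the operating system can address.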
    • Sorry, you are all wrong...
      a) you have disks silent errors (because error-correcting codes corrected them) that will copy sector data to a reserve sector without notice, that makes your old data inaccessible at software level but readable at controller level
      b) you can use high resolution magnetic imagery to recover several rewrites of the same track
      c) in my books, a hum is very far from random, it's predictable !!!

      Physical destruction is the only reasonably secure solution.

      • The magazine CT made a test using different wipes:
        1. Overwrite with zeros
        2. overwrite with random zero/one
        3. 5 passes of random overwrite.

        Then they were sent to leading data recovery firms. They couldn't even rescue data from the first disk.

        • Well that depends on your budget.

          I recommend sanitization by melting HDDs into a molten puddle of metal with a blowtorch or some other high temperature (if you're in Hawaii chuck HDD into lava - but make sure it ends up in the lava, and you don't get charcoaled ;) ), if anyone can recover data from that it'll be worth watching.

          Sure simple overwriting may not be recoverable with a budget of up to USD10K. Or maybe even USD100K. But once you hit millions or more, they might pay a bunch of very smart people t
    • What about using a/an {insert your favorite audio format here} playlist of music you own and use the same technique? The DMCA would have to be violated many times for your information to be retrieved. Just a thought.
    • a "secure disposal company" could bake a drive at curie temperature for 24 hours in an alternating magnetic field of varying frequency, strap a hand-grenade to it and drop it down a disused mineshaft, but how can you be sure it's the same drive, or that they haven't made a backup of its contents?

      If a company is THAT paranoid about security, they will send an agent to accompany the sensitive drives to the oven/grenade/mineshaft facility and confirm that they are not mirrored or swapped out for other drives
  • CBC Radio 1 had an interview with a security representative from the bank last night on As It Happens. An audio recording of the program is available here [www.cbc.ca]. (It's the ninth item of the programme.)
  • Real easy to fix (Score:2, Interesting)

    by JLSigman ( 699615 )
    Here in South Carolina, some state government agencies are required to physically destroy the hard drive before we send them off to be sold. It usually took approximately 2 minutes to do. At this point, forget the finger pointing and give the lowest IT peon in the bank the job of taking a screwdriver and making gashes in the platters.

  • Copyright? (Score:5, Insightful)

    by Quixote ( 154172 ) on Tuesday September 16, 2003 @07:11AM (#6973897) Homepage Journal
    Here's a question. Why is it that the RIAA can (with a straight face) claim that each of their songs that a person shares is worth $150K [boycott-riaa.com], and yet my private information with the bank is worth zilch? Why is it that the RIAA can get $12K from a 12-year old girl [knac.com] and yet the general public can get nothing from these companies that share our private information?

    Shouldn't customers' private information have at least as much rights as some stupid Britney Spears song?

  • use HD built in wipe (Score:5, Informative)

    by j_dot_bomb ( 560211 ) on Tuesday September 16, 2003 @07:14AM (#6973919)
    Modern hard drives have commands "SECURITY ERASE" and "ENHANCED SECURITY ERASE". Search for those terms and hdparm on google. Also below is a link to the quality of the erasure. Note: these will erase even bad "mapped out" sectors. Enhanced erase will even go off track + and minus which erases the edges. atapwd.zip does regular erase (search).

    http://www.tomcoughlin.com/Techpapers/Secure%20Erase%20Article%20for%20IDEMA,%20042502.pdf
    • Modern hard drives have commands "SECURITY ERASE" and "ENHANCED SECURITY ERASE".

      These are commands that the average user of a $100 ATA hard drive will never execute.

      How likely do you think it is that some HD manufacturers omit support for these commands from their disk controllers as a cost-saving measure?
  • ebay (Score:2, Funny)

    by dmitri2060 ( 325200 )
    Scary. Humans make mistakes. Security disk cleaning should be done by robot workers run by a robotic management. A huge organization is only as smart as its dumbest employee.

    I hope he got back his ebay listing fees.
    • Not really. A well run organization is organized so that the less competent and trustworthy aren't always put in positions of great responsibility and power.

      Which is why outsourcing important/core stuff doesn't work. It usually takes time to see how trustworthy someone is. You get them to do a little job for you. Slowly give them bigger and bigger jobs.

      If a company outsources something it either means that:
      1) It's not important to the company.
      2) The company is in the wrong business.

      A Mafia Don doesn't let
  • by dpbsmith ( 263124 ) on Tuesday September 16, 2003 @07:46AM (#6974125) Homepage
    Bravo to them! A refreshing change from all the stories of corporations responding to security issues by shooting the messenger.
  • Happens all the time (Score:5, Interesting)

    by computerlady ( 707043 ) on Tuesday September 16, 2003 @07:53AM (#6974200) Journal

    I was consulting at a community bank last spring, helping them get ready for an IT audit by the FDIC. They were replacing some machines, and I persuaded them to donate the old ones to a local computer group who refurbishes them and places them in schools and non-profits. I could see that their IT policy manual contained nothing about even wiping drives let alone destroying them.

    As soon as I got them to my office, I invited the CEO in to see how much customer info his IT department had "donated." He was, of course, shocked. The sad thing is, probably 30 people were involved in that transfer and not one of them had the slightest clue. Another sad thing is that the donation fiasco was just one of hundreds of examples of failure to adequately protect the privacy of customer information.

    The good news is that the FDIC is taking customer data security very seriously and is coming down hard on breaches and potential problems during their IT audits and their Safety and Soundness audits. So maybe it will get better. Except we are talking about humans...

  • Since I am a consultant I have a GST number.
    I recently got some GST mail saying that every business in Canada needs to come up with a privacy policy. It said (something like): Privacy, it's good for business.
  • Has anybody stopped to thank the kid that let the bank know? It is comforting to know that there are still a handful of people out there who are still honest.
    Just my humble opinion,
    SirLantos
  • Security Check (Score:5, Insightful)

    by failedlogic ( 627314 ) on Tuesday September 16, 2003 @09:34AM (#6975129)
    Gov't employees, military personnel and law enforcement in sensitive areas have to go through a background check.

    This begs the question, what sort of background checks are performed on the technicians fixing the computers? And what sort of computer security experience do they have?

    I would at least expect a "student" not to be employed in this type of position. Give it only to a qualified full-time employee w/ good compensation and benefits - that in itself should be a deterrent.
  • Just the other day, I was helping organize furniture in a community furniture bank, and we came across a desk that was chock full of this guy's financial history. Bills, receipts, loans, credit card statements, everything. We joked around that we could go shopping and get ourselves a new car, had any of us had loser morals this guy would have been screwed. Just goes to show, it happens in the real world too still.
  • by Unknown Poltroon ( 31628 ) * <unknown_poltroon1sp@myahoo.com> on Tuesday September 16, 2003 @10:01AM (#6975397)
    We used to destroy HDD by letting the techs (me) go apeshit on them with a hammer, then some sandpaper, then my supervisor would literally take some of them home for target practice with his .45.

    They now require the disks to be physically shredded, but I think we came pretty damn close.
  • Obviously eBay is liable because they failed to ensure that no banking information was available for sale on their site. Furthermore, anyone whose web site contains a LINK to an eBay page is EQUALLY liable, because linking to information is the same as hosting that information. And, since I have it on good authority that music CDs and adult videos are also sold on eBay, anyone with a link to eBay should be sued by the RIAA as well as prosecuted for obscenity if a child has access to the link.

    You think I'm
  • We Drill 'Em!! (Score:3, Informative)

    by CrazyLegs ( 257161 ) <crazylegstoo@gmail.com> on Tuesday September 16, 2003 @11:43AM (#6976684) Homepage
    At a bank I used to work at, the policy was that any computer being sold off would:
    • have the hard drive physically removed by bank IT staff
    • have several holes drilled through the platters
    • finally disposed of as garbage
  • Well.... (Score:3, Interesting)

    by madcow_ucsb ( 222054 ) <slashdot2@@@sanks...net> on Tuesday September 16, 2003 @12:38PM (#6977349)
    sometimes it ends up on there from individual users' stupidity too. A friend of mine just bought a 17" powerbook off ebay a few weeks back. I was playing with it and saw that it had this guy's quicken files dating back to like 1997. It had U of Maine school/financial aid records. It had all kinds of personal documents on there. It would be SO easy to steal this guy's identity. There were SSN, DL #, bank account numbers, credit card numbers, addresses, phone numbers, EVERYTHING in one convenient location.

    It just boggled my mind that someone could be so stupid as to leave that kind of thing on their computer when they sold it.
  • by Awptimus Prime ( 695459 ) on Tuesday September 16, 2003 @02:34PM (#6978480)
    The banks should have 0'd or trashed these drives before selling them. I see this type of neglect as solely the responsibility of the bank.

    Why? Well, if you hire an accountant and don't double check his work, it's your arse. Why should it be any different with a corporation's responsibility when it comes to guarding customer data?

    Personally, I would like to see more laws guarding US. Not slapstick anti-terrorism laws directed at destroying personal privacy, but real laws that protect real people. As we are the source of America's economic might. At the point where citizens don't have money to throw at giants, then the giants won't exist anymore. At least, not inside our borders.

  • by FCKGW ( 664530 ) <cclpez802NO@SPAMsneakemail.com> on Wednesday September 17, 2003 @12:03AM (#6983132)
    The PHB at the small office where I work bought about 20-30 old Pentium 133 machines at auction. I bought/traded for two of them, since we weren't going to use them all at work. They still had their installs of Win95 with a NetWare client and a few company documents. Nothing very interesting, though. I still have a backup of one of them; maybe I'll look through it some more and see what I can find.
