Hundreds of Bank Account Details Left In London Pub
twoheadedboy writes "Another day, yet another data security failure. Two companies have been found in breach of the Data Protection Act after tens of thousands of tenants' details were left at a London pub, alongside 800 records with bank account details. A contractor who had stored data from two different companies on an unencrypted USB drive was responsible. We've all lost things on a night out, but rarely is it other people's banking information. The two firms involved have been told to get a grip on their security procedures, but they escaped a fine from the ICO."
Not even a fine? (Score:5, Insightful)
Companies are legal entities that can get away with far too much!
The police can usually be quite creative when it comes to punishing people when they do something stupid on a night out. There are vague concepts like 'public disorder' or 'disturbing the peace' which allow them to lock up someone for at least a night. Can't they apply that to a company that gets drunk? Close it down for 12 hours until it's sober again?
Re: (Score:1, Insightful)
Companies are the sacred cows of capitalism. They create wealth. They run the economy. They are immortal. They can freely move across borders. They are untouchable.
This is especially true in countries where the corporations and the governments are essentially the same.
You and me, we're expendable. They aren't.
Re:Not even a fine? (Score:4, Funny)
I need to go to the pub for breakfast and beer.
Re: (Score:3)
Don't leave your USB drive there..
Re: (Score:2)
If I owned a pub open early in the day, I would do like the cereal manufacturers for a TV commercial: "Our pilsner is a delicious part of this balanced breakfast!"
The ICO is useless (Score:5, Informative)
...the ICO acts on just 1.4% of data breaches and only fines 0.15% of offenders.
http://www.techwatch.co.uk/2011/04/22/ico-penalises-less-than-1-of-security-breaches/ [techwatch.co.uk]
Re: (Score:3)
Yup, if everybody gets one free warning and the risk of prosecution is low to begin with, then there is virtually no incentive to not commit a crime.
Re: (Score:2)
Really? Do you get caught and punished every time you do something bad? I've frankly sped (at 10, 20+ mph above posted limits) many times and done things that I'd be too embarrassed to admit on Slashdot. I've not been caught or punished for any of these transgressions. Yet.
All persons (both real and legal) get away with a lot of things they do; after scaling for size and influence of each person, I don't think there's a preferential treatment
Re:Not even a fine? (Score:5, Insightful)
But the point is that if you were caught doing 10-20mph above the posted limit you would almost certainly be punished for doing so...
Whereas many corporations are caught doing illegal things, and simply aren't punished at all.
There's a difference between simply not being caught, and being caught but let off with little or no punishment. The fact we hear about something in the news means they've already been caught, how many other crimes go undetected?
Re:Not even a fine? (Score:5, Insightful)
A 100 euro fine is normal for a person making a relatively minor mistake... like doing something stupid while drunk, or speeding 10-20 mph.
100 euro is 0.25% of a regular annual income of 40000 euro/year...
I'd like to see a big business take a fine of 0.25% of the revenue (revenue, not profit, obviously) for relatively small mistakes.
Take British Telecom (mentioned earlier in this thread) for example: A revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
And that's for small mistakes.
It would certainly bring an extra incentive to be careful.
Re: (Score:3)
Revenue is the wrong number to use. Use the percentage of earnings (or, if not actual reported earnings, at a minimum, revenues minus expenses directly related to generating those revenues), which is more comparable to a person's salary. You should arrive at a figure in the millions or hundreds of th
Re: (Score:2)
Revenue is the wrong number to use. Use the percentage of earnings [...]
You can argue that it must be paid from earnings (that's profit, isn't it?), or revenues minus expenses. Fair enough. But then we do that on both sides of the equation: We also calculate the percentage of a 100 euro fine compared to my annual savings.
Companies can put a LOT of stuff on expenses. They can put new shiny offices, heating and electricity, transportation including business trips and team-building events, new furniture, and company dinners and even the investments and expansions on expenses.
So, I
Re: (Score:2)
So their customers move to other banks and they go bankrupt. Or they eat it by paying fewer/smaller bonuses for a couple of years and keep their customers and stay in business.
Re: (Score:2)
Or they raise their fees so they can continue paying the same or larger bonuses, and then when on the verge of bankruptcy they go to the government and ask for a handout.
Re: (Score:2)
If the government is stupid enough to bail out a bank which is broke because they have next to no customers (the opposite of too big to fail), then that's not really a problem with the bank...
Re: (Score:2)
Finland has an excellent law in this regard: fines are scaled in proportion to the perp's wealth. This means that an average person might pay (say) 25 euros for a moving violation, but a really rich person would pay tens of thousands.
If the purpose of a fine is to dissuade people from doing something, then this is an excellent idea - a rich person would never notice 25 currency units, nor would a company.
Re: (Score:2)
By comparison, a couple of years ago when Shell Expro had a major gas leak in a production platform leg, killing two and putting several hundred at risk (if the gas had exploded, then one of the platform's three legs would have collapsed, dropping the whole platform into the sea in a matter of secon
Re: (Score:2)
I mean it is really obvious to your lopsided opinion on this, but I wonder if you really think that or not.
The reality is that both entities, corporate and government are made up of people... people will do stupid things and probably at the same percentage or rate as both entities
However, to read what you wrote, you tend to think that there are far more people doing stupid things in Government than business. Where do you get your opinion from? One can only guess, but it seems statistically flawed
Re: (Score:2)
>> I mean it is really obvious to your lopsided opinion on this, but I wonder if you really think that or not.
What does that even mean? What is really obvious?
>> The reality is that both entities, corporate and government are made up of people... people will do stupid things and probably at the same percentage or rate as both entities
I'd disagree. I have experience in both sectors, and from what I have seen... People in private entities are held more accountable for their actions. You can easily
Re: (Score:1)
The two firms involved have been told to get a grip on their security procedures
If it happens again, they have to go see the headmaster. After that, it's a note to their mother. Then, things get really serious. Wet bus tickets will be involved.
Why didn't they get a fine? (Score:1)
Why didn't they get a fine? The whole point of these acts is to stop this sort of thing happening so what is the exception? Let's see -
"The device contained details of over 20,000 tenants of Lewisham Homes and 6,200 from Wandle Housing Association. Almost 800 of the records belonging to Lewisham Homes also contained tenants’ bank account details."
So let 800 records that include customer bank accounts into the wild and no fine? But if I park my car on the street for an hour too long I get one. mmmm
Re:Why didn't they get a fine? (Score:5, Informative)
The article says "The ICO will only enforce a monetary penalty when it believes there has been noticeable damage to affected parties."
Re: (Score:2)
The ICO is a toothless waste of tax-payers' money. They couldn't even be arsed to do anything about BT's use of Phorm.
Fines should apply immediately (say £100 per breach), and quadrupled if the company did not disclose the breach itself. So in this case the contractor/councils should be staring down the barrel of a circa £2.6million fine. But they won't. All that will happen is that a few civil servants will be promoted, the council will mutter "lessons learned", the ICO will crow about monit
Re: (Score:2)
So basically, there will be no incentive to prevent damages. And since the people who are damaged won't know who did it, it won't really ever come back to them. It sure sounds to me like the whole ICO is just a crock. My bet is they are all bribed.
more details (Score:5, Informative)
the BBC article has some more depth [bbc.co.uk] (and the site is _much_ faster...). the most interesting sentence is "The memory stick was handed into the police on the weekend of the 5th March and safely retrieved." (emphasis added)
why took it 5 months to disclose the data breach?
re: more details (Score:2)
I'm mystified as to why the contractor in question isn't being named. That is an absolutely inexcusable lapse in judgment.
Re: (Score:1)
why took it 5 months to disclose the data breach?
Why took it 5 months? Speaking like Yoda we are, hrrmmmmm?
Re: (Score:2)
Probably because the ICO waited until the Silly Season before releasing the press release so that it got picked up by the news media. I doubt that any actual "investigative reporting" was involved.
So no punishment at all? Really? (Score:2)
All they had to do was say they'd be more careful next time, and that was good enough? I almost feel safer hiding my money in a box under my bed at this point.
Re: (Score:3, Funny)
Reminds me of the other story of the memory device left in a pub.
Clearly, pubs are dangerous places. Let's close them all down.
That was meant ironically, for all of you tards on /. who see a troll under every bridge.
Lost your memory in a pub? I thought that was why one went there.
How in this day and age (Score:2)
How in this day and age are companies still doing this? Are PHBs still demanding the company put everything in a single spreadsheet with no password?
Do they just not know of Vista's BitLocker or Mac's FileVault?
Re: (Score:2)
Do they just not know of Vista's BitLocker or Mac's FileVault?
They probably run XP...
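What the contractor's client could have run before the data ever reached a USB stick, as an added example for this thread (not code from the story, the ICO, or either housing association): a stdlib-only scan that flags records carrying a UK-style sort code together with an eight-digit account number, so an export containing them can be refused unless it goes into an encrypted container. The record layout and every sample line below are constructed for illustration.

```python
"""Flag records that look like UK bank account details before an export.

Added illustration for the thread above; the record format, the sample lines
and the hypothetical threshold are all constructed, not taken from the story.
Only the standard library is used so the check can run on any build machine.
"""
import re
from typing import Iterable, List, Tuple

# UK sort code as usually written: three pairs of digits separated by hyphens.
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")
# UK domestic account number: exactly eight digits, not part of a longer run.
ACCOUNT_RE = re.compile(r"(?<!\d)\d{8}(?!\d)")

# Constructed sample export. Lines 1 and 3 carry bank details; line 2 has an
# eight-digit reference but no sort code, line 4 has neither.
SAMPLE_RECORDS = [
    "Tenant 00123, 12 High St SE13, sort 12-34-56, acct 12345678",
    "Tenant 00456, 7 Station Rd SW17, rent ref 87654321, tel 020 7946 0958",
    "Tenant 00789, 3 Park Lane SE13, sort 65-43-21, acct 87651234",
    "Tenant 00999, 9 Mill Rd SW17, rent ref none on file",
]


def mask(account: str) -> str:
    """Keep only the last four digits so the scan report itself leaks nothing."""
    return "****" + account[-4:]


def find_bank_details(line: str) -> List[Tuple[str, str]]:
    """Return (sort_code, account_number) pairs found on one line.

    Both must co-occur: an eight-digit number alone (rent reference, phone
    fragment) is far too common to treat as a bank account on its own.
    """
    codes = SORT_CODE_RE.findall(line)
    accounts = ACCOUNT_RE.findall(line)
    if not codes or not accounts:
        return []
    return [(code, acct) for code in codes for acct in accounts]


def scan_records(records: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan records and return (line_no, sort_code, masked_account) hits."""
    hits = []
    for line_no, line in enumerate(records, start=1):
        for code, acct in find_bank_details(line):
            hits.append((line_no, code, mask(acct)))
    return hits


def should_block_export(records: Iterable[str], threshold: int = 1) -> bool:
    """True when the export holds at least `threshold` bank-detail records.

    `threshold` is a hypothetical policy knob; one record is enough by default,
    since a single tenant's account details are already personal data.
    """
    return len(scan_records(list(records))) >= threshold


if __name__ == "__main__":
    for line_no, code, acct in scan_records(SAMPLE_RECORDS):
        print(f"line {line_no}: sort code {code}, account {acct}")
    if should_block_export(SAMPLE_RECORDS):
        print("export refused: encrypt the container first")
```

The co-occurrence rule is what keeps the false-positive rate tolerable; note that a date written dd-mm-yy also matches the sort-code pattern, so a real deployment would validate the sort code against the bank's published ranges before blocking.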
Yay for human error (Score:1)
Re: (Score:2)
This is more like making a pizza with a dynamite topping and then leaving it in the oven too long (there's just no good reason to make a dynamite topped pizza).
Re: (Score:2)
Maybe it's a pizza for angina sufferers?
No, we haven't (Score:1)
No, we don't all.
I wonder if the author is making excuses for what appears to be another incident stemming from Britain's widespread drinking problem. I can't think of any other country with as many stories of the form "restricted-access data from XXX was left in a pub by a contractor/employee with company/agency YYY". Maybe it's just that the British press covers this especially aggressively, or maybe it's really that too many Britons are foolish and irresponsible ab
Re: (Score:3)
I can't think of any other country with as many stories of the form "restricted-access data from XXX was left in a pub by a contractor/employee with company/agency YYY".
I know it's not exactly a USB stick with bank details, but other nationalities do quite famously leave things in bars [gizmodo.com] that they probably shouldn't.
Maybe it's just that the British press covers this especially aggressively,
Ding!
Re: (Score:1)
Have a look in Amsterdam, when you see a drunk in broad daylight chances are nearly 100% he's a British 'tourist'.
This point alone should be an incentive for companies that handle sensitive data to enforce good, drunk-proof security.
Re: (Score:2)
Left in pub does not mean left in pub by a drunken contractor - probably went in for food at lunchtime, and left it behind, just like others have left them on trains, taxis etc. when not drunk .... Pubs in the UK are very often not just bars, they are nearer restaurants with a bar ...
There is a drinking culture in the UK, the problem is that the culture is to drink, without food, in order to get drunk, other countries drink as much, but with food (which lessens the effect), and consider being drunk to be ill
Re: (Score:2)
Exactly. "Pub" is short for "public house" which explains why they feel like someone's living room. That's the whole idea, and part of the culture: rather than sitting in your home alone during the evening, you can pop down to the pub and hang out with your friends in essentially the same atmosphere. Local pubs are one of the things that make travelling through the English countryside such a joy! I used to fly through London a fair bit and often would schedule a long stop-over so that I could pop in to t
Re: (Score:2)
A country one. Every generation goes through it.
I personally don't understand the appeal, but I'm deaf enough that pubs are horrendous conversation blackspots for me and I don't buy the "it's fun to get drunk" angle.
Then again, I bought a litre of vodka an hour ago.. :)
The UK does appear to drink differently to most other European nations. I personally put it down to the puritans and their fucked up approach to life - by demonising alcohol they influenced the country into a lifestyle that doesn't introduce
Re: (Score:3)
Britain doesn't have a drinking problem, at least not to the extent that our media would have you believe. It's been hyped out of proportion on the back of badly designed government statistics, which reveal that large numbers of people regularly binge drink. At least, they do if you define "binge drink" as "drink more than the daily recommended alcohol allowance in a day", where the daily recommended alcohol allowance is 3 units for women or 4 for men (i.e. 2 pints of any reasonably strong lager is "binge
Re: (Score:2)
Time to lose mine (Score:2)
We've all lost things on a night out
$ mv virginity /mnt/usb/
We got our priorities straight here... (Score:4, Insightful)
Lose a prototype iPhone?
Men come busting in to search the apartment of the guy who buys it.
Lose a USB drive with 800 banking records?
A stern talking-to, but no fine.
Totally. (Score:1)
Being involved with the sale of stolen property is a crime. Losing a USB key isn't.
Re: (Score:3)
Another difference: losing a USB stick doesn't usually involve claiming "I COMMITTED A FELONY!" on a very widely read blog. Do not taunt Happy Fun Police Officer.
Re: (Score:3)
Lose a prototype iPhone: Get into shit at work
Lose a USB drive with 800 banking records: Get into shit at work
Sell someone else's property: Get investigated for receiving stolen goods, money laundering, etc.
Hand in USB drive found in pub to police: Get thanked.
I'm not seeing any major issues here.
Re: (Score:2)
The responsible course of action would be to anonymously post the data to Pastebin. Failure to do so will only result in the company in question getting off with little more than letter from the ICO.
Until there is an effective system in place to punish this sort of thing we are going to have to do it ourselves, and civil disobedience is justified. We have exactly the same problem with protests - they are utterly ignored until they turn violent for a sustained period. 2 million marched against invading Iraq
Thank You! (Score:2)
I was wondering where I left those. If you just pass them along I would appreciate it. Please send to totallystoked@goingtodosomethingeviltoday.com
WTF??? (Score:2)
What the hell was a CONTRACTOR doing wandering around with unencrypted BANKING information from TWO DIFFERENT companies?
Welcome to the world of contracting, where you charge a high daily rate because you "get things done".
What you don't mention is that you get things done because you ignore all of the regulations, internal policies and procedures and other mechanisms designed to keep companies operating within the law and looking after their customers' data properly.
Sometimes you fuck up and get asked to leave your current contract - but don't worry, there'll be another one available within a week or two.
And contractors wond
ID-10-T Consulting (Score:2)
Our Mission Statement:
- encryption is obsolete and unnecessary
- carry all client data on easily deposited USB drives for convenience
- go for a pint in the pub daily
Who needs to get hacked... (Score:2)
Why was it on a USB stick? (Score:2)
Who the hell brings tens of thousands of case details with them on a USB stick when they go to the pub? Taking a bit of work home over the weekend? Surely you would just access it on the employer's VPN in that case?
The only plausible reason I can think of is that the person meant to give or sell it to someone who wasn't allowed to access it.
The English (Score:2)
The British security method (Score:2)
Is to leave all secret documents all over the place, so eventually people get tired of reading all the stuff and leave it alone.