
Bord Gais stolen laptops


Comments

  • Registered Users Posts: 270 ✭✭Fnergg


    Whats the fuss about like?

    Let's say I work as a sales rep for whatever and get paid by cheque. I ask for name, address, phone, etc.

    So now I have their full name, their address, their phone and their sort code and bank A/C no.

    Does this mean I can waltz up into their bank and make a withdrawal from their account?

    No


    An A/C no. and sort code is, quite surprisingly, not enough to make a withdrawal.


    Jeremy Clarkson in the Sunday Times made the same point last year and proceeded to publish his bank account number and Sorting Code. Somebody successfully set up a Standing Order on his account.

    Regards,

    Fnergg


  • Registered Users Posts: 466 ✭✭discostu1


    I'd forgotten about Mr Clarkson, for those who think "this is of no consequence" have a read. Thankfully we live in a country with a high level of regulation of the banking industry and NEVER have any issues with the quality of those employed or the standards they bring to the workplace :D

    http://news.bbc.co.uk/2/hi/entertainment/7174760.stm


  • Registered Users Posts: 1,350 ✭✭✭skywalker_208


    Who will be responsible if any money is taken from bank accounts because of this fiasco? Bord Gais? I doubt they will cover it!


  • Registered Users Posts: 1,092 ✭✭✭db


    This was not just one breach of security - there are at least four measures that should have been in place:
    1. The data should not have been on the laptop.
    2. The laptop should have been encrypted regardless of whether there was sensitive information on it.
    3. The laptops should have been physically secured with Kensington locks.
    4. Building security should not have allowed the theft to occur.

    If ANY of these measures had been in place there would be no problem. Bord Gais are saying that all laptops are now encrypted - what a joke. The HSE thought that all their laps were encrypted until some were stolen this week and it turned out that one of them wasn't encrypted.

    I use a laptop for work and if I was found to have sensitive customer data on it I would be fired. If I leave it unlocked on my desk it will be removed by security and my department head informed.

    To those that say "What's the fuss about": a criminal who knows what they are doing doesn't need much to get into your accounts. If the person who stole these laptops knows what they have, the data will be in Eastern Europe or India by now.


  • Site Banned Posts: 5,904 ✭✭✭parsi


    Fnergg wrote: »
    I find it incredible that Bord Gais with all their purported media savvy attributes - their presence on YouTube, their Twitter account, their courting of the Irish blogosphere in the lead up to their launch into the domestic market back in February, etc. - should have been so STUPID as to have confidential details of 75,000 (!!!!) customers on an unencrypted laptop.

    On a bloody laptop! What the hell was the data doing there? And unencrypted!

    Clearly, there is a wide gulf - nay, a veritable chasm - between their marketing froth and the reality on the ground.

    I wouldn't trust those bozos as far as I could throw them.

    Regards,

    Fnergg

    Hmm. We've BGE dealing dodgily with laptops, ESB sending out solicitors' letters, Lord knows what Airtricity's scandal will turn out to be.

    Basic fact is that companies don't care about your info.


  • Closed Accounts Posts: 32 Mickelodian


    Okay... so a lot of money was spent for people to change from using one state service they 'own' to another state service they 'own' and get a couple of bob off the bill... that in itself is a waste of public money..

    Think of all the money spent on those fancy schmancy ads with Lucy whatsherhead! And a new website and all the money they spent in the papers etc.

    We are paying to move our account to a cheaper alternative all within the one company Ireland & Co.

    Now we find that two state agencies who incidentally can't even get people moved from one organisation to another because they have compatibility issues (that's why you're all still waiting for this big switch btw)

    Now we find out that some idiot leaves all the customers' bank details on a laptop which is then 'coincidentally' stolen during a burglary... this is all very James Bond...

    I've had enough of this... If I'm switching it'll be to Airtricity... at least if they screw up like this I can sue!

    With a semi state there will be an enquiry so that the evidence can't be used in a real court and the civil servants can keep their jobs regardless of their incompetence, and then there would be talking in meetings for three years and all sorts of shenanigans..

    If a private company screw up you just take them to court and do them for damages and whatnot.


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    chilly wrote: »
    According to the Deputy Data Protection Commissioner, in the wrong hands these details are enough to put you at considerable risk of identity theft or bank withdrawals. I thought it would be less serious but I presume he should know best.


    Someone having access to your account details can be a serious risk, but all you have to do is carefully monitor all transactions on your account and contact your bank if there are irregularities.

    My personal opinion of the DPC is that they are inefficient, haven't a clue and have no powers to do anything. That's why no one was held accountable when social welfare information went missing on laptops and USB keys in the last few years, same when the banks notified of breaches; in one case I think almost a year or more passed before the customers received notice.

    The fact is that data protection has no clue what they can or can't do. I sent them an email recently on the powers they have for prosecution and I was told that they had no power to directly prosecute, that they refer the matter to the court; someone else was told they do have the power to directly prosecute, but prefer to let the "embarrassment" of a known breach be punishment enough. They feel that if a company loses data customers will be P'd off and leave and that company will then have to improve their practices. All well and good in theory, but when the company doesn't have to actually inform the customer then it might be hard for the customer to move because of a breach.
    chilly wrote: »
    There's a chance that details on stolen laptops may have been sold onto criminal gangs outside of Ireland in Russia or China. More than likely though it was an opportunistic robbery and all details on the laptops were immediately deleted so the laptops could be sold in Ireland. I don't think you need to cancel anything immediately. Just be vigilant and keep an eye on your account until you know more.

    I did my thesis on mobile device data breaches; the vast majority of laptop thefts are opportunistic, it's stolen, wiped and used by the thief, or hocked so they can get a quick hit, or sold down the pub.
    Sleipnir wrote: »
    I'm amazed that the banking details of 75,000 people could be kept on an unencrypted laptop. How could a company like Bord Gais allow that?!?!?

    Ask Bank of Ireland, AIB, various government departments. The truth is that there is no requirement under Irish or EU law for data to be encrypted on mobile devices under current data protection legislation. All they have to do is take reasonable measures to protect that data, but those measures are not defined.
    twenty8 wrote: »

    There is little chance that this data can be used by anyone. Chances are that the laptop was robbed by kids and all data deleted within hours and then the laptop sold on.
    I would think this is the case, I'd say it's an opportunistic theft by a kid/junkie/scummer that saw a window open and saw a chance for a quick few quid.
    twenty8 wrote: »
    I am sure that Bord Gais said nothing because if they had then the thieves may become aware that they had something valuable and then an entirely different issue would have happened.

    Under current Irish law there is no requirement for a company to inform a customer of a data breach, unlike in the US, in which 44 states have data breach notification laws (but no one Federal law). That's why when, I think, Bank of Ireland misplaced a few laptops no one was told for months/years except the Data Protection Commission, same when the blood transfusion service had a laptop stolen in NYC. I believe Dermot Ahern was looking into mandatory notification but that process only began early this year.


  • Registered Users Posts: 21,466 ✭✭✭✭Alun


    Stekelly wrote: »
    People nowadays have this belief that once someone gets a hold of your 8 digit account number, they have the keys to your life.
    Not only that, but in large swathes of continental Europe it's commonplace to pay many debts by direct payment to people's bank accounts, and you need all their bank details to do that, sometimes including their address. Needless to say it's not a problem there, so neither should it be here.


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    db wrote: »
    This was not just one breach of security - there are at least four measures that should have been in place:
    1. The data should not have been on the laptop.
    2. The laptop should have been encrypted regardless of whether there was sensitive information on it.
    3. The laptops should have been physically secured with Kensington locks.
    4. Building security should not have allowed the theft to occur.

    Who says they should have? There is no requirement under law for any of the above. Granted, all the above are within the bounds of good practice for securing data on devices; only companies that are required to comply with the likes of SOX, SAS 70, ISO etc. would have to employ the first three of these measures.

    Like I said, it is good practice, one I implemented long ago in the company I work in and one I have put forward in my thesis for the protection of portable devices.

    The problem is, like I said, businesses do not HAVE to do any of this and that's why time and again we see this happening. I mean, the day before we heard of 15 laptops stolen from the HSE; granted, 13 were encrypted, but this isn't the first time that the gov has experienced a mobile data breach, and many ministers during Dail sessions have said that their departments are implementing such measures, and that was mid to late last year.
    db wrote: »
    If ANY of these measures had been in place there would be no problem. Bord Gais are saying that all laptops are now encrypted - what a joke. The HSE thought that all their laps were encrypted until some were stolen this week and it turned out that one of them wasn't encrypted.

    Actually, encryption is only good if the laptop is powered off. Once it is powered on and the encryption key entered, only the OS security stands in the way. It also depends on whether full or partial disk encryption is used: if only partial disk encryption is used, only some data is protected; the hard drive can be taken out of the laptop, plugged into a small USB chassis and the data that has not been encrypted read straight off it.

    A bolt cutters will solve the problem of your Kensington lock; also, the lock is attached to a slot on the laptop that is made of plastic, so it could be broken off unless it's one of those metal loops that's stuck on.
    db wrote: »
    I use a laptop for work and if I was found to have sensitive customer data on it I would be fired. If I leave it unlocked on my desk it will be removed by security and my department head informed..
    I fear your business is the exception rather than the rule. Is it in the financial sector? Must you comply with SOX?


    Also, in this article it claims that only 2% of breaches lead to identity fraud:

    http://www.techdirt.com/articles/20051024/0443257.shtml


    Some examples of recent breaches:

    Bank of Ireland:
    Account information, addresses, and medical information of 10,000 on stolen laptops
    They waited about a year to tell data protection about it.
    http://datalossdb.org/incidents/963-account-information-addresses-and-medical-information-of-10-000-on-stolen-laptops


    Ireland Department of Social and Family Affairs
    Stolen laptop contains personal information for 380,000
    http://datalossdb.org/incidents/1084-stolen-laptop-contains-personal-information-for-380-000

    Northern Ireland Department Human Resources:
    Stolen laptop contained names, addresses, insurance numbers, dates of birth and bank account details 30000 records
    http://datalossdb.org/incidents/2093-stolen-laptop-contained-names-addresses-insurance-numbers-dates-of-birth-and-bank-account-details

    Bank of Ireland:
    Missing USB key with 894 customer account numbers, names and addresses
    http://datalossdb.org/incidents/1188-missing-usb-key-with-894-customer-account-numbers-names-and-addresses

    Irish Blood Transfusion Service:
    Laptop and CD with 175,000 records stolen in NYC

    http://www.independent.ie/business/technology/firms-need-to-open-up-to-laptop-theft-1322894.html
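The full-versus-partial disk encryption point made above can be checked rather than assumed. The following is an added example, not code from this thread: it walks the JSON tree that `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits on Linux and reports every mounted filesystem that is not layered on a dm-crypt device, which is exactly the data a pulled drive in a USB chassis would expose. The embedded lsblk output is constructed, and the `EXPECTED_PLAIN` allow-list is an assumption about which mountpoints legitimately hold no user data.

```python
"""Audit which mounted filesystems sit inside an encrypted container.

Consumes the JSON tree printed by
    lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT
and flags mounted filesystems with no dm-crypt ("crypt") ancestor.  An
encrypted root beside a plain /data partition is the "partial disk
encryption" case: pull the drive, attach it over USB, read /data directly.
"""
import json
import subprocess

# Constructed sample in the shape lsblk prints: an encrypted root inside a
# LUKS container, an unencrypted EFI partition and a plain /data partition.
# This is not output from a real machine.
SAMPLE_LSBLK = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
        "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
        "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
           "mountpoint": "/"}
        ]},
       {"name": "nvme0n1p3", "type": "part", "fstype": "ext4",
        "mountpoint": "/data"}
     ]}
  ]
}
"""

# Assumption: these mountpoints hold no user data and are expected to be
# plain (the boot loader has to read them before any key is entered).
EXPECTED_PLAIN = {"/boot", "/boot/efi", "[SWAP]"}


def walk(node, encrypted=False):
    """Yield (mountpoint, device, encrypted) for every mounted node.

    A node counts as encrypted if it, or any ancestor, is a dm-crypt
    device, so an ext4 filesystem inside a LUKS container is protected
    while a sibling plain partition on the same disk is not.
    """
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield mountpoint, node["name"], encrypted
    for child in node.get("children") or []:
        yield from walk(child, encrypted)


def unencrypted_mounts(lsblk_json: str) -> list[tuple[str, str]]:
    """Return (mountpoint, device) pairs holding data outside any
    encrypted container, ignoring mountpoints expected to be plain."""
    tree = json.loads(lsblk_json)
    findings = []
    for device in tree["blockdevices"]:
        for mountpoint, name, encrypted in walk(device):
            if not encrypted and mountpoint not in EXPECTED_PLAIN:
                findings.append((mountpoint, name))
    return findings


def audit_live_system() -> list[tuple[str, str]]:
    """Run lsblk on this host (Linux only) and audit its output."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mountpoint, name in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED: {mountpoint} on {name}")  # prints /data on nvme0n1p3
```

Run `audit_live_system()` instead of the sample on a fleet laptop to turn "all our laptops are encrypted" into something that can be verified per device.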


  • Closed Accounts Posts: 16,713 ✭✭✭✭jor el


    Fnergg wrote: »
    Jeremy Clarkson in the Sunday Times made the same point last year and proceeded to publish his bank account number and Sorting Code. Somebody successfully set up a Standing Order on his account.

    Regards,

    Fnergg

    Yes, but the only reason the direct debit was allowed to go through, was because of the flaws that are inherent in that system. Signatures or proof are not required, mainly because if it's found that the direct debit is wrong, the bank must cover the loss to the customer.

    A criminal would find it hard to set up direct debits, as it's not as simple as just giving the two bank accounts and hey presto, all the money goes through. In Clarkson's case, someone set up a direct debit using his details, with the proceeds going to a registered charity that had direct debit capability. This is NOT the same thing as a criminal stealing money from your account.
    who will be responsible if any money is taken from bank accounts because of this fiasco? Bord Gais? I doubt they will cover it!

    BG will have to be liable, and if in the unlikely event that your details are used, you can sue them. Get a good solicitor if it happens to you.


  • Closed Accounts Posts: 1,571 ✭✭✭Mailman


    Security procedures in place in my company for laptops:
    Kensington lock
    BIOS password
    long non-dictionary mixed-case alphanumeric password
    nothing kept on laptop hard drive
    everything kept on network
    security card needed to log on to network
    really important stuff kept in vault locations and really important systems in DMZs
    security officer in place
    regular patching of all clients and servers...
    and I don't even work with particularly valuable or sensitive data.

    if a thief can figure out who I am, where I work and get past all of that security they've earned the right to steal the data.

    and bord gais? unencrypted data stored locally on an unsecured laptop.


  • Closed Accounts Posts: 1,571 ✭✭✭Mailman


    BTW. I appear to be one of the 75,000 who had their bank details stolen.

    In the last 8 months I've been in contact with the data protection commissioner on another issue with a Company in the state where the Company was in breach of the Data Protection Act. I only recently got acknowledgement from them that the Company has now changed policy to comply with the data protection act. The breach was a very basic one that was obviously completely unacceptable but it still took eight months to get it corrected. The company was not punished and no negative publicity will be seen in the media. The company appeared to be very nonchalant in their dealings with the data protection commissioner. The Commissioner commands no respect.


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    Mailman wrote: »

    kensington lock.
    Bolt cutters, but a good deterrent for opportunistic theft.

    Mailman wrote: »
    bios password.
    I believe removing the CMOS battery and power may remove this; at least it did back in the day. Also, plugging the hard drive into an external chassis will bypass the BIOS and make the data readable unless encrypted.
    Mailman wrote: »
    long non dictionary mixed cased alphanumeric password.
    The above USB chassis will negate the effectiveness of this, but good practice.
    Mailman wrote: »
    nothing kept on laptop hard drive.
    everything kept on network..
    Difficult to enforce in my experience, but a good policy.

    Mailman wrote: »
    and bord gais? unencrypted data stored locally on an unsecured laptop.
    Even if it was encrypted it's no guarantee of protection. I did my thesis on data breaches on mobile devices; a number of articles I read said that some users disable the encryption, or in one case in the US a government department hadn't encrypted the laptops properly so they were not protected.

    Hell, one report carried out in US airports cited a number of individuals that left their laptop under the watchful eye of an unknown fellow passenger while they went for a leak.


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    Mailman wrote: »
    The breach was a very basic one that was obviously completely unacceptable but it still took eight months to get it corrected. The company was not punished and no negative publicity will be seen in the media. The company appeared to be very nonchalant in their dealings with the data protection commissioner. The Commissioner commands no respect.

    Yep, that was a conclusion I drew in my thesis: they have no real power because there are no mandatory laws other than "take reasonable measures to protect".


  • Closed Accounts Posts: 3,418 ✭✭✭Jip


    Plain and simply, as has been said, there should be no sensitive data stored on any local devices, it should have all been on servers.


  • Registered Users Posts: 6,465 ✭✭✭MOH


    Davy wrote: »
    It would be very interesting to see how many actually switch over because of this. Chances are fraud transactions won't happen, but no one likes taking chances when it comes to their cash.

    I was already thinking of going to Airtricity after they took so long to process my switch, this is the last straw. Great FAQ they have:
    Were the laptops not encrypted?
    All of the laptops had levels of security on them – however only one of them had hard drive encryption – the remaining three had password protection.
    So, "no", then.


  • Registered Users Posts: 1,092 ✭✭✭db


    Any form of security can be broken but each acts as a deterrent. As you say a bolt cutters will cut a Kensington lock but an opportunistic thief probably wouldn't have one in his pocket. Internal procedures on having customer data on laptops can be enforced with regular audits and disciplinary measures. Properly secured database access will prevent users running ad hoc reports to import data into Excel.

    I'm a developer not a security expert but in my company there are strict controls over who has access to live data. The response from Bord Gais to this incident shows that they still don't "get it" when it comes to data security.


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    db wrote: »
    Any form of security can be broken but each acts as a deterrent. As you say a bolt cutters will cut a Kensington lock but an opportunistic thief probably wouldn't have one in his pocket.

    Agreed, and again that's one of our conclusions: you make it less likely for the device to be stolen, use non-standard laptop bags etc.
    db wrote: »
    Internal procedures on having customer data on laptops can be enforced with regular audits and disciplinary measures. Properly secured database access will prevent users running ad hoc reports to import data into Excel.
    But are companies doing this? Articles I read during my research found that in the majority of cases no one is held accountable for a breach, be it internally or through prosecution. IIRC I can recall only two cases, both in the UK: one manager was sacked because his laptop was stolen from his car, and one company was fined a fair bit in the UK by the financial regulator. I agree that there should be controls in place to prevent sensitive data leaving the network if not encrypted.

    db wrote: »
    I'm a developer not a security expert but in my company there are strict controls over who has access to live data. The response from Bord Gais to this incident shows that they still don't "get it" when it comes to data security.
    Bord Gais are not the only ones; I worked in many firms that kept private data on portable devices and even though I suggested encryption it was deemed unnecessary even after a break-in and laptop theft.

    Some businesses just don't understand the repercussions of a breach. As a developer you know about the man hours needed to develop your product; a lot of companies don't factor that into the cost of the breach. In the case of Boeing, they had documents stolen by an employee, something to do with aircraft specs, proposals etc., and they valued the data at 380 million if it had got into the hands of their competitors. I assume that's through lost revenue/sales and previous expenditure in getting the projects to that stage.

    Even encryption isn't foolproof when you have reports of IT managers disabling the encryption or putting stickers on the laptop with the password on it.

    I think the best tool of all is user education. Teach them about the risks involved. I mean, all these laptops were stolen from a building. So as was said by others, desk locks are a great deterrent for all but the most determined. My point about bolt cutters is just that if the thief is determined then they will find a way.


  • Closed Accounts Posts: 677 ✭✭✭darc


    Initially I had no worries about this as I only gave Bord Gais the same details that are on my cheques (still use them once in a blue moon) and that those I give cheques to have my name / address.

    However, after further thought I realised that the person who has the computer is not the normal type of honest person you would give your bank details to and that with the bank details & address it would be possible for someone to attempt identity fraud.

    It's an outside chance and I'll simply be doing spot checks on my bank account just in case of anything untoward.


  • Registered Users Posts: 1,505 ✭✭✭ElNino


    Anyone affected should contact your own bank and ask for advice. If you are advised to change your bank account number then your bank should have procedures for automatically transferring your direct debits and standing orders to the new account.


  • Registered Users Posts: 38,247 ✭✭✭✭Guy:Incognito


    jor el wrote: »
    Yes, but the only reason the direct debit was allowed to go through, was because of the flaws that are inherent in that system. Signatures or proof are not required, mainly because if it's found that the direct debit is wrong, the bank must cover the loss to the customer.

    A criminal would find it hard to set up direct debits, as it's not as simple as just giving the two bank accounts and hey presto, all the money goes through. In Clarkson's case, someone set up a direct debit using his details, with the proceeds going to a registered charity that had direct debit capability. This is NOT the same thing as a criminal stealing money from your account.


    Was it not down to a rule in the UK that allows charities specifically to set up direct debits without written authorisation? So that they can do things like get people to sign up over the phone.


  • Closed Accounts Posts: 16,713 ✭✭✭✭jor el


    Stekelly wrote: »
    Was it not down to a rule in the UK that allows charities specifically to set up direct debits without written authorisation? So that they can do things like get people to sign up over the phone.

    Perhaps that was it, but it's not the same thing as having your account compromised by thieves, and Clarkson was right in his assertion. If he was wrong, anyone could have stolen his money, but they couldn't. It's like the companies here who use Direct Debit Plus, they can set up direct debits on anyone's account without any permission from the account holder. It's wide open to abuse, but only by companies.

    Either way, Clarkson's account was set up to donate to a charity, and it would not be possible for thieves to get this kind of setup. Unless of course they set up a legitimate business, get direct debits set up, take loads of money from accounts and then scarper before anyone realises what's happened.


  • Registered Users Posts: 270 ✭✭Fnergg


    ...Now we find that two state agencies who incidentally can't even get people moved from one organisation to another because they have compatibility issues (that's why you're all still waiting for this big switch btw)...

    It's nothing to do with compatibility issues. It's all down to Bord Gais' (private sector) outsourced contact centre Conduit being unable to cope with the level of applications received. There is no issue from the ESB side.


    Regards,

    Fnergg


  • Registered Users Posts: 8,324 ✭✭✭chrislad


    The Big Switch: Save up to 14%...off your wages!

    :)


  • Registered Users Posts: 466 ✭✭discostu1


    Right I'm going back to CASH

    http://www.newscientist.com/article/mg20227135.700-cash-machines-hacked-to-spew-out-card-details.html?full=true
    "SKULDUGGERY," says Andrew Henwood, "is a very good word to describe what this extremely advanced, cleverly written malware gets up to. We've never seen anything like it."
    What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street.


  • Site Banned Posts: 5,904 ✭✭✭parsi


    Fnergg wrote: »
    It's nothing to do with compatibility issues. It's all down to Bord Gais' (private sector) outsourced contact centre Conduit being unable to cope with the level of applications received. There is no issue from the ESB side.


    Regards,

    Fnergg

    No issue from the ESB side? Then why are folk reporting solicitors' letters and dodgy final bills? Do you happen to work for the ESB perchance?


  • Closed Accounts Posts: 10,272 ✭✭✭✭Max Power1


    parsi wrote: »
    No issue from the ESB side? Then why are folk reporting solicitors' letters and dodgy final bills? Do you happen to work for the ESB perchance?
    Well, as you have mentioned final bills, I presume you are referring to ESB Customer Supply. As they have no interaction with other supply companies, there is no issue here!

    Also - why would he defend ESB if he worked for them? It's widely acknowledged that the ESB (Customer Supply) need to lose the vast majority of their market share before they are allowed to price competitively again. In another regulated market (RTF Gas) the incumbent supplier has under 30% market share, and is still heavily regulated. The quicker ESB CS lose a majority of their customers, the quicker they will be allowed to price themselves, as opposed to having their prices set by the CER.


  • Closed Accounts Posts: 20,373 ✭✭✭✭foggy_lad


    It seems from the news today that the Data Protection Commissioner was ready to force Bord Gais to disclose this breach of security as they were apparently dragging their heels about informing customers and going public on their incompetence.


  • Registered Users Posts: 14,339 ✭✭✭✭jimmycrackcorm


    foggy_lad wrote: »
    It seems from the news today that the Data Protection Commissioner was ready to force Bord Gais to disclose this breach of security as they were apparently dragging their heels about informing customers and going public on their incompetence.

    Ironically the situation would be much better if nothing had been published at all. I mean, if you stole a laptop or received one such, would you trawl through thousands of files looking for possible bank account details? Now anyone who has gotten a dodgy laptop that hasn't been wiped will start looking....

