Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Computer With UK Bank Customer Data Sold On eBay

kdawson posted more than 6 years ago | from the fingers-pointing-in-a-circle dept.

Security 184

Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay, and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary Natwest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."

cancel ×

184 comments

Sorry! There are no comments related to the filter you selected.

Honesty (5, Insightful)

Enderandrew (866215) | more than 6 years ago | (#24759149)

Kudos for him for speaking up rather than trying to abuse the situation.

Re:Honesty (5, Insightful)

PunkOfLinux (870955) | more than 6 years ago | (#24759195)

Agreed, although we shouldn't be forced to think that doing the right thing is so rare that we must laud it.

Still, good job.

Re:Honesty (5, Interesting)

Anonymous Coward | more than 6 years ago | (#24759561)

"Always do good. It will gratify some and astonish the rest." ~Mark Twain

Re:Honesty (1)

KliX (164895) | more than 6 years ago | (#24759609)

He was on the UK main media tonight - though the Police will probably now take this up, I'd far rather have him working out what exactly went on.

Re:Honesty (0)

Anonymous Coward | more than 6 years ago | (#24759645)

Even if it wasn't so rare, doing the right thing should still be lauded.

Re:Honesty (4, Insightful)

Jimbob The Mighty (1282418) | more than 6 years ago | (#24760503)

No, given that the computer will be seized by the police as evidence in some sort of criminal case, somebody owes him a computer, as well as their thanks and a pat on the back.

Re:Honesty (2, Insightful)

Brian Gordon (987471) | more than 6 years ago | (#24759211)

Yeah I'm sure he'll be thanked for his trouble.. with a pair of handcuffs and a hood..

Re:Honesty (1)

BLAG-blast (302533) | more than 6 years ago | (#24759421)

Yeah I'm sure he'll be thanked for his trouble.. with a pair of handcuffs and a hood..

Yeah, with the current level of collusion between the corporate world, the government and judicial system, there is very little incentive to do the right thing. He should be give 10% of what ever appropriately large fine should be placed on the Banks and companies involved.

Re:Honesty (2, Funny)

cayenne8 (626475) | more than 6 years ago | (#24759525)

Hell, even better, why doesn't he turn around and resell the stuff on eBay?

I'm sure he could raise a pretty penny for all that info.....

If he's REALLY Lucky, he could die conveniently. (2)

Shturmovik (632314) | more than 6 years ago | (#24761707)

Just like Paul White, a New Zealander who, in the early '90s, bought a used computer full of highly sensitive Citibank data, which included information detailing some major tax fraud, as well as stuff linked to the NZ Security Intelligence Service.

White was just a two-bit Computer Broker-wannabe who tried to gain financially from the situation by ransoming the data back to Citibank. Very soon after acquiring the data and offering it back to the bank for a price, he died in a highly mysterious car accident, one which still remains unexplained and uninvestigated.

Re:Honesty (1)

X0563511 (793323) | more than 6 years ago | (#24760535)

While that kind of payment is good, it unfortunately encourages people to blackmail for the reward. I would rather people avoid trying to steal data with the intention of performing a "good deed" for the reward.

Re:Honesty (1)

BLAG-blast (302533) | more than 6 years ago | (#24760761)

While that kind of payment is good, it unfortunately encourages people to blackmail for the reward. I would rather people avoid trying to steal data with the intention of performing a "good deed" for the reward.

If data about me stored by a 3rd party company can be easily stolen, I would prefer somebody did and exploited the 3rd party company rather than me. If they are not adequately protecting my data then they deserve to be punished (or punched as I had originally "mis-typed").

There are already laws in place to deal with people stealing data for what ever reason, people violating them to collect data will not be rewarded. This thread was started with the implication that such laws could be used by corporations to silence honest people.

Re:Honesty (0)

Anonymous Coward | more than 6 years ago | (#24759707)

Betcha good money they arrest him.

Re:Honesty (2)

ObsessiveMathsFreak (773371) | more than 6 years ago | (#24759773)

Indeed. Naturally however, he will now be sued by BoS for his trouble.

Re:Honesty (2, Informative)

larien (5608) | more than 6 years ago | (#24761857)

Doubt it. BoS (I assume you mean Bank Of Scotland) won't as it was information from RBS (Royal Bank of Scotland Group) which was lost. As far as I've heard, there hasn't been any sueing going on anyway.

The worst part is that RBS didn't atually have a breach, it was a 3rd party. That, of course, could well lead to someone getting sued.

Re:Honesty (1)

digital_rich (1085385) | more than 6 years ago | (#24759895)

Feedback left for seller... "A+++++ great Ebayer, would def do business with again ;) brb shopping"

Re:Honesty (5, Funny)

Dekortage (697532) | more than 6 years ago | (#24759963)

Man: "Look, I found eight million customer records on here!"

Bank tech: "That's weird, we always stored ten million records in those databases..."

Man: "Huh, no idea what happened to those other two million." (hides batch of CDs) "I can't believe you guys sold 8 million customer records on eBay!"

Re:Honesty (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24761237)

I've a shared $webHosting on bluehost -- i found bunch of text files in /tmp directory with credit card details.

Re:Honesty (4, Funny)

The Great Pretender (975978) | more than 6 years ago | (#24761461)

Man: "Look, I found eight million customer records on here!"

Bank tech: "That's weird, we always stored 7 million records in those databases..."

Bank tech2: "Funny I thought it was 12 million..."

Bank tech3: "What are records?"

Bank tech4: "Hey, didn't I just decommission that laptop using that online eBay-thingy service?"

Re:Honesty (2, Insightful)

coachellamasada (1350549) | more than 6 years ago | (#24760845)

Kudos for him for speaking up rather than trying to abuse the situation.

Kudos indeed for bringing it to light to publicly shame them, but really, unless he had solid ties to the Russian mob how would he abuse the situation?

It's not like he found a bag of money lying in the street... Most folks wouldn't know what to do with this kind of database (or at least, how not to quickly get caught when exploiting it.)

I guess RBS stands for... (4, Funny)

volxdragon (1297215) | more than 6 years ago | (#24759161)

...Really Bad Security instead of Royal Bank of Scotland.

Obligatory (1)

The Grim Reefer2 (1195989) | more than 6 years ago | (#24759431)

Perhaps they should re-evaluate their slogan of, "Less talk, more action" in their IT security meetings.

Re:I guess RBS stands for... (1)

RealGrouchy (943109) | more than 6 years ago | (#24760293)

Don't fear; the bank has issued a press release, titled:

"Customer info secure": Royal BS

- RG>

Defending the indefensible? (4, Informative)

jtcedinburgh (626412) | more than 6 years ago | (#24761821)

OK, I have to pipe up on this one.

I've previously worked a few freelance tech gigs at RBS and the one thing I can say with certainty is that their internal security is extremely tight. Tighter than anywhere else I've worked in my time. The fact that anything gets done, EVER, is a minor miracle in the face of the mountain of red-tape, security, bureaucracy and general faffing with sign-offs and corporate governance that is needed to do pretty much anything.

So, I'm going to pipe up on behalf of RBS, your honour... :-)

Thing is, one thing I categorically don't believe is that the responsibility for handling customer data like this would fall to one individual without direct accountability. Knowing RBS, there would be forms to fill in, checks made, audits done and any handling of customer data would need to be signed off at a high level, and would be entirely traceable. Which is to say that if there's a breach, I don't think it's likely to be a break-down in procedure.

Now, you might laugh about this, but I know how many hoops I had to jump through to get things like dev rights on a developer box ("so, let me get this straight, sir, why do you need to be able to write to the C: drive?" - that sort of dumb thing) so I really doubt that a half-wit in marketing or HR or whatever would be entrusted with such data. It is kept under lock and key and it would certainly be VERY UNUSUAL to be allowed to make a cd copy of customer data. To do so would require sign off from Very Senior Management (at Director level), and hence visibility at EVERY STAGE and accountability for EVERY ACTION would be enforced with *GREAT RIGOUR*...

So my money is that this isn't what it at first appears to be - it could be the case that this is something else and the press have got the wrong end of the stick.

Or maybe I'm wrong. Often am, you know... ;-)

Re:I guess RBS stands for... (2, Interesting)

larien (5608) | more than 6 years ago | (#24761863)

Except it wasn't them who lost the data, although what a 3rd party was doing with all those records I'm not sure.

I got records from @home from an ebay purchase (5, Interesting)

jkinney3 (535278) | more than 6 years ago | (#24759165)

I bought a pair of SGI Origin 200 machines that contained names, credit cards, and enough data to be a real problem for many thousands of people. The labels on the machines listed them as from @home which had closed their doors. I did the dd if=/dev/zero dance and reinstalled IRIX.

Re:I got records from @home from an ebay purchase (0)

Anonymous Coward | more than 6 years ago | (#24759389)

I bought a pair of SGI Origin 200 machines that contained names, credit cards, and enough data to be a real problem for many thousands of people. The labels on the machines listed them as from @home which had closed their doors.
I did the dd if=/dev/zero dance and reinstalled IRIX.

Same here. From HT Computers or something similar right?

Re:I got records from @home from an ebay purchase (3, Insightful)

ScrewMaster (602015) | more than 6 years ago | (#24759673)

Some twenty years ago, back when those orange plasma displays were popular, a girl I used to work with said she'd gotten hold of some Compaq portables, and would I want to buy one? She was only asking a couple hundred bucks (I believe they cost several thousand new at the time.) So I stopped by to take a look, thinking I could really use a machine like that. That line of thought lasted right up until the system finished booting and a custom menu appeared with legend of a major national bank across the top. Given the price and the data on them, I figured they were hot (I asked what truck they'd fallen out of) and declined to buy one.

That was then, now we're in the Age of the World Wide Web, and there's just no excuse whatsoever for loading down a portable (read: easily stolen) computer system with vast quantities of confidential data. In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.

Re:I got records from @home from an ebay purchase (2, Insightful)

Guido von Guido (548827) | more than 6 years ago | (#24759867)

In fact, that really ought to be a law with few exceptions: customer and personal data must be stored on a server that is both physically and electronically protected. Period.

Servers get decommissioned, too. All that protection isn't going to help if they screw up and leave unencrypted data on their drives. Decommissioned hardware may certainly get used again, depending on how it was disposed of. I'm aware of one company that disposes of hardware--they recycle some parts and sell others. (I believe they require their customers to scrub the data before they throw it out.)

For instance, I have a customer in an industry where that would be bad (which doesn't narrow things down, I admit). I was helping them with some server consolidation, and they wanted some recommendations on wiping the disks. I suggested physically destroying the disks. They didn't like that--apparently the disks (and everything else) were leased.

Standards for encrypting the data and for data disposal might help.

Re:I got records from @home from an ebay purchase (1)

zappepcs (820751) | more than 6 years ago | (#24759941)

Destroying the data should be a simple as encrypting the harddrives with a 100 characters of randomnes followed by a reformat and a shutdown.

Yes, if someone was truly interested, it's possible they could recover it but it is rather unlikely. Most of the data breaches appear to happen by accident, where encryption would have kept the data safe.

So,

1 - erase the data
2 - encrypt the drive with a near impossible key
3 - reformat
4 - no profit for next owner

Re:I got records from @home from an ebay purchase (0)

Anonymous Coward | more than 6 years ago | (#24760097)

Can't you make a low level program that sets all of the bits/bytes on the drive to 0 or 1?(255 for bytes) If there is no magnetic residue, then that would be the simplest way.

Re:I got records from @home from an ebay purchase (4, Informative)

zappepcs (820751) | more than 6 years ago | (#24760277)

Yes, you could do that, but I think that erasure and encrypting the whole drive will also accomplish this. I believe that there is still a possibility of recovering the data even if wiped over several times. You can find lots of information about this on 'the Google' if you like. Here is a link to a zdnet blog about it: http://blogs.zdnet.com/storage/?p=129 [zdnet.com]

If you can simply smelt the drives, that is complete destruction. Anything else depends on the level of 'it's not there anymore' you need. Far too many people don't care or believe their data can be used from an old disk. They also don't understand that a format will not necessarily overwrite anything on the drive. sigh.

Encrypting the whole drive will scramble the bits fairly well. Follow up with low level formatting and it should be difficult enough to recover anything from the drive without the encryption password, never mind that the file system has been rewritten.

Re:I got records from @home from an ebay purchase (2, Interesting)

XanC (644172) | more than 6 years ago | (#24760619)

Why would you encrypt when you could just write randomness?

10 write zeros.
20 write randomness.
30 GOTO 10 (as many times as you like)

Re:I got records from @home from an ebay purchase (1, Informative)

Anonymous Coward | more than 6 years ago | (#24761017)

DBAN [dban.org]

Re:I got records from @home from an ebay purchase (0)

Anonymous Coward | more than 6 years ago | (#24761633)

If you can simply smelt the drives, that is complete destruction.

There's an easier, quicker way. Put a hole in the top of the drive and pour in an acid like ferric chloride. The first thing that happens is the magnetic film on the platters dissolves.

The acid's reaction is exothermic (releases heat), and that heat speeds up the reaction further. It can be dangerous ~ the first time I did this it melted all the plastic parts on the outside of the drive, not to mention smoking and boiling out.

That was a magical afternoon. BTW, don't inhale the fumes.

Re:I got records from @home from an ebay purchase (0)

Anonymous Coward | more than 6 years ago | (#24761231)

I bought a computer (by th' pound) that turned out to be the old web/mail server for a companyâ¦Âverified it on the wayback machine that i had it as it was when it was yanked off the web.. i had some contacts at another branch of the co, and they weren't interested in it back. Always keep a copy of http://www.dban.org/ [dban.org] around before anything goes out the door..

paid $140 for a computer on eBay (4, Funny)

flaming error (1041742) | more than 6 years ago | (#24759199)

Somebody should have set a much higher reserve price.

Re:paid $140 for a computer on eBay (1)

zonky (1153039) | more than 6 years ago | (#24759301)

Re:paid $140 for a computer on eBay (1)

z0idberg (888892) | more than 6 years ago | (#24759633)

How the FUCK do these two articles have such different figures?

£35 and £77.

They are both UK so cant be a conversion thing. Or maybe the telegraph got it from a US source which had converted to dollars then just called it pounds? Did one not know the amount so they just guessed? What is up with journalism these days?

Re:paid $140 for a computer on eBay (1)

zonky (1153039) | more than 6 years ago | (#24759681)

I'm guessing given the volume of sites which say 35gbp, that was converted to 77USD, which was mis-reported by the BBC as 77GBP, and was converted by /. to $140.

Re:paid $140 for a computer on eBay (1, Funny)

Anonymous Coward | more than 6 years ago | (#24759929)

Wow, so he paid 280gbp for this after all?!

Re:paid $140 for a computer on eBay (3, Funny)

smoker2 (750216) | more than 6 years ago | (#24759689)

£77 is how much it cost including ebay fees and paypal !

Re:paid $140 for a computer on eBay (0)

chubs730 (1095151) | more than 6 years ago | (#24760551)

Nobody knows how much the dollar is actually worth, so to Europeans 70 us dollars vs 140 isn't that big of a difference.

The felonious felons and ther fannies (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24759207)

Are fun for the polus odf ceromulescent gnachsis friend? wHEN THE DOORS OF CHADKRE SMOLT DRAFT GREWTH, smake the snelth of dog dog dog.

Re:The felonious felons and ther fannies (0, Troll)

Anonymous Coward | more than 6 years ago | (#24759249)

I see we have some users from Scotland among us...

Wait... what!? (1)

srjh (1316705) | more than 6 years ago | (#24759245)

Once again I am reminded of the boundlessness of human stupidity.

Selling a computer with sensitive information on it without destroying said information is understandable, if seriously negligent and worthy of termination (the employment kind, not the Schwarzenegger kind, although it's a close call).

But selling the backups of that sensitive information with the computer? Who the hell thought that would be a bright idea?

Re:Wait... what!? (2, Insightful)

DarthJohn (1160097) | more than 6 years ago | (#24759321)

The thief who stole it?

Re:Wait... what!? (2, Insightful)

YrWrstNtmr (564987) | more than 6 years ago | (#24759399)

Once again I am reminded of the boundlessness of human stupidity.

2 or more departments in the chain, that don't talk to each other.

IT, who removes it from the desk or floor. They are 'supposed' to wipe it. They don't, for whatever reason.
Disposal dept, gets a stack of random PC's to dispose of. "IT", according to policy, was supposed to have sanitized them, so Disposal never powers them up to check (doesn't have the time or resources).
Result - PC with sensitive CD still in the drive gets sold.

Re:Wait... what!? (4, Insightful)

Zaiff Urgulbunger (591514) | more than 6 years ago | (#24759849)

You might not have seen the video clip with the article [I don't know if it's visible outside the UK] but the guy said he bought two servers, one booted and had been wiped, the other didn't boot. It didn't boot because it was missing it's ram (or the chip was unseated), so anyway, he sorted that out, booted it up and found the data.

Soooo... one wonders if the machine didn't get wiped simply because the various techs could boot it and decided it was too much effort to move the drives to another machine?

Re:Wait... what!? (2, Interesting)

bernywork (57298) | more than 6 years ago | (#24760141)

If the machine came in contact with this data, why the drives were even sold is beyond me. The drives should have been removed and run through a shredder / grinder.

Any machine that contained data or could have contained such as this should have been through a more... robust... decomissioning process.

Trust but verify (1)

symbolset (646467) | more than 6 years ago | (#24760371)

This is nothing less than bad management.

It should be understood by all involved in the disposal of surplus that a random few samples will be removed from the pallets at the last minute and tested for thorough data shredding outside of their organizational group, and this testing will complete before the surplus is released. It's very important that this testing actually be done. It's more important that this testing is believed to be done. The people responsible for doing the wiping should be trusted members of the team, but information is cash. You audit the cash, don't you?

The correct policy is that if wiping is required and for whatever reason (machine failure, drive failure) the wiping cannot complete successfully, then the platters must be thoroughly physically destroyed by smelting, sandblasting or other certain method. Everyone should understand that indefinite storage is preferable to giving proper wiping a kiss and a promise.

I'm also a big fan of full disk encryption for machines that are expected to handle sensitive data and all notebooks. It's a 1% performance hit. You can afford paying extra for the faster machine for the confidence that there was never any unencrypted sensitive data on the disk to begin with. If you're not using FDE on laptops at this point, you're crazy. No employee has no data on his laptop that is in some way useful or profitable to a thief except maybe junior vice presidents.

So if this happened on your watch, you've failed as a manager. This applies for several levels up from the person actually responsible for wiping the drives.

it's all an equation (2, Insightful)

ILuvRamen (1026668) | more than 6 years ago | (#24759247)

If you're dumb enough to make a backup CD and then save the ISO onto the hard drive just in case the hard drive crashes, you're dumb enough to sell it on ebay without wiping it. I suppose this could have been some sort of backup storage server and not the computer that actually contained the data to be backed up but for that price it's a little unlikely.

Re:it's all an equation (4, Insightful)

BLAG-blast (302533) | more than 6 years ago | (#24759341)

Dummy says dummy...

They made an ISO, made 3 CDs of each ISO (one for the filing cabinet, one for off site back up, one for the on site safe), then didn't both deleting the ISOs...

It's dumb, but not as dumb as your ideas.

Re:it's all an equation (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24759715)

then didn't both deleting the ISOs...

It's dumb, but not as dumb as your ideas.

ENGLISH, MOTHERFUCKER, DO YOU SPEAK IT!

Hypocritical moron.

Why this is funny (1)

symbolset (646467) | more than 6 years ago | (#24759869)

A deleted file including an ISO can live on the hard drive forever in recoverable or partially recoverable form. Criminals routinely buy PCs from surplus and then re-sell the uninteresting ones in hopes of garnering some profit from deleted data - in many cases turning a profit just on the turnaround process. Security researchers do it also, to gain fame and credibility from pointing the finger of shame which leads to step 3: consulting profit! A PC that's been "quick formatted" and then had an OS installed on it still has considerable valuable data on the "blanked" space - and on the disk the valuable user data almost always occupies the same space on the disk in the space that would still be blank after an OS install, it would be easy to find. The correct course for personal data is some low level drive wiping program like DODWipe (a commercial application) or Darik's Boot and Nuke DBAN [dban.org] (free). These programs overwrite every byte on the disk they can access, but cannot overwrite blocks "marked bad" by the hard drive itself - which is a much lower risk because those blocks are almost never readable anyway. Just using the software is no panacea either. It has to be used correctly.

For a drive that may have had a credit application, job application or similar data on it (even just one) the risk is too great to take chances with. So:

  1. It had better have had full disk encryption first. This is not the '70s. and !
  2. Smelting, chipping, sandblasting, drilling or bending platters are preferable to wiping. Drilling and bending are not recommended as data can still be recovered with enough investment. The cost of fully audited destruction is negligible compared to the benefit.

Just handle that data as if it were a level 4 biohazard that would wipe out your company if it were released, and you'll have the general idea. Wiping before chipping or smelting, though, is just paranoid and should be left to the TLA and tinfoil hat types, and swiss banks where disclosure of data is a capital offense.

It's dumb, but not as dumb as your ideas.

Are you seeing the irony here yet?

Re:Why this is funny (1)

dullnev (999335) | more than 6 years ago | (#24760337)

Wiping before chipping or smelting, though, is just paranoid and should be left to the TLA and tinfoil hat types, and swiss banks where disclosure of data is a capital offense.

Except if the drives go missing in transit to the smelter.

Re:Why this is funny (1)

symbolset (646467) | more than 6 years ago | (#24760475)

The professional houses as part of the auditing process set up the smelter in your parking lot and give video all the way to the melted product. Very hard to fake in real time, but it can be done. If you care that much, you're probably one of the aforementioned exceptions.

Re:Why this is funny (1)

tftp (111690) | more than 6 years ago | (#24760979)

Very hard to fake in real time, but it can be done.

IANAP (I am not a prestidigitator [wikipedia.org] ) but I saw many on TV. It would be possible to take an HDD, show it to witnesses and then drop a different HDD into the smelter. Notebook drives are particularly easy to substitute.

This can be defeated only by the customer personally dropping the HDD into the machine, and the machine has to be inspected before and after the process, including checking the weight of the scrap. This presumes that the machine is sufficiently simple to verify.

If I were the customer concerned about my secret data, I'd put the drives under a hydraulic press first, then I'd roll the resulting foil up and give to the operator of a smelter.

Re:Why this is funny (1)

symbolset (646467) | more than 6 years ago | (#24761779)

If I were the customer concerned about my secret data, I'd put the drives under a hydraulic press first, then I'd roll the resulting foil up and give to the operator of a smelter.

If I were that concerned, my data never would have hit the drive in an unencrypted format anyway. And then I'd smelt the platters myself. But then that's my normal MO anyway, so nobody would notice this info was special. Thank God I don't deal with sensitive data because I'd have to come up with a method that was more secure.

And we wore an onion on our belt, which was the fashion of the day.

Oops. Sorry. (1)

symbolset (646467) | more than 6 years ago | (#24759317)

Should I have not done that?

Re:Oops. Sorry. (1)

pak9rabid (1011935) | more than 6 years ago | (#24760329)

I'm going to have to plead ignorance here...nobody told me that this sort of thing was frowned upon.

Hand it back? (5, Interesting)

Mishotaki (957104) | more than 6 years ago | (#24759329)

So in the article, they say that they expect him to hand "it" back.. does that means that the poor guy who paid 77£ to give back the computer for free?

Personally i'd charge a hefty sum to make them get back that computer, just to make them remember that he paid and he was nice enough to tell them.

Re:Hand it back? (3, Interesting)

timmarhy (659436) | more than 6 years ago | (#24759539)

i'd charge the pricks a consulting fee for my time. a few grand should cover it. i certainly wouldn't be handing back what is entirely his property, since he purchased it fair and square they have no recourse.

mind you in his day and age i wouldn't be suprised if he ends up in jail for his honesty, if it was me i wouldn't be saying anything. if i was a more desperate man i might even have sold those details online for a princely sum....

Re:Hand it back? (5, Insightful)

MichaelSmith (789609) | more than 6 years ago | (#24759635)

i'd charge the pricks a consulting fee for my time. a few grand should cover it. i certainly wouldn't be handing back what is entirely his property, since he purchased it fair and square they have no recourse.

Do that and you go straight to jail, don't pass go, don't collect $200. Your consulting fee will be seen as extortion.

Re:Hand it back? (4, Insightful)

timmarhy (659436) | more than 6 years ago | (#24760159)

it's my property, how can i extort someone when they WANT to purchase something i own? by that logic every service fee ever paid on new car sales is extortion.

now if i went to them and said "pay me or i'll tell the media what retards your IT security guys are" that's extortion. but since it's already all over the news sites it's not possible to call it extortion.

it's also pretty damn cheeky (and just the thing i'd expect from a bank) to expect him to just hand back his purchase.

this would in fact be an interesting case to test in court as to who owns data when you purchase a pc. no doubt IP lawyers would be foaming at the mouth saying your buying hardware not software (that might shoot some of their, but then this isn't software but plain data which they didn't license so he'd have a reasonable expectation that it came with the sale.

Re:Hand it back? (0, Troll)

Anonymous Coward | more than 6 years ago | (#24761057)

If it's a stolen computer he doesn't own it anyway. "Hot" items can't legally be purchased.

Re:Hand it back? (1)

RealGrouchy (943109) | more than 6 years ago | (#24760385)

Is the necessarily stolen property just because some data on it was stolen? (Assuming it was stolen and not just incompetence on the part of the bank or a contractor)

- RG>

Re:Hand it back? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24760511)

Extortion for what? He bought the system and all of the items with it legally. By most laws, that data is physically located on his property, and is legally his to do with what he wants. The inadvertent sale is not his fault; it's pretty much akin (I would think; IANAL) to being sold a house with $25,000 in the attic.

Which oddly, friends of mine had happen... and they reported and turned it over to the police. If the money has no illegal connections attached to it, it's theirs.

Re:Hand it back? (2, Insightful)

Schnoodledorfer (1223854) | more than 6 years ago | (#24761095)

Extortion for what? He bought the system and all of the items with it legally. By most laws, that data is physically located on his property, and is legally his to do with what he wants. The inadvertent sale is not his fault; it's pretty much akin (I would think; IANAL) to being sold a house with $25,000 in the attic.

IANAL, and I'm on the wrong side of the Atlantic, but TFA mentioned a Data Protection Act. Aspects of it may well apply to anyone in possession of the data. It may well have be stolen property, too. The article gives no indication one way or another, nor did it identify the seller. It could be that no one wants to make an accusation until facts are known.

There is actually very little to go on from that article. The reporter seemed to know little more than that some spokesmen, who didn't seem to known much themselves, had said some PR-type stuff. The reporter even managed this gem:

The Information Commissioner's Office said an investigation would be launched as soon as Mr Chapman had handed the computer in to them.

A spokeswoman said: "We are now investigating this potential data breach...

Beyond the timing, who does "them" refer to? Graphic Data or the Information Commissioner's Office? The article certainly wasn't clear about that, either.

Re:Hand it back? (0)

Anonymous Coward | more than 6 years ago | (#24760783)

> since he purchased it fair and square t
What if a tech sneaked it out the back door to make a few bucks on the side? Wouldn't that be stolen property? (Just using my imagination)

Re:Hand it back? (2, Insightful)

carlzum (832868) | more than 6 years ago | (#24760015)

I was going to say the same thing. You'd think he would get a premium to encourage people to come forward in the future. If people are worried they'll be under suspicion or have their equipment taken away, why would they do the right thing? The honest ones will trash the data. If other systems were sold off in the lot it may be discovered too late.

Re:Hand it back? (0)

Anonymous Coward | more than 6 years ago | (#24760033)

Just ask them to send someone over the replace the hard disk for him.

No extortion -- and if they get the "hint" , they will just buy him a new computer to get the problem under the carpet pronto.

Re:Hand it back? (1)

goopie (547816) | more than 6 years ago | (#24760603)

According to the article it was an eBay spokesperson who stated that it was expected he hand the computer back.

The company that was to be archiving the data for the back is claiming that the computer was `inappropriately sold on via a third party`. It could be that the stance that eBay is taking is that it was stolen property.

I'm not sure what the laws in the UK are regarding receiving stolen goods.

Of course, I don't actually believe the item was stolen. I think it is far more likely to be a clerical error.

If it was my division that was responsible for this kind of screw-up, I'd offer the guy a a finders fee (something in the neighbourhood of a grand or so). Make it worth his while, and the resulting PR would also encourage others who stumble across `wayward` bank property to turn it in for a reward.

outbid (1)

tandiond (1134803) | more than 6 years ago | (#24759395)

Oh, crap.. i was outbid by £10. If only i knew the content..

Re:outbid (3, Insightful)

MichaelSmith (789609) | more than 6 years ago | (#24759647)

Oh, crap.. i was outbid by £10. If only i knew the content..

Why? He is going to lose the system and runs the risk of being locked up as a thief. I would say you doged a bullet (unless you are joking).

Re:outbid (2, Funny)

lz2pt (1210056) | more than 6 years ago | (#24760767)

Ach, don't worry..
In a couple of weeks, as the economy slips further into the blessed state of Titzup, you'll be able to purchase the bank itself on Ebay c/w whatever assets the FatCats have left it with for a fraction of what he paid for this server alone..

Taking bets! (4, Insightful)

RyoShin (610051) | more than 6 years ago | (#24759401)

How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.

Also, the summary leaves out something that might affect those of us on the other side of the pond:

A spokeswoman for the third company reported to be involved, American Express, said it took the security of its card members' data "extremely seriously".

Bold mine. I know they have different branches for countries and such, but I wonder if any of this data crossed international bounds.

Re:Taking bets! (1)

ScrewMaster (602015) | more than 6 years ago | (#24759619)

How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.

I dunno ... it would be seriously bad PR to do that now that the story is all over the place. You can get away with screwing somebody like that if they report it to you privately: call in the gendarmes and have the Good Samaritan hauled off to the slammer. That happens more often than you might think (too many CIO/admin types that like to shift blame from themselves, and too many overzealous cops that take the easy way out.)

Goodwill (4, Interesting)

gnu-sucks (561404) | more than 6 years ago | (#24759547)

I bought a sun box at goodwill once and besides an intact customer database for several large companies, it also had the admin's personal backup files, including his "My Documents" folder, his Palm cell phone, and 1200 dpi scans of his passport. Oh, and some file called "passwords.doc". No idea what is in there...

More details here:
http://lfnet.net/blog/?p=41 [lfnet.net]

But yeah... wipe it before you get rid of it.

Re:Goodwill (2, Insightful)

Ghworg (177484) | more than 6 years ago | (#24759627)

Never mind wiping it, this stuff should never be stored unencrypted in the first place.

Re:Goodwill (0)

Anonymous Coward | more than 6 years ago | (#24759997)

it also had the admin's personal backup files

I wonder how many of these are related to "high security" firings and lay-offs? After the individual or department is escorted directly out the door, who takes care of their machines? Especially in downsizing. The PHB and rentacops don't know what to do with it, and the remaining staff have their own computers & work to do on them.

The orphaned box will be tagged to be 'looked at', but anyone with the clearance and knowledge to deal with it won't have the time or billable mandate.

Probably the PHB has a "contactor" (janitor, or a nephew) remove it to free up space so he can mark it as 'job done'.

Come to think of it a publisher I dealt with went bust by locking the doors on payday. Given the utter chaos of sorting contracts & records in the ensuing liquidation, I don't doubt at all that their machines were never sanitized before being auctioned.

Re:Goodwill (1)

Tubal-Cain (1289912) | more than 6 years ago | (#24760151)

B-B-but the passwords.doc file at my work is password-protected!

Re:Goodwill (0)

Anonymous Coward | more than 6 years ago | (#24760579)

I bought a sun box at goodwill once

Sweet and sour Jesus! Where on earth do you live, behind Scott McNealy's house?

Bugger.... (4, Funny)

s0litaire (1205168) | more than 6 years ago | (#24759599)

I was just going to pick up a cheep 1U server for a Mod Project! Now i've no chance! Everyone will be buying up every server hoping for Disks full of Banking details now!! :(:(

Anonymous Coward (0)

Anonymous Coward | more than 6 years ago | (#24759653)

"Wiping" it is not sufficient.

Do not sell/give systems with storage drives.

Shred them.

Missing VA laptops (1)

ilovesymbian (1341639) | more than 6 years ago | (#24759721)

Maybe we can find the missing Virginia laptops on ebay too!

Its stupid, but understandable (2, Interesting)

PPH (736903) | more than 6 years ago | (#24759909)

Its tough to sell a machine with no O/S on it. Most buyers will take one look at the retail price of XP (for example) and subtract that from their eBay bid. Most sellers are unwilling to risk a complete disk scrub and reinstall. Even if they are, its doubtful that they still have (or ever had) media to do an install on a clean system. The most that the non-tech savvy will attempt is to drag the contents of 'My Documents' to the trash can icon.

This is an opportunity for a Linux distro. Include an easy-to-use boot/nuke/install mode and offer them to people who put systems up for sale on various web sites.

fri5t 4sot? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24760027)

parties, but here you. The tirelees troubles of Walnut Questions, then

Interesting (1)

Nate75Sanders (743234) | more than 6 years ago | (#24760047)

That's the bank where Pokerstars keeps their money.

Re:Interesting (1)

Zwicky (702757) | more than 6 years ago | (#24760883)

Not anymore.

To be honest this kind of thing worries me. You would think that the IT dept would grok the importance of a proper decommissioning procedure and securing items against theft (security, regular auditing and so on) but this is still too much to ask.

Every time I read a story like this it concerns me that I cannot be absolutely sure that my details haven't fallen into the wrong hands.

There need to be harsher penalties. It is highly unfortunate that RBS will be planning damage limitation as we speak and will succeed in sweeping this news under the carpet without making a single change to their procedures because just like it is "easier to ask forgiveness than it is to get permission" it appears to be "cheaper to pay the PR dept than it is to implement proper security policies".

fuck you, buyer, fuck you (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#24760063)

You could have wiped the data and kept things quiet. You could have walked into a local branch and asked to speak to the manager, carrying the drive.

But no. You chose to help ruin the second hand market for machines by going public. It's bad enough that we have WEEE regulations meaning now "give them to hobbyists" is more convoluted, and crappier solder meaning equipment won't last the 20 years it used to anyway (yes, that's right, people under 30, SOME equipment does actually remain useful for that long).

You know what'll happen now? They'll just implement the more secure practices of UBS etc and crush whole machines, when in fact all they would have to do is destroy the drives at worst.

I've had machines ranging from Pfizer and Racal (military electronics) land in my hands with unwiped drives with confidential data, though not through public channels, and I was trusted to "remove everything on the drive" - god knows why the admins didn't wipe the drives on decommission, but there you go. In the Pfizer case, it was as simple as management telling employees "we're getting rid of everything *there* - feel free to take it home", and then an employee totally unrelated to IT passing to me.

But I wasn't enough of a fuck to go to the media about the huge mistake.

Re:fuck you, buyer, fuck you (2, Insightful)

timmarhy (659436) | more than 6 years ago | (#24760239)

"You could have walked into a local branch and asked to speak to the manager, carrying the drive"

thats a really really stupid idea. he'd have been thrown in the slammr for sure. he only had 2 options. stay quiet and tell no one at all, or go full blown public screaming from the hill tops so that there was too much public attention to risk making him disappear.

Re:fuck you, buyer, fuck you (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24760721)

I know in the Slashdot world of spooks and big evil government everyone's out to get you and you have to play the paranoid schizophrenic... back in the real world you don't get disappeared for doing the large scale equivalent of handing in a wallet that you've bought from a guy down the pub and found to have someone else's credit cards in it.

Really, go out a bit in the world and relax - your bank manager is a human, maybe you even know them fairly well, and definitely they'll be happy with you for reporting it: the best possible outcome is a bonus for them, and that means more love for you. The worst is that he doesn't believe your story, which is fairly easy to defend to him, his boss, the police or a court given that you have evidence that you just bought the machine on eBay and you've walked right into the bank with the offending kit.

(Now if the documents were national security then you might want to do as this man has done. But you're fairly misguided if you think a high street bank has the power to intern you.)

Re:fuck you, buyer, fuck you (2, Insightful)

bds1986 (1268378) | more than 6 years ago | (#24761591)

Sorry, but I think my need to have companies deeply afraid of losing my confidential information outweighs your need to have cheap second hand hardware for hobby purposes. If the morons have to crush entire machines to get it right, go ahead and crush them.

Apparently the buyer met the Federal Reserve price (1)

xmark (177899) | more than 6 years ago | (#24760073)

bada-boom

[ducks]

Sometimes its better to just shut up (0)

Anonymous Coward | more than 6 years ago | (#24760631)

I would have reformatted the drive and kept quiet about it, rather than get myself involved. Of course, I'm an American, and I'm terrified of my own government right now, certain that I'd somehow get tarred and feathered for being the one who spoke up.

Re:Sometimes its better to just shut up (2, Funny)

smashin234 (555465) | more than 6 years ago | (#24760835)

The CIA is already on their way, your tarring and feathering shall commence very soon. It took them only 2 more seconds to find you since you posted as AC.

Put that tin foil hat on ASAP

DBAN (2, Informative)

GodfatherofSoul (174979) | more than 6 years ago | (#24761207)

Learn it, know it [dban.org] . A very simple utility for wiping drives that you can run as a boot disk.

Maxtor refurb with previous owner data (1)

destiny71 (731278) | more than 6 years ago | (#24761211)

When I worked for a computer repair shop many years ago, we had a customer bring in a PC with a dead hard drive. It was a Maxtor, and we didn't sell that brand in store, so all we could do was handle the online RMA in their name.

After getting a 'new' sealed replacement drive, I plugged it into the machine and booted it. I forgot to put in the Windows boot CD to run the install. Upon looking back at the screen, the PC was booting into Win2K!! Letting it continue, and checking around, I found that the harddrive belonged to a Ford dealership. It had all sorts of sales and customer information in it.

I called Maxtor and explained the situation, more upset about receiving a used drive as a replacement. They informed me that it's standard practice to issue refurb drives for warranty replacement. And, it's common to receive 'failed' drives as warranty returns that have nothing wrong with them. They just wipe them, and send them back out as refurb. I got one of those drives. She told me there was nothing they would do, unless I wanted to do another RMA, and pay shipping to return the drive.

Not just computers (1)

SMS_Design (879582) | more than 6 years ago | (#24761709)

I found a stack of customer record printouts with names, numbers, addresses, financial info, and SSNs in a house I bought just this year.

..I also found the former owner's hidden pot grow equipment.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?