HSBC: Data Loss of a Server

In May 2008 HSBC “lost” a server, an entire server, from its Kwun Tong office in Hong Kong. There were 159,000 customer records on the server. HSBC insisted that the chances of the data being misused were small because numerous “security” arrangements prevented access; however, all of those controls only apply to somebody trying to log on to the server. If somebody reads the data directly from the disks, that logon security normally counts for nothing.

This incident follows on from an incident in June 2006 when HSBC staff at an Indian call center stole data and used it to commit fraud. Later in 2008 HSBC lost CDs with 37,000 customer details on them. In 2005 180,000 HSBC customers' credit card details were exposed, and some of their accounts accessed.

Article

Councils Warned over RIPA Powers

Following the numerous instances of councils in the UK using their RIPA powers to put people under surveillance for petty offences, everything from dog fouling to school attendance, the councils have finally been warned over their behaviour.

Local Government Association chairman Sir Simon Milton has written to councils warning that overzealous use of the powers could alienate the public.

He stated that:

“Parliament clearly intended that councils should use the new powers, and generally they are being used to respond to residents’ complaints about fly tippers, rogue traders and those defrauding the council tax or housing benefit system”

He warned that councils overusing their powers could alienate themselves from the public.


Data Loss: MoD

In January 2008 the Ministry of Defence admitted that a laptop had been stolen.

The laptop, which, like so many other cases of data loss, was not encrypted, contained the personal records of over 600,000 defence staff.

Following an investigation into this data loss the MoD found that two other laptops had been stolen, neither of which was encrypted. As a result the head of the Civil Service has told Whitehall staff not to remove laptops with sensitive data from their offices. If there is no need to remove laptops from the office, and they contain sensitive information, why is the data even on laptops? Why are these staff issued laptops that are not supposed to be taken out of the building? Why not issue the staff with desktops which are secured to the desk/floor, in a secure MoD building? Even better, why is encryption not used as standard?

This data loss followed on from numerous other instances of data loss, including the NHS data loss and the now infamous case of the HMRC losing data (the HMRC data loss, which was subsequently slated in numerous reports). All of these data breaches were avoidable by basic common sense. Despite this, the MoD theft of a laptop still occurred, the government have still not learnt their lesson, and there have been two more cases of data loss due to a lack of encryption: the first is the loss of a “terror file”, the second is the loss of another laptop.

In June 2008 a report into the MoD laptop theft by Sir Edmund Burton found that the loss was due to a variety of issues, but mainly failures within the MoD. The report blamed the “rapid and often uninhibited exchange of information”, and the fact that the MoD has lost its “cold war” mentality towards security. The full MoD report by Sir Edmund Burton is available for download.

Articles:

ZDNet

BBC

Citi Bank: Data Theft

In 2005 Indian Call Center staff were involved in a fraud, through the misuse and theft of personal data.

The call center staff at MphasiS in Bangalore, India, used the details of CitiBank customers to access their accounts and steal money. The fraud was used to steal over $400,00 (U.S.), though $20,000 was used to recover the information later on.

In 2008 HSBC customers suffered a similar loss from data misuse by staff in another Indian call center.

Article:

Technews World

HSBC: Data Misuse

In 2006 HSBC suffered data theft from an Indian call center.

Staff in one of the HSBC Indian call centers were involved in stealing clients' details and then accessing the accounts to take over £230,000.

The HSBC office in Bangalore, HSBC Electronic Data Processing India (HDPI), reported the misuse of data to the Bangalore Cyber Crime Police on Tuesday 24th June 2006. Following an investigation it was discovered that Mr Nadeem Kashmiri had accessed customers’ accounts and changed their personal information, security information and debit card information. Once this information had been changed, one of his accomplices called HSBC and impersonated the customers. The accomplice was able to clear the security questions with the new information, and once the security questions were cleared the accomplice was able to conduct a fraudulent transaction.

The fraud was only noticed when 20-odd customers complained to the bank that monies from their account were transferred without their knowledge between March and May 2006.

Mr Nadeem Kashmiri broke the Indian laws under sections 66 and 72 of the I-T Act and 408, 468 and 420 of the IPC.

Articles include Hindu Business Line and iTWire.

Later, in 2008, HSBC suffered a data loss when they lost customer data in the post; also in 2008 they lost an entire server. In 2005 180,000 HSBC customers' credit card details were exposed, and some of their accounts accessed.

Previously on this site the questions “would and could the data guardians misuse the data they handle?” have been asked. This incident provides a perfect example of the problems:

There is a large amount of personal data that can be accessed by people on low pay with little or no career prospects. There will therefore be temptation, motive and opportunity, because there are no effective systems to stop this occurring. Access to banking details is one thing, but access to DNA, medical records, CCTV footage, and national tracking systems is something else entirely, and there is less security on the latter than the former.

Other instances of misuse of data include police officers who have misused their access to data for a variety of reasons, including: to harass a woman, to stalk another man, and a police officer who used data within a family matter.

MoJ Data Loss – Four CDs

In January 2008 it was reported that the Ministry of Justice lost 4 CDs containing court records, witness and case details, and a variety of other sensitive information.

Like many other cases, this was unencrypted data sent in the post.

Article

HSBC Data Loss 37,000 Records

In April 2008 HSBC reported that it had lost a CD containing the records of 37,000 customers. In this case the records did not contain financial information, rather information relating to insurance, e.g. whether a person smokes or not. The data was password protected, but not actually encrypted, which means that the data could have been accessed relatively easily.

The fact that HSBC has policies that allow the use of an ineffective security program is staggering. Why would HSBC invest in a CD security tool that does not actually encrypt? Surely it would cost a few pence more to get an encryption tool that actually works? No critical data was lost on this occasion, but that appears to be more luck than judgment.
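As an added illustration (not code from the original post or from HSBC), the following Python shows the distinction the post draws between a “password protected” disc and an encrypted one, and why the same point applied to the lost server above: a password check that lives in the viewing program does nothing for somebody who reads the disc or the disks directly. The sample records, function names and file layout are constructed for this example; the encryption is built from the standard library only (PBKDF2 key derivation, an HMAC-SHA256 keystream and an HMAC tag, encrypt-then-MAC) as a stand-in for a vetted AES-GCM implementation.

```python
# Added example, not from the original post. Constructed sample records and
# hypothetical function names; standard library only.
import hashlib
import hmac
import json
import os

# Constructed sample records (no real customers): insurance-style attributes
# like the "does a person smoke" example in the post.
SAMPLE_RECORDS = [
    {"name": "A. Example", "dob": "1970-01-01", "smoker": True},
    {"name": "B. Example", "dob": "1985-06-30", "smoker": False},
]


# 1. "Password protected": the password gates the *viewer*, not the bytes.
def store_password_protected(records, password: str) -> bytes:
    container = {
        "password_sha256": hashlib.sha256(password.encode()).hexdigest(),
        "records": records,  # written to the disc exactly as given
    }
    return json.dumps(container).encode()


def open_password_protected(blob: bytes, password: str):
    container = json.loads(blob)
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(container["password_sha256"], given):
        raise PermissionError("wrong password")
    return container["records"]


# 2. Encrypted: the password derives the keys; the bytes on the disc carry
#    nothing without it, and any alteration of the file is detected.
def _derive_keys(password: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256(nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def store_encrypted(records, password: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(records).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC
    return body + tag


def open_encrypted(blob: bytes, password: str):
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("wrong password or altered file")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


# 3. The check that matters: what does the raw disc reveal to someone who
#    never runs the viewer at all (strings, grep, hexdump)?
def plaintext_visible(blob: bytes, needle: str) -> bool:
    return needle.encode() in blob


def rejects(opener, blob: bytes, password: str) -> bool:
    """True if the opener refuses this password (or a tampered file)."""
    try:
        opener(blob, password)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    pw = "correct-horse"
    pp = store_password_protected(SAMPLE_RECORDS, pw)
    enc = store_encrypted(SAMPLE_RECORDS, pw)
    print("password-protected disc exposes 'smoker':", plaintext_visible(pp, "smoker"))
    print("encrypted disc exposes 'smoker':", plaintext_visible(enc, "smoker"))
```

The first format is what a “password protected but not encrypted” tool produces: the viewer refuses a wrong password, yet every record is on the disc in clear and can be read with any editor. The second keeps the same user experience but leaves nothing readable, and the authentication tag means a wrong password and an altered file are both refused rather than silently decrypted to garbage.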

This problem is compounded by the fact that this is not the first time HSBC has had data issues. In 2006 HSBC had staff at their Indian call center access client details to steal data, and in May 2008 they lost an entire server. In 2005 180,000 HSBC customers' credit card details were exposed, and some of their accounts accessed.

Full Article

Report into Disc Loss

A report into the loss of 25 million records on CDs by the HMRC, by Kieran Poynter, has been published. While the report does not blame the individual people who are at fault, it does highlight “serious institutional deficiencies” and states that the losses were “entirely avoidable”.

Kieran Poynter’s report blames the loss of the two discs on poor communication between management and junior staff, and low morale at the HMRC’s offices in Washington, Tyne and Wear. Apparently senior officials were not even aware that data was being removed until after the incident.

If the loss was “reckless” then this would be an offence under Section 55 of the Data Protection Act, which since May 2008 has carried increased sentencing powers.

The Independent Police Complaints Commission (IPCC) also conducted an investigation into the disc loss. Their findings were similar to those of the Poynter report and found failings in HMRC. However, the staff at the HMRC were granted immunity prior to the investigation starting.

The IPCC Report states that:

When the IPCC investigation began it was clear that a number of written and signed immunities had been agreed by the Acting Chairman of HMRC, Dave Hartnett CB, and the Director of Public Prosecutions.

Articles on BBC, The Register, Out-Law.

Defence Against Data Theft

The Criminal Justice and Immigration Act 2008 creates a new defence against data breaches/data theft, which is an offence under Section 55 of the Data Protection Act 1998.

The law allows for a defence to be put forward by a journalist, or similar, on the grounds that the reasons for disclosing the information were in the public interest.

Section 78 CJI: New defence for purposes of journalism and other special purposes

In section 55(2) of the Data Protection Act 1998 (c. 29) (defences against offence of unlawfully obtaining etc. personal data) after “it,” at the end of paragraph (c) insert—

(ca) that he acted—

(i) for the special purposes,

(ii) with a view to the publication by any person of any journalistic, literary or artistic material, and

(iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest,.

Increase in sentence for data theft

Under the Criminal Justice and Immigration Act 2008 there are new powers to increase the sentence for anyone found guilty of “data theft”, as defined by Section 55 of the Data Protection Act 1998. To further increase the sentence the Home Secretary (Secretary of State) must consult with the ICO, who have been pushing for this and have welcomed the new law.

The same act also creates a defence, for journalism, for breaches of data privacy/data theft.

77 Power to alter penalty for unlawfully obtaining etc. personal data

(1) The Secretary of State may by order provide for a person who is guilty of an offence under section 55 of the Data Protection Act 1998 (c. 29) (unlawful obtaining etc. of personal data) to be liable—

(a) on summary conviction, to imprisonment for a term not exceeding the specified period or to a fine not exceeding the statutory maximum or to both,

(b) on conviction on indictment, to imprisonment for a term not exceeding the specified period or to a fine or to both.

(2) In subsection (1)(a) and (b) “specified period” means a period provided for by the order but the period must not exceed—

(a) in the case of summary conviction, 12 months (or, in Northern Ireland, 6 months), and

(b) in the case of conviction on indictment, two years.

(3) The Secretary of State must ensure that any specified period for England and Wales which, in the case of summary conviction, exceeds 6 months is to be read as a reference to 6 months so far as it relates to an offence committed before the commencement of section 282(1) of the Criminal Justice Act 2003 (c. 44) (increase in sentencing powers of magistrates’ courts from 6 to 12 months for certain offences triable either way).

(4) Before making an order under this section, the Secretary of State must consult—

(a) the Information Commissioner,

(b) such media organisations as the Secretary of State considers appropriate, and

(c) such other persons as the Secretary of State considers appropriate.

(5) An order under this section may, in particular, amend the Data Protection Act 1998.