I’ve been doing a lot of work with data retention and disposal policies and procedures lately, remembering the silly things I have read about with regard to organizations getting rid of their computers, such as selling their computers on eBay when they no longer need them…without removing the information! This is certainly not a phenomenon that is confined to the U.S.
Lo and behold, another situation has happened where an organization sold their old computer on eBay…for a bargain at £77 ($141), and it contained a a huge amount of personally identifiable information (PII), including credit card applications, on what is reported to be as many as over 1 million customers. Here are a few excerpts from the report in Forbes…
“The Royal Bank of Scotland acknowledged that a machine belonging to archiving company Graphic Data and sold “inappropriately to a third party” had information on credit card applications from some RBS customers and data from other banks. The computer contained account numbers, passwords, mobile telephone numbers and signatures.”
“A former employee from Graphic Data sold a computer server used by the company on eBay without wiping the internal hard drive, said Nicole Morgan, a spokeswoman for MailSource UK, which now owns Graphic Data.
.
.
.
The buyer, Andrew Chapman, said he found the data when he looked at the machine’s hard disk. “I was appalled when I found the bank account information. That sort of thing shouldn’t have been listed on there,” he said. “It would have been possibly quite easy to find if you know something about computers.”
.
.
.
The security breach became known when Chapman found the information and contacted authorities.”
.
.
.
“The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed” she said. “This incident is extremely regrettable and we’re taking every possible step to retrieve the data and ensure this is an isolated incident.”
There are so many things that appear could be wrong, missing and vulnerable in this situation. Just a few of the possibilities…
- The insider threat; an employee (ex now) taking it upon his or herself to sell an old laptop
- Possibly no policies for data disposal, laptop security, PII controls, computer retirement, and so many other possibilities
- The lack of controls within a vendor/contractor; looks as though the Royal Bank of Scotland (RBS) outsourced work to Graphic Data, who caused the incident
- Lack of data inventory and data tracking; RBS and Graphic Data would never have known the data was on the sold computer unless the buyer had contacted them! Just think of all the malicious things the buyer could have done with the PII of over 1 million people!
Tags: awareness and training, data disposal, Information Security, insider threat, IT compliance, IT training, laptop incident, outsourcing risks, PII, policies and procedures, privacy incident, privacy training, risk management, security training, vendor risks