Bank of Ireland: Do we look bovered at your data loss?

My prediction: The Data Protection Commissioner will “investigate” and do sweet fanny adams. Which apparently is their job really. The same Data Protection Commissioner that did nothing when Talk Talk harassed people for weeks. They said they did wrong but it was the first time so they let them off. The same Data Protection Commissioner who said there was no data loss when the Blood Transfusion Service lost 170,000 records. See, the records were encrypted so that’s fine. Not like encryption can be broken. If it really was encrypted.

So now we have 10,000 records that contain financial details, medical records, names, addresses. Gold for someone that wants to assume your identity and siphon money from your accounts. Hell, depending on your medical history, they could blackmail you too. But Bank of Ireland says nothing was accessed and nobody was conned, so move along here. Uhm. You only told the public yesterday, how do you know the data wasn’t used for another con?

The spokesman said there was no evidence of any fraudulent or suspicious activity relating to any of the 10,000 customers’ accounts since their records were stolen.

Actually, the DPC were informed but BOI says they’re just wanting to hear how things go, wow, proactive:

The spokesman denied reports that the data protection commissioner and the financial regulator were investigating the bank’s loss of customers’ records.

However, he said that both regulators had asked to be kept informed of the bank’s investigation into the matter.

Update: Seems the DPC is investigating now.

Remember when Clarkson got scammed?

It’s time for Data Breach Notification laws here. We can’t let banks and companies decide whether to tell us or not about these breaches.

4 Responses to “Bank of Ireland: Do we look bovered at your data loss?”

  1. […] Bank of Ireland: Do we look bovered at your data loss?, Damien Mulley. Written by Dave, on April 22, 2008 at 10:43 am […]

  2. Tom Young says:

    We should call for a resignation, like our counterparts in the UK. This is gross negligence on the part of the management at BOI.

    Counts:

    1. Failure to secure personal data;
    2. Failure to have adequate asset tracking in place;
    3. Failure to disclose losses in timely fashion to customers;
    4. Failure to apply correct corporate governance standards in the organisation; and
    5. Failure to display an escalation or management process to highlight what can only be described as a cataclysmic screw up and media nightmare on the part of one of Ireland’s largest financial institutions.

    If they claim no case to answer after the Soden episode, then the nation deserves a skin at the highest level.

    Encryption is a quick win. Seems they were skirting on costs again.

    Tom

  3. James Galvin says:

    The Clarkson scam is very relevant here – he was a victim of his own cockiness, not realising the damage that people can do when they obtain some of your details. Bank of Ireland are doing the exact same – they say the lost details are not being used for anything illegal; how could they possibly know this? All they can be confident about is that none of the 10,000 BoI accounts have been illegally accessed. Are the security/fraud guys at BoI seriously unable to predict some of the potential illegal scams that could result from this data breach, aside from just withdrawing money from the BoI account? The breach in itself is shocking enough, but BoI’s lackadaisical and irresponsible reaction adds insult to injury.

  4. Justin Mason says:

    I blogged about this on taint.org: http://taint.org/2008/04/22/103400a.html

    as I noted there, using stolen identity info is part of Petty Theft 101 nowadays. criminals know how to turn names, addresses, RSI numbers, account info, etc. into credit cards, loans, and what have you — all without any notification to BoI.

    For the bank to assume that they would be able to tell if a customer was victim to identity theft — either bullshit or ignorance.

    I also love the way they raised the installation of “security” products on the laptops, as if a copy of Norton would do any good whatsoever…

    Agreed that we need breach notification in this country.