Bank of Ireland admit to another 21,500 stolen account details

RATM

Just on the 6 o'clock news now. They said it was 10,000 last week, now they've admitted its 31,500, will probably be double that by the end of the week.
Im closing my account down tomorrow, after years of pissing me off Im finally going to get up off my lazy ass and shut it down

Sherifu

AIB customer \o/

Abi

RATM wrote: »

Im closing my account down tomorrow, after years of pissing me off Im finally going to get up off my lazy ass and shut it down

I've already set up camp elsewhere, just need to pay off the last of my over-giraffe and then Im dust.


Farce of a bank. Wtf is it with sh.it goin missing lately?

Wasnt the social welfare hit recently too? Fuggin joke.

kerash

How do they manage to lose all their laptops and sh1t, thats what i wanna know, they shoud be shot.

Rb

Sherifu wrote: »

AIB customer \o/

*high five*


Love how BOI are trying to downplay the whole thing though, firstly admitting that thousands of peoples "sensitive data" (their words, not mine) was stolen and then saying the risk of fraud is minute. Yeah fcking right.

It's a pity because they're a pretty good bank and this is going to do an enormous amount of damage to them.

boardsie08

The data that was stolen - did that only pertain to BOI customers in Dublin, or was it a nationwide thing whereby ALL BOI customers could potentially be affected??

Rb

boardsie08 wrote: »

The data that was stolen - did that only pertain to BOI customers in Dublin, or was it a nationwide thing whereby ALL BOI customers could potentially be affected??

Didn't see it specified on the news, you should ring and ask if you're worried. If they say it'll only affect Dublin customers make sure to get it in writing.

Thrill

I'm thanking my lucky stars that I don't bank with them either. I can see their phones ringing off the hook for the next few days with angry and concerned costumers wanting to know if they were one of those whose details are out there in the hands of God knows who.

jgalvin

boardsie08 wrote: »

The data that was stolen - did that only pertain to BOI customers in Dublin, or was it a nationwide thing whereby ALL BOI customers could potentially be affected??

According to BOI, initially it affected some customers who obtained a quote or took out a life assurance policy at one of these branches:

• Drogheda
• Dunleer
• Bagnelstown
• Court Place Carlow
• Stephens Green
• Tallaght
• Montrose

Now they have admitted that 29 branches have been affected - from RTE:

The new branches identified are Bray, Ardee, Arva, Ashbourne, Athboy, Cavan, Bailieborough, Cootehill, Kingscourt Ballybay, Dunboyne, Carrickmacross and Ballyjamesduff,

Other branches are Oldcastle, Kells, Navan, Trim, Kill O' The Grange, Blackrock, Dún Laoghaire, Talbot Street and Greystones.

It could be much worse, we don't know. And I don't think the AIB guys should be so smug - without no mandatory disclosure laws in Ireland, banks and other institutions are not required by law to publicise breaches like these. Wouldn't surprise me if somebody has a collection of AIB laptops with our details too.

Wertz

boardsie08 wrote: »

The data that was stolen - did that only pertain to BOI customers in Dublin, or was it a nationwide thing whereby ALL BOI customers could potentially be affected??

Well in the initial release of 10,000 account holders, they were spread out round the country and it was apparentl,y only customers of BoI's life assurance products...being a BoI customer for years, I'm weighing up my options about keeping my account with them. I'm paranoid to the point of obsession about ID theft...so when the bank I lodge thousand sto each year can't be arsed to take the precautionary measures that I take as an individual, it doesn't instill confidence.

I'd like to know why they didn't come out with this back when it happened, if not to the customer then at least to the regulators....chances are high that the laptop thefts were petty thieves taking an opportunity and that the data got formatted off the drives....but honestly, who really knows? Where the hell are all these laptops being stolen from, and why are people's details on there in a readable format? I mean you can encrypt things pretty easily these days....but that's not the point. WHY are sensitive deatils even requuired to be on individual employee's laptops, when they could just be stored on a server and accessed as required??

Rb

Wertz wrote: »

WHY are sensitive deatils even requuired to be on individual employee's laptops, when they could just be stored on a server and accessed as required??

Laziness.

Wertz

I'd have to agree. That and possible ineptitude...so much easier to just get someone from IT to put all your homework on the lappy, rather than messing about with VPNs and log ins, in the evening...

I don't like the locations released in the 2nd wave of branches...an awful lot of them around my neck of the woods. Wouldn't be any surprise if Dundalk popped up in that list

Dord

AIB ftw!!

stepbar

rb_ie wrote: »

Laziness.

+1. Costcutting, laziness whatever you want to call it.

I was told that the reason why such information is downloaded the laptops is because "sometimes" the lads from BOI Life have to visit customer's homes and need to access information. I nearly choked with horror. Mobile broadband :rolleyes: Amateurish stuff TBH.

The only plus out of this is that BOI have said that all people affected will be refunded if they're the victim of fraud. And...... I'd hope people involved are compensated as well....

In all the PR exercise has worked a treat LOL As Dunphy said once - "A shambles, an utter shambles".

Toto Wolfcastle

There was some guy on Drivetime on Radio 1 today who, as well as mumbling a whole lot of nothing, said that they did not tell the public initially because they did not want the people who have the information to realise just how sensitive it is.

stepbar

janeybabe wrote: »

There was some guy on Drivetime on Radio 1 today who, as well as mumbling a whole lot of nothing, said that they did not tell the public initially because they did not want the people who have the information to realise just how sensitive it is.

He meant to say that they thought they would get away with it...... Typical :rolleyes:

Toto Wolfcastle

stepbar wrote: »

He meant to say that they thought they would get away with it...... Typical :rolleyes:

Probably! The excuse on Drivetime was woeful though. Did they not think someone would find out at some stage and that they'd look bad for hiding it? Did they not think that the people who have the laptops might be able to figure it out for themselves if they really wanted to do anything with the information?

And most importantly, why the hell do people keep losing laptops or leaving them unattended where they can be stolen? It's a freaking laptop with sensitive information on it. My laptop has no sensitive information on it and you can be damn sure that I keep an eye on the thing.

Wertz

It could be just through house burglary or theft from cars, it's only four laptops...once it's just random theft for the hardware and wasn't targetted at specific bank employees for the data.

Toto Wolfcastle

Wertz wrote: »

It could be just through house burglary or theft from cars, it's only four laptops...once it's just random theft for the hardware and wasn't targetted at specific bank employees for the data.

Of course, but it has been happening all too often lately. Perhaps it's time for people to realise that sending sensitive information out into the world on a laptop, which is something that is targetted by burglers, is not a good idea.

Donald-Duck

stepbar wrote: »

+1. Costcutting, laziness whatever you want to call it.

I was told that the reason why such information is downloaded the laptops is because "sometimes" the lads from BOI Life have to visit customer's homes and need to access information. I nearly choked with horror. Mobile broadband :rolleyes: Amateurish stuff TBH.

Because wireless broadband is so secure. The odds are it was stolen for being a laptop, in that case, whoever stole it, won't know how to get any of the data off it.

Sherifu

We need self destructing laptops.

Wertz

I agree 100%....who knows what kind of stuff is out there on portable devices that are the target of thieves, which is why it should be either centrally and securely stored for read access, or properly encrypted/locked. I'd like to think that the 4 laptops in question were at least password protected and when the stuff couldn't be accessed they just installed an OS or sold it someone who did...

the_syco

RATM wrote: »

Just on the 6 o'clock news now. They said it was 10,000 last week, now they've admitted its 31,500, will probably be double that by the end of the week.

You talking about the laptop that went missing LAST MONTH but which they told no-one about, till someone copped on about it?

stepbar

Donald-Duck wrote: »

Because wireless broadband is so secure. The odds are it was stolen for being a laptop, in that case, whoever stole it, won't know how to get any of the data off it.

If you read my msg you would have seen that they download customer information to the laptops because they need to be able to access it whilst out and about. The information should have been kept centrally and mobile broadband / vpn's used to access it. TBH it's a damm sight more secure than carrying round the entire BOI life database on a laptop.

Toto Wolfcastle

Wertz wrote: »

I agree 100%....who knows what kind of stuff is out there on portable devices that are the target of thieves, which is why it should be either centrally and securely stored for read access, or properly encrypted/locked. I'd like to think that the 4 laptops in question were at least password protected and when the stuff couldn't be accessed they just installed an OS or sold it someone who did...

Couldn't have said it better myself!

stepbar

Wertz wrote: »

I agree 100%....who knows what kind of stuff is out there on portable devices that are the target of thieves, which is why it should be either centrally and securely stored for read access, or properly encrypted/locked. I'd like to think that the 4 laptops in question were at least password protected and when the stuff couldn't be accessed they just installed an OS or sold it someone who did...

I'd say there's a good chance that the laptops are sitting pretty in someone's living room now. I don't think the laptop's were stole to order but that being said one was stolen from a branch..... The rest were stolen from cars. I'd say the chances that the laptops fell into wrong hands are slim but none the less it doesn't make it one less bit serious.

Donald-Duck

Wertz wrote: »

I agree 100%....who knows what kind of stuff is out there on portable devices that are the target of thieves, which is why it should be either centrally and securely stored for read access, or properly encrypted/locked. I'd like to think that the 4 laptops in question were at least password protected and when the stuff couldn't be accessed they just installed an OS or sold it someone who did...

It would be encryped. Wouldn't be even able to boot the laptop with that hard drive in it without a password.

star-pants

It's a bit mental how all this info is being 'stolen' - social service stuff in England wasn't it? And AIB breach, and BOI laptops etc..
And AIB isn't any better than BOI - sure didn't last year they send out thousands of statements to all the wrong houses? (IIRC)

But I assume there has to be a lot of encryption on the laptops no?

Wertz

I would already have assumed so since it's nearly at the level of consumer technology....but why then all the fuss?
Apart from the obvious bit about not coming forward with news of the thefts, if the data is safe (depending on level of encyrption) then it doesn't matter about the thieves knowing what they have or not, so why not come forward and admit what happened? Trying to hide it just alarms people more and makes it look worse...

star-pants

That's the thing - wasn't some of this stuff missing since last year? why wait till now? Is it they'd hoped to find it and not have to alarm people? but then after a certain amount of time they're told they have to tell the customers/public?

stepbar

star-pants wrote: »

That's the thing - wasn't some of this stuff missing since last year? why wait till now? Is it they'd hoped to find it and not have to alarm people? but then after a certain amount of time they're told they have to tell the customers/public?

I'd say it was more like someone leaving a nice parting present to the bank.....

aidan_walsh

Donald-Duck wrote: »

It would be encryped. Wouldn't be even able to boot the laptop with that hard drive in it without a password.

Are you in a position to be able to say that with any authority, or making assumptions?

DetectivFoxtrot

star-pants wrote: »

That's the thing - wasn't some of this stuff missing since last year? why wait till now? Is it they'd hoped to find it and not have to alarm people? but then after a certain amount of time they're told they have to tell the customers/public?

I'd say they didn't tell anyone because of how valuable the data is. Even if it was just some knacker that stole them if they got wind of the contents they would have sold them on to fraudsters. I work in a bank and one of the biggest fraud issues at the moment is identity theft. The risk is so high that the data protection commission are review sending out any sort of sensitive data directly to customer (e.g. a letter detailing new bank account number and sort code) because of the risk that it presents....

The fact that the laptops were only password protected and not encrypted is scandalous... I sense a hefty fine coming BOIs way.....

Javan

Without doubt this is a combination of imcompetence, negligence and arrogance on the part of BOI, but let's not overstate the problem (or the solution).

If a laptop is nicked out the back of a car it is most likely going to be sold straight away to feed whatever habit the toe-rag is slave to. It will be sold at a car boot sale to someone who won't recognise the data, or won't know how to exploit it, or (just maybe) is honest enough not to want to exploit it.
The real risk to customers of BOI is small, unless the machine is bought by someone who:
a) recognises the data
b) knows how to sell it AND
c) is crook enough to want to sell it.

As to the solutions: Most people are talking about encryption. Encryption on a laptop is of very limited value. By the nature of the technology the decryption key is going to be on the laptop along with the data. That's like leaving the key to the front door under the flower pot. Laptops are very often left in hibernate mode, so you don't get the full protection of a cold start.
So encryption adds a little complexity, but not that much.

The better solution would be to not have the data on the laptop in the first place. Have the reps plan their appointment schedule, and copy the data for just those customers they plan to meet, and delete that data off the machine at the end of the day. (and have the data encrypted).
If, as a hypothetical crook, I found a file with 10,000 encrypted customer records it mught be worth trying to find the key. If the file had just 10 records in it, it would hardly be worth the effort.

For the record, I am a BOI customer, I am not (and was never) BOI staff. I think the bank has shown incompetence to allow this policy, negligence to allow it tp continue, and arrogant fools who thought they could cover it up.
I just hate to see the dangers of data theft, or benefits of technology like encryption, over-stated.

Donald-Duck

aidan_walsh wrote: »

Are you in a position to be able to say that with any authority, or making assumptions?

I worked in a bank and every single laptop allowed on the network had to be.

aidan_walsh

Donald-Duck wrote: »

I worked in a bank and every single laptop allowed on the network had to be.

Thats fair enough, I'll take your word for it. The old "a guy on the internet said..." thing kicked in for a minute

Donald-Duck

Maybe thats why they wanted to keep it quiet. Now that a big deal has been made about it, it lets people know there is a stolen laptop with bank records on it.

Edit: The quote didnt appear, meant to be directed at Javan.

Jesus Wept

Sherifu wrote: »

AIB customer \o/

rb_ie wrote: »

*high five*


Love how BOI are trying to downplay the whole thing though, firstly admitting that thousands of peoples "sensitive data" (their words, not mine) was stolen and then saying the risk of fraud is minute. Yeah fcking right.

It's a pity because they're a pretty good bank and this is going to do an enormous amount of damage to them.

Joe Robot wrote: »

AIB ftw!!

Short memories

All the banks are a shower.

stepbar

Donald-Duck wrote: »

I worked in a bank and every single laptop allowed on the network had to be.

And for what bank because every bank ain't the same.

stepbar

Javan wrote: »

For the record, I am a BOI customer, I am not (and was never) BOI staff. I think the bank has shown incompetence to allow this policy, negligence to allow it tp continue, and arrogant fools who thought they could cover it up.
I just hate to see the dangers of data theft, or benefits of technology like encryption, over-stated.

Guess what? The bank's now rushing to implement encryption. The irony of it all.

Javan

Donald-Duck wrote: »

Maybe thats why they wanted to keep it quiet. Now that a big deal has been made about it, it lets people know there is a stolen laptop with bank records on it.

Edit: The quote didnt appear, meant to be directed at Javan.

Maybe so Donald, though I'm never a fan of that sort of thinking. To my mind it just confirms their incompetence, arrogance and foolishness.

Especially since it looks like the policies weren't changed for many months after the first incident.

Donald-Duck

stepbar wrote: »

And for what bank because every bank ain't the same.

Irish Life. Every bank isn't the same, but there is a general standard in the industry. You'd be hard pressed to find anywhere that doesn;t encrypt valuable information.

stepbar

Donald-Duck wrote: »

Irish Life. Every bank isn't the same, but there is a general standard in the industry. You'd be hard pressed to find anywhere that doesn;t encrypt valuable information.

The BOI have clearly stated that they didn't. Isn't that what the whole issue is all about, the lack of encryption.

parsi

I wonder how many more revelations are waiting to be made.

It wouldn't do for any bank to get too smug at this time.

Wertz

I noticed a lengthy AIB ad on during the 9pm news...strike while the iron's hot eh?

As regards overstating things, most people are coming at this from a layman's perspective...they hear all these news stories, get pop ups on their online banking warning of fraud, phishing etc...the businesses involved place responsibility on their customers WRT ID theft but then see fit to play loose at their own end.
I'm no expert on encryption so I'll take what Javan says about it not being all it's cracked up to be...it was my understanding that a key would be kept on a separate USB stick or memory card (which probably get's left in the machine anyhow :rolleyes: ). But even if it isn't infalible, at least it lessens the likelihood of the data being compromised...