Bank of Ireland admit to another 21,500 stolen account details

aidan_walsh

Donald-Duck wrote: »

It would be encryped. Wouldn't be even able to boot the laptop with that hard drive in it without a password.

Are you in a position to be able to say that with any authority, or making assumptions?

DetectivFoxtrot

star-pants wrote: »

That's the thing - wasn't some of this stuff missing since last year? why wait till now? Is it they'd hoped to find it and not have to alarm people? but then after a certain amount of time they're told they have to tell the customers/public?

I'd say they didn't tell anyone because of how valuable the data is. Even if it was just some knacker that stole them if they got wind of the contents they would have sold them on to fraudsters. I work in a bank and one of the biggest fraud issues at the moment is identity theft. The risk is so high that the data protection commission are review sending out any sort of sensitive data directly to customer (e.g. a letter detailing new bank account number and sort code) because of the risk that it presents....

The fact that the laptops were only password protected and not encrypted is scandalous... I sense a hefty fine coming BOIs way.....

Javan

Without doubt this is a combination of imcompetence, negligence and arrogance on the part of BOI, but let's not overstate the problem (or the solution).

If a laptop is nicked out the back of a car it is most likely going to be sold straight away to feed whatever habit the toe-rag is slave to. It will be sold at a car boot sale to someone who won't recognise the data, or won't know how to exploit it, or (just maybe) is honest enough not to want to exploit it.
The real risk to customers of BOI is small, unless the machine is bought by someone who:
a) recognises the data
b) knows how to sell it AND
c) is crook enough to want to sell it.

As to the solutions: Most people are talking about encryption. Encryption on a laptop is of very limited value. By the nature of the technology the decryption key is going to be on the laptop along with the data. That's like leaving the key to the front door under the flower pot. Laptops are very often left in hibernate mode, so you don't get the full protection of a cold start.
So encryption adds a little complexity, but not that much.

The better solution would be to not have the data on the laptop in the first place. Have the reps plan their appointment schedule, and copy the data for just those customers they plan to meet, and delete that data off the machine at the end of the day. (and have the data encrypted).
If, as a hypothetical crook, I found a file with 10,000 encrypted customer records it mught be worth trying to find the key. If the file had just 10 records in it, it would hardly be worth the effort.

For the record, I am a BOI customer, I am not (and was never) BOI staff. I think the bank has shown incompetence to allow this policy, negligence to allow it tp continue, and arrogant fools who thought they could cover it up.
I just hate to see the dangers of data theft, or benefits of technology like encryption, over-stated.

Donald-Duck

aidan_walsh wrote: »

Are you in a position to be able to say that with any authority, or making assumptions?

I worked in a bank and every single laptop allowed on the network had to be.

aidan_walsh

Donald-Duck wrote: »

I worked in a bank and every single laptop allowed on the network had to be.

Thats fair enough, I'll take your word for it. The old "a guy on the internet said..." thing kicked in for a minute

Donald-Duck

Maybe thats why they wanted to keep it quiet. Now that a big deal has been made about it, it lets people know there is a stolen laptop with bank records on it.

Edit: The quote didnt appear, meant to be directed at Javan.

Jesus Wept

Sherifu wrote: »

AIB customer \o/

rb_ie wrote: »

*high five*


Love how BOI are trying to downplay the whole thing though, firstly admitting that thousands of peoples "sensitive data" (their words, not mine) was stolen and then saying the risk of fraud is minute. Yeah fcking right.

It's a pity because they're a pretty good bank and this is going to do an enormous amount of damage to them.

Joe Robot wrote: »

AIB ftw!!

Short memories

All the banks are a shower.

stepbar

Donald-Duck wrote: »

I worked in a bank and every single laptop allowed on the network had to be.

And for what bank because every bank ain't the same.

stepbar

Javan wrote: »

For the record, I am a BOI customer, I am not (and was never) BOI staff. I think the bank has shown incompetence to allow this policy, negligence to allow it tp continue, and arrogant fools who thought they could cover it up.
I just hate to see the dangers of data theft, or benefits of technology like encryption, over-stated.

Guess what? The bank's now rushing to implement encryption. The irony of it all.

Javan

Donald-Duck wrote: »

Maybe thats why they wanted to keep it quiet. Now that a big deal has been made about it, it lets people know there is a stolen laptop with bank records on it.

Edit: The quote didnt appear, meant to be directed at Javan.

Maybe so Donald, though I'm never a fan of that sort of thinking. To my mind it just confirms their incompetence, arrogance and foolishness.

Especially since it looks like the policies weren't changed for many months after the first incident.

Donald-Duck

stepbar wrote: »

And for what bank because every bank ain't the same.

Irish Life. Every bank isn't the same, but there is a general standard in the industry. You'd be hard pressed to find anywhere that doesn;t encrypt valuable information.

stepbar

Donald-Duck wrote: »

Irish Life. Every bank isn't the same, but there is a general standard in the industry. You'd be hard pressed to find anywhere that doesn;t encrypt valuable information.

The BOI have clearly stated that they didn't. Isn't that what the whole issue is all about, the lack of encryption.

parsi

I wonder how many more revelations are waiting to be made.

It wouldn't do for any bank to get too smug at this time.

Wertz

I noticed a lengthy AIB ad on during the 9pm news...strike while the iron's hot eh?

As regards overstating things, most people are coming at this from a layman's perspective...they hear all these news stories, get pop ups on their online banking warning of fraud, phishing etc...the businesses involved place responsibility on their customers WRT ID theft but then see fit to play loose at their own end.
I'm no expert on encryption so I'll take what Javan says about it not being all it's cracked up to be...it was my understanding that a key would be kept on a separate USB stick or memory card (which probably get's left in the machine anyhow :rolleyes: ). But even if it isn't infalible, at least it lessens the likelihood of the data being compromised...