'Error' sends bank files to eBay

Toronto Star ^ | Sep. 15, 2003. 11:59 AM | TYLER HAMILTON

[NotQuiteCricket]

Two Bank of Montreal computers containing hundreds, potentially thousands, of sensitive customer files narrowly escaped being sold on eBay.com late last week, calling into question the process by which financial institutions dispose of old computer equipment.

Information in one of the computers included the names, addresses and phone numbers of several hundred bank clients, along with their bank account information, including account type and number, balances and, in some cases, balances on GICs, RRSPs, lines of credit, credit cards and insurance.

Many of the files were dated as recently as late 2002, while some went back to 2000. The computers appeared to originate from the bank's head office on St. Jacques St. in Montreal, but customers, many of them also bank employees, had addresses ranging from Victoria, B.C., to St. John's, Nfld.

In the wrong hands, the data could be used to steal someone else's identity for the purposes of fraud, a fast-growing crime known as identity theft.

"Our number one priority as an organization is the protection of customer information," said Dina Palozzi, chief privacy officer for the bank, which swiftly seized the computers' hard drives on Saturday afternoon within 24 hours of learning their whereabouts. "This kind of issue we take very, very seriously."

Geoff Ellis, a 26-year-old masters student living in North York, purchased the computers last week from Ecosys Canada Inc., a computer asset-management firm in Mississauga. He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new.

Ellis buys, fixes up and then resells used computer equipment on eBay.com. He had posted the two machines on the popular online auction site for six hours before he noticed, after turning one of them on, that it contained an operating system that let him access file folders from the bank without needing a password.

He immediately removed the items from the Web site, he said.

"My first response was shock," said Ellis, who contacted the Star soon after discovering the information. "There's no way a server should get out of a bank's hands with a full operating system and whatever data that's in the hard drive."

[NotQuiteCricket]

Physical security is just as important as network security.

[Izzy Dunne]

"This kind of issue we take very, very seriously."

Apparently not seriously enough...

[Izzy Dunne]

An official with the bank said Rider Computer Services Ltd., which manages the computer assets for Bank of Montreal and many of Canada's big financial institutions, was contractually responsible for ensuring the hard drives were properly erased.

See buck.
See buck passed.

Colin Taves, vice-president at Rider, said Ecosys is a sub-contractor for the bank's Montreal head office and should have made sure the computers were wiped.

See buck.
See buck passed.

"It was really an operational breakdown," said Taves, explaining that the computers were taken from the wrong warehouse skid and it was assumed they had been erased. "It was a warehouse location issue more than anything else."

See buck.
See buck passed.

Bruce Hartley, a vice-president at Ecosys, agreed. " It's an operational error and we've contained it in the shortest amount of time that we could.

You got it handed to you on a silver platter, you mean...

[MD_Willington_1976]

...darn you mean they didnt loose the documentation to my wifes student loan...well guess I'm stuck paying for it...

Special message to Banque de Montreal..
"Hé les employés de Banque de Montreal, recevoir vos têtes de vous ânes! "

[Mears]

very good,Izzy---they sure trying to cover their as***!!!

[NotQuiteCricket]

My favorite parts from the article:

"Garigue said the bank's executives and computer security staff, along with representatives from Rider, will hold meetings all week to discuss how to improve procedures and processes that let these computers slip through the cracks."

First response of any good corporation - have a lot of meetings (nothing gets done, but we will all feel better)

"Taves said his company has processed over a million computer components for the banks and this is the first time such an issue has emerged. "In my mind, everybody reacted accordingly.""

There you go - this is the first time that SOMEONE GAVE THE HDD BACK. There isn't any real way to know that they haven't done this before and the person receiving the data either went ahead and got rid of it (erased it) or the person sold it.

[Indrid Cold]

I understand Best Buy is the subject of a class-action lawsuit due to a similar "whoopsie!"

[Oatka]

Back in the 60s the Marine Corps Exchange at Camp Pendleton got a System 32 from a rancher in Wyoming via IBM. Besides a few wisps of hay and dust (sturdy machine), the hard drive contained the ranch's General Ledger and other sensitive data. We just tsk-tsked and reformatted the drive. (Hope the guy had back up.)

Fast forward to today when people take their machines in for an upgrade. If you leave financial data, let alone personal stuff on the hard drive, there is no guarantee the help won't "take a peek". It's even worse if you donate a machine.

A good point by NotQuiteCricket re: this is the first time the hard drive was returned. Those bankers live in a fool's paradise.