UK Banks Dump Credentials in Bin Bags

Plutonite writes "BBC news is reporting that several UK banks face 'unlimited fines' for careless handling of sensitive client information. This apparently came after investigators found account details while rummaging through the trash outside the banks involved. In this age of online banking and related security problems, and in light of this scandal, where can we expect to find the greatest threat of ID theft?"

my identity was stolen!

[Anonymous Coward]

I am the real Anonymous Coward. Any other posts by Anonymous Coward in this topic have been made by an ID thief!!

Re:

[GNious]

No, you all just need lives.... real ones!

Re:

[todd10k]

No, I'M SPARTACUS!

Family Guy said it best:

[Majik Sheff]

Frank: Gentlemen, I propose we send a message to tobacco companies by fining the El Dorado Cigarette Company infinity billion dollars!
Congressman: That's the spirit, Frank! But I think a real number might be more effective.

Re:

[From A Far Away Land]

I don't blame the banks for doing this. Paper shredders jam, especially when you try to put angry customers through them.

Re:

[rootEToTheIPi]

Me: That's the spirit, Congressman! But I think a rational number rounded to two decimal places might be more effective.

Re:

[Anonymous Coward]

I think a complex number may be more vexing.

Re:Laws

[James_Duncan8181]

Actually the Data Protection Act is UK law, and makes these fines possible. We have all the protections that USians on /. frequently wish for. From the relevant Act:

2.1 Regarding the release of personal data to third parties without specific consent (or publication with the same effect), the assumption is that this is not permitted, except where specific exemptions apply. These exemptions now include:

- where required by law or statutory instrument;

- where required to prevent or detect crime;

- where required to assess or collect tax or duty;

- release to a third party who is sub-contracted to process the data in a way that meets DPA rules.

2.2 With regard to subject access rights, the data subject is presumed to be entitled to access all personal data held about her/himself that falls under the scope of the new Act, with the following main exemptions (i.e. cases where the controller of the data may decline to release certain data, but must justify doing so):

- where disclosure unavoidably identifies a third party;

- where the data was supplied in confidence e.g. references and similar judgements (but please note that examiners' marks and/or comments cannot be assumed to be exempt from disclosure.)

What else could you want? The Act allows for both civil and criminal penalties, so the banks may well be in for quite the can of whoopass.

Re:

[Gandalf_the_Beardy]

What I would love is for people to be able to bring private prosecutions under the Act. Currently the only person who can prosecute is the Information Commissioner IIRC and they seem reluctant to do so. If the average Joe could instigate actions then the banks would have no way of controlling this, save from cleaning their act up and not actually screwing up. Me since I bank with two of the offenders will be making my displeasure with them felt Monday lunchtime, and I won't be taking their offer to discus

Re:

[Anonymous Brave Guy]

I suspect you're being a little harsh on Richard Thomas and his team. If you look at the position statements on the ICO's web site, they're generally very reasonable, and the office does take action against organisations that don't respect data protection and freedom of information rules. However, he has stated that to do the job properly, he would need 3x the team he's been given, and unlike most government empire-builders, I'm actually prepared to give him credit for being realistic there.

Re:

[Gandalf_the_Beardy]

I don't doubt that they are understaffed and overworked but the simple fact is that there are plenty of cases for abuse of personal information where they simply don't care. They essentially said recently that they will just go after the big guys/cases and the little ones will be left by the wayside due to the staffig problems. They've ignored it would seem proven cases of information being sold from both overseas and UK call centres as well which to me is more worrisome than accidentally leaving informatio

Re:

[Anonymous Brave Guy]

I don't doubt that they are understaffed and overworked but the simple fact is that there are plenty of cases for abuse of personal information where they simply don't care. They essentially said recently that they will just go after the big guys/cases and the little ones will be left by the wayside due to the staffig problems.

What would you do in their position? Not going after cases affecting a few people because you only have the resources to pursue cases affecting many people is probably the least o

Re:

[Gandalf_the_Beardy]

As you say, the other obvious alternative is to allow the public to initiate direct legal action against those breaching the data protection or freedom of information legislation. I'm not sure I agree with going down the regulatory route instead -- any law where a breaker cannot be taken directly to court by a damaged party has questionable value -- but on the other hand, I can see some sensible reasons for it as well. For example, while organisations should be required to meet reasonable data protection ob

Re:

[GIL_Dude]

So I take it that the garbage company is not certified under DPA rules? If they were, then release to them would be OK, right?

Re:

[h2g2bob]

In principle, the law is simple: you can only use personal information about people if they are a) dead or b) give you permission to do so. You then have a duty of care to make sure the data is not stolen, etc; and you have to say to the Data Protection Registrar that you are holding personal data.

Actually the law is not that simple really, because of the definition of "personal data", and a whole load of exceptions. Plus theres some other stuff about direct marketing and stuff.

Wikipedia:
http://en.wikipedia [wikipedia.org]

Re:Laws and regulators

[pbhj]

>>> ... so the banks may well be in for quite the can of whoopass.

Or not. Just look at what the water regulators have done to the water companies that allow their pipes to leak so much that they have to impose hosepipe bans and standpipes in some places ... fined them a tiny percentage of their profits.

A reasonable sum to hurt a bank and make them be careful is going to be about 10% of their profits : 25 million or so for Barclays highstreet banking I gather (http://news.independent.co.uk/business/

Re:

[siriuskase]

Actually the Data Protection Act is UK law, and makes these fines possible. We have all the protections that USians on /. frequently wish for. From the relevant Act:

I don't need to be able to quote law to notice that the only buisinesses in my neighborhood that don't have outdoor trash collection are the banks. Anyone with common sense would avoid a bank that had dumpsters. This isn't a new thing, I'm almst 50, and I've never seen a bank that set its trash outside. Of course, the secure trash truck, I'm

Re:

[Tim C]

The first line of the summary says that they "face 'unlimited fines'" - doesn't that imply to you that there are laws dealing with this in the UK?

Not in corporate offices

[truthsearch]

Most corporate Windows machines are behind firewalls. They're not perfect, but they're pretty good. Windows servers are almost always set up behind even more strict firewalls. Ideally servers exposed to the internet are on a different network segment than the internal servers containing even more data.

The greatest threat to ID theft has always been humans. The vast majority of security breaches are from social engineering.

Re:

[zlogic]

Oh these Microsoft bastards!
If they never existed people would never throw away printed plain-text passwords, never stick access codes on post-it notes to their monitor, and everyone would be immune to social engineering.

Re:

[Kokuyo]

Okay, why does this get an Interesting-Rating?

As if it was Microsoft's fault that managers came up with the idea that passwords were the culprit in our security problems. Sure, some users have quite weak passwords. That's sub-optimal. But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down. Especially when they have to change it every month.

Happened in my company. Why? Because there's data from the itali

Re:

[SillyNickName4me]

But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down.

Requiring special characters, capital letters and such just makes the keyspace smaller and makes it easier to do a brute-force attack on a password. The only somewhat sensible requirement in there is a minimum length.

Re:

[RobertLTux]

so you are assuming a A+B=C thing

A: roll 60 on a d100 (no save)
B: roll 90 on a d100 (no save) hmm grabbing my pda and doing 5 sets

27 and 50
72 and 17
39 and 62
84 and 29
51 and 74

looks like somebody needs some class bonuses or something

This is why I keep my cash ...

[Anonymous Coward]

I don't use banks, I hide all my cash underneath my cat's litter box in my parents basement.
Nobody steals my identity!
I wish they would... I'm sooooo lonely down here...

Guess what. You are still banking

[CranberryKing]

Sorry but the conspiracy goes much deeper than that. Your (USD) cash is a fEDERAL rESERVE nOTE; which is what?.. A private bank. USD only has worth because the fED says so. It's a private bank designed to rob you of your real income.

So you will have to convert that stash under the litter box to gold if you want to be free from the talons of corrupt banking institutions.

Believe it.

Re:

[ResidntGeek]

Gold is rare. That's why it's valuable.

Re:

[ResidntGeek]

That's true. I was trying to point out that gold would become no rarer, and thus no less valuable, if the US economy collapsed. But your point is also important to keep in mind.

Re:

[CranberryKing]

"The price of anything is set by supply & demand."

Not really. That's what they teach people in university. A fun theory. Prices (currency) today are set by Central Banks. They are large corrupt private banks. Gold's value will not completely collapse unless you discover how to make it from sea water. Currency's collapse when the central banks decide it's time to kill it. I've been to the Fed in NYC and touched the gold bars. Most of it isn't ours anyway. US holds about 2% of dollar issued backed in gold

Re:

[account_deleted]

Comment removed based on user account deletion

Not uncommon in the US

[truthsearch]

Many financial institutions' IT departments in the US have no policies for paper shredding. I was always mindful to shred account information, but many of my coworkers were not. No rules were published and I've never heard it brought up as an issue by management.

You might be wondering why IT staff would have account information on paper. There are a variety of reasons. Periodic statements still go to most customers by paper, and the IT departments are responsible for their automation. A large percentage of people on the business side still like to see reports on paper and often the IT department is responsible for generating them. We are very far from having paperless companies. And in my experience paper disposal policies are largely missing or ignored.

Re:

[MaxiumMahem]

I happen to work for a major national bank in the US and I can tell you we have VERY strict policies concurning shreading of customers confidental account information. Anything that has as much as a customers name or address (much less account information) is either shreaded immideatly or placed in bins which are then kept under lock and key (often in the actual bank vault) untill an appropriate certified and bonded professional comes on sight to dispose of it all in bulk. We (at least in my region) are v

it aint ever been safe

[eneville]

time to store all my money under the mattress now.

its not really easy to get money out the banks though. they open after i start work, close before i finish, they're difficult during the lunch hour. hell, they only people they're accessible to is bank robbers.

Re:

[cerberusss]

You forgot to add that in recent years, they make you enter your own bank transfers into their systems, then happily charge you for the convenience.

I love banks.

Bank Data sent from US to UK Unencrypted

[hughk]

Its ok, I saw a whole load of fun data (like copies of client passports, proofs of Name and address) being sent from the US to the UK for processing using that well known data protection technique of a FedEx envelope for a the CDRs. The Information Security people hit the roof when they heard and insisted on proper encryption. The point is that neither the business nor the IT people concerned had the foggiest idea that there was a duty of care involved.

Re:

[vidarh]

I've seen almost as bad stuff.

One of the largest payment processors in the US routinely sends chargeback info as normal mail in large envelopers prominently stamped with their company name (very obvious it's a credit card processor) and some slogan about their payment processing business.

Inside the envelope you will not only find the basis for the chargeback and the customer name, but you will also find fun things like copies of their statements with the charged back payments highlighted, etc (instead o

Re:

[Anonymous Coward]

Your post hits the nail on the head when it says "The information security people hit the roof...". I am currently working at a UK financial institution dealing with live data provided by various third parties. Their governance rules are clear and the infosec team available and helpful, but dispite this, when I took over the role, customer data was being sent unencrypted on CDR from site to site. The point is that the teams involved had never been told what their responsibilities were. It may seem obvious t

Re:

[benicillin]

duty of care, huh? you sound like my torts professor

Re:

[hughk]

I started off as a nice clean IT person but I've spent far too long on regulatory issues. The "duty of care" may be challengeable in a US bank but the parent is EU based. In any case, there is always reputational risk should there be a compromise.

Greatest threat of information theft....

[cbiltcliffe]

As long as we have stupid people who fail to understand that the information stored on the computer is much more valuable than the computer itself, we'll continue to have people throw away stuff like this, store information on unpatched machines, etc.etc.etc.

Therefore, don't deal with a company that employs, or outsources to companies who employ stupid people.

Of course....this is much easier said than done......

/usr/bin?

[dotslashdot]

They should not have dumped the files in /usr/bin, but in /dev/null.

Oh the punnage!

[h2g2bob]

If only I had mod points :(

Sounds like airport security

[MECC]

Maybe they got the idea from the airline industry, who in turn might have gotten it from the USA Dept of homerland security.

Re:Sounds like airport security

[MrShaggy]

Of course.

If you are digging around in the banks garbage, you must be a terrorist

Re:

[StikyPad]

Either that, or a very confused homeless guy.

"This restaurant sure throws away a lot of paper, and hardly any food!"

Re:

[StikyPad]

USA Dept of homerland security

Homerland? Is that Fox's version of Disneyworld? And why do they get their own federal department? It must be a return favor for Fox News.

My father's story...

[IcebergSlim]

5 or 6 years ago my father came down with cancer, and his wife (now ex) took over the regular task of managing the finances of the household, etc. (This was in Wisconsin.) She also took it upon herself to fraudulently clean out his "Federally Protected" IRA, all of his *non-joint* accounts, filed false tax returns, and then ran up tens of thousands of dollars in debt in his name (hiding the statements and records to keep the game going as long as possible). She even bought a $20,000 diamond ring and a Mercedes for herself -- all while my Father was going through radiation treatment and surgery, etc. Finally, the house of cards came tumbling down, the police were notified, and she admitted everything.

The result, 5 years later: We found out that the bank had known this fraud was taking place on his accounts (we have one of their internal documents explicitly stating this), yet they covered this up during the discovery process and only gave it to us years later. She's never been arrested nor paid any restitution for what she did, the "Federally Protected" IRA was never reinstated, and a judge in Wisconsin had my father put in jail for refusing to give her his car, which the judge had mistakenly awarded to both of them during the divorce trial. My father sued the bank and has recovered nothing to date.

Your money is not safe, and no one cares.

Re:

[IcebergSlim]

Please read my response to Plutonite's post below. Or, you're welcome to contact me via my photo website listed below my Slashdot username (http://www.pbase.com/artyler) and I'll happily email you a copies of the complaints, affidavits, etc.

We're not rubes; it's the system, and if you ever find yourself mired in a legal nightmare like this, you'll discover very quickly why people talk about the difficulties of sueing someone with deeper pockets than you.

Re:

[Plutonite]

You and your father need better legal advice. If you can prove this with documentation as you say, and you can prove it was going on during the time he was undergoing treatment, you have a good chance of raking an insane amount of money in from this thing. Remember: you are suing a bank. Your father needs to file against both her(although I understand this is a personal issue) and the people involved inside the bank, and you should not be afraid to spend money on this.

It is for cases such as these that "inf

Re:

[IcebergSlim]

Thanks for your comments; in a normal world justice would prevail and he'd at least get his IRA funds restored. Our justice system is insane, though, and banks with deep pockets are very good at frustrating efforts to hold them to account for their actions. Example: during the trial my father and his counsel were barred from any mention whatsoever of the fact that he had had cancer. In the end, their law firm was better than my father's law firm, and having more resources to commit to a case like that m

Re:

[Tim C]

Meanwhile, here in the UK, I've had transactions on my credit card blocked temporarily as the activity was out of the ordinary. I had to 'phone the provider and confirm that it was indeed legitimate. I also had my card skimmed when I used it at an ATM in France, and was notified of the fact by my bank when they discovered that the machine had been tampered with.

You've been screwed, and need to seek (better!) legal advice. However, while it's generally true that large corporations don't particularly care abo

Talinkg Points

[Jack Pallance]

1. I know this sounds a little extreme, but maybe the banks are borderline crminial organizations. Thirty-five dollars for a bounced check? Thirty Nine percent interest for a credit card? Some banks are just thieves.

2. I treat my personal data like it's already on billboards. Obviously the banks don't care about our privacy, so I try to use services where my personal information isn't needed. Using prepaid credit cards instead of a credit line at the bank, or money orders instead of a checking acou

Re:Talking Points

[Pop69]

Interesting someone should mention that, there's a site that explains why bank charges in the UK are most likely illegal penalty charges and classed as unfair contract terms

http://www.bankcharges.info/ [bankcharges.info]

I'm sure UK readers will really enjoy reading the site and sending off those letters to their banks.

Re:

[benicillin]

its only a crime if you dont agree to it...

Re:

[pjt33]

I'm not aware of prepaid "credit" cards being available in the UK yet. I wish they were, because it would allow me to shop online.

Re:

[Rekolitus]

You do know you can get debit cards on the VISA network, right?

I don't know about prepaid, but that's what my bank gave me, and I've never had a situation where it's been rejected online for being a debit card rather than a credit card.

Re:

[Gandalf_the_Beardy]

You do know you can get debit cards on the VISA network, right? I don't know about prepaid, but that's what my bank gave me, and I've never had a situation where it's been rejected online for being a debit card rather than a credit card.

That's even worse as they can then clean out all your money from your main account. A credit card is preferable as then the credit company is jointly liable with the merchant if it is not delivered and if there is fraud for which you are not liable then the card compan

Re:

[gurps_npc]

Debit cards have an unfortunately bad reputation for NOT resturning stolen money. As you already 'paid' the bank, they tend to think anything that happens to it is now fine.

I once had a total MORON tell me that "No, you don't need to know who we sent this $50 from your account, because we have a signed agreement from you that lets us take money from your account and send it one specific person."

The fool seemed to to think that if I gave authorization for one transfer, it meant I authorized everyone to ta

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[isorox]

Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.

Which would imply the govenment shows
1) Joined up thinking
2) Competence

That's some whacko theory you've got there

Re:

[jb.hl.com]

Now now, the UK Government is competent at some things.

Those things being failure, recklessness and brazen stupidity.

... greatest threat of ID theft? People!

[fuego451]

People that don't care about or don't know how to secure their personal data, institutions run by people with shoddy security practices or that just don't give a damn and all levels of government run by people that seem to refuse to use readily available, inexpensive and reliable security techniques and technology.

Bin Bags

[eclectro]

Oh, they mean trash bags. Those crazy Brits. They should've used Hefty! Hefty! Hefty! instead of wimpy wimpy wimpy.

Re:

[RobertLTux]

no what the should have done is mulched the paper first and heat sealed the bags

hard to say how they do it

[v1]

A former manager of mine used to be the IT director at a bank. There, when they upgraded computers, they went out to the dump and had a 'hard drive party". They removed the hard drives from the computers before tossing them in, disassembled them, and beat the platters throughly with hammers, then frisbee'd them into the hole and watched them be coverd up by the dozer.

I was under the impression that banks always were anal about destruction of customer records.

The US Navy has an interesting method also. They have these three level shredders. First level does strips. Second level does squares. Thrid level can best be described as "paper dust", it's the consistency of fine sawdust. Then they flush that out below decks directly into the water. Good luck getting that back.

Sounds Like...

[Nom du Keyboard]

Sounds like an excellent argument for the Paperless Office. Yeah, that's not a perfect solution, but it could sure put an end to dumpster diving.

The British Bankers' Association Explains...

[namgge]

The Chief Executive of the British Bankers' Association was interviewed on the BBC's (RAM) [bbc.co.uk] flagship radio news programme this morning. He claimed that the problem was either: (a) it was a very small number of rogue employees, or most likely (b) the customers' fault! The journalist doing the interview was rendered close to speechless by this anwer. The BBA was upholding a long-established UK tradition whereby banks claim that their systems are infallible, and accuse customers who have the cheek to complain

Duh....

[ShyGuy91284]

When I worked at the processing center of a bank, there was one big rule: cash slips (internal documents with no personal info on them that only represent money put into or taken out of vaults) can go in trash, everything else in shred box..... Stupid banks.....

Banks dump sensitive data

[Jezter!*+$nothername]

I wish the sods would dump some of mine, maybe then I'd stop getting the vast number of unsolicited invitations to take out loans, credit cards and various insurance/assurance deals that I do now. One look at my balances and they'd run for the hills!