
UK Banks Dump Credentials in Bin Bags

Plutonite writes "BBC news is reporting that several UK banks face 'unlimited fines' for careless handling of sensitive client information. This apparently came after investigators found account details while rummaging through the trash outside the banks involved. In this age of online banking and related security problems, and in light of this scandal, where can we expect to find the greatest threat of ID theft?"

  • by Anonymous Coward
    I am the real Anonymous Coward. Any other posts by Anonymous Coward in this topic have been made by an ID thief!!
  • by Majik Sheff ( 930627 ) on Saturday October 28, 2006 @01:00PM (#16623224) Journal
    Frank: Gentlemen, I propose we send a message to tobacco companies by fining the El Dorado Cigarette Company infinity billion dollars!
    Congressman: That's the spirit, Frank! But I think a real number might be more effective.
    • I don't blame the banks for doing this. Paper shredders jam, especially when you try to put angry customers through them.
    • Me: That's the spirit, Congressman! But I think a rational number rounded to two decimal places might be more effective.
      • Re: (Score:1, Funny)

        by Anonymous Coward
        I think a complex number may be more vexing.
  • by Anonymous Coward
    I don't use banks, I hide all my cash underneath my cat's litter box in my parents basement.
    Nobody steals my identity!
    I wish they would... I'm sooooo lonely down here...
    • Sorry but the conspiracy goes much deeper than that. Your (USD) cash is a fEDERAL rESERVE nOTE; which is what?.. A private bank. USD only has worth because the fED says so. It's a private bank designed to rob you of your real income.

      So you will have to convert that stash under the litter box to gold if you want to be free from the talons of corrupt banking institutions.

      Believe it.
  • by truthsearch ( 249536 ) on Saturday October 28, 2006 @01:14PM (#16623360) Homepage Journal
    Many financial institutions' IT departments in the US have no policies for paper shredding. I was always mindful to shred account information, but many of my coworkers were not. No rules were published and I've never heard it brought up as an issue by management.

    You might be wondering why IT staff would have account information on paper. There are a variety of reasons. Periodic statements still go to most customers by paper, and the IT departments are responsible for their automation. A large percentage of people on the business side still like to see reports on paper and often the IT department is responsible for generating them. We are very far from having paperless companies. And in my experience paper disposal policies are largely missing or ignored.
    • I happen to work for a major national bank in the US and I can tell you we have VERY strict policies concerning shredding of customers' confidential account information. Anything that has as much as a customer's name or address (much less account information) is either shredded immediately or placed in bins which are then kept under lock and key (often in the actual bank vault) until an appropriate certified and bonded professional comes on site to dispose of it all in bulk. We (at least in my region) are v
  • by eneville ( 745111 ) on Saturday October 28, 2006 @01:18PM (#16623382) Homepage
    time to store all my money under the mattress now.

    it's not really easy to get money out the banks though. they open after i start work, close before i finish, they're difficult during the lunch hour. hell, the only people they're accessible to are bank robbers.
    • You forgot to add that in recent years, they make you enter your own bank transfers into their systems, then happily charge you for the convenience.

      I love banks.
  • It's OK, I saw a whole load of fun data (like copies of client passports, proofs of name and address) being sent from the US to the UK for processing using that well known data protection technique of a FedEx envelope for the CDRs. The Information Security people hit the roof when they heard and insisted on proper encryption. The point is that neither the business nor the IT people concerned had the foggiest idea that there was a duty of care involved.
    • by vidarh ( 309115 )
      I've seen almost as bad stuff.

      One of the largest payment processors in the US routinely sends chargeback info as normal mail in large envelopes prominently stamped with their company name (very obvious it's a credit card processor) and some slogan about their payment processing business.

      Inside the envelope you will not only find the basis for the chargeback and the customer name, but you will also find fun things like copies of their statements with the charged back payments highlighted, etc (instead o

    • Re: (Score:1, Interesting)

      by Anonymous Coward
      Your post hits the nail on the head when it says "The information security people hit the roof...". I am currently working at a UK financial institution dealing with live data provided by various third parties. Their governance rules are clear and the infosec team available and helpful, but despite this, when I took over the role, customer data was being sent unencrypted on CDR from site to site. The point is that the teams involved had never been told what their responsibilities were. It may seem obvious t
    • duty of care, huh? you sound like my torts professor
      • by hughk ( 248126 )
        I started off as a nice clean IT person but I've spent far too long on regulatory issues. The "duty of care" may be challengeable in a US bank but the parent is EU based. In any case, there is always reputational risk should there be a compromise.
  • As long as we have stupid people who fail to understand that the information stored on the computer is much more valuable than the computer itself, we'll continue to have people throw away stuff like this, store information on unpatched machines, etc.etc.etc.

    Therefore, don't deal with a company that employs, or outsources to companies who employ stupid people.

    Of course....this is much easier said than done......

  • /usr/bin? (Score:3, Funny)

    by dotslashdot ( 694478 ) on Saturday October 28, 2006 @01:25PM (#16623428)
    They should not have dumped the files in /usr/bin, but in /dev/null.
  • Maybe they got the idea from the airline industry, who in turn might have gotten it from the USA Dept of homerland security.
  • My father's story... (Score:5, Interesting)

    by IcebergSlim ( 450399 ) on Saturday October 28, 2006 @01:49PM (#16623616)
    5 or 6 years ago my father came down with cancer, and his wife (now ex) took over the regular task of managing the finances of the household, etc. (This was in Wisconsin.) She also took it upon herself to fraudulently clean out his "Federally Protected" IRA, all of his *non-joint* accounts, filed false tax returns, and then ran up tens of thousands of dollars in debt in his name (hiding the statements and records to keep the game going as long as possible). She even bought a $20,000 diamond ring and a Mercedes for herself -- all while my Father was going through radiation treatment and surgery, etc. Finally, the house of cards came tumbling down, the police were notified, and she admitted everything.

    The result, 5 years later: We found out that the bank had known this fraud was taking place on his accounts (we have one of their internal documents explicitly stating this), yet they covered this up during the discovery process and only gave it to us years later. She's never been arrested nor paid any restitution for what she did, the "Federally Protected" IRA was never reinstated, and a judge in Wisconsin had my father put in jail for refusing to give her his car, which the judge had mistakenly awarded to both of them during the divorce trial. My father sued the bank and has recovered nothing to date.

    Your money is not safe, and no one cares.
    • You and your father need better legal advice. If you can prove this with documentation as you say, and you can prove it was going on during the time he was undergoing treatment, you have a good chance of raking an insane amount of money in from this thing. Remember: you are suing a bank. Your father needs to file against both her(although I understand this is a personal issue) and the people involved inside the bank, and you should not be afraid to spend money on this.

      It is for cases such as these that "inf
      • Thanks for your comments; in a normal world justice would prevail and he'd at least get his IRA funds restored. Our justice system is insane, though, and banks with deep pockets are very good at frustrating efforts to hold them to account for their actions. Example: during the trial my father and his counsel were barred from any mention whatsoever of the fact that he had had cancer. In the end, their law firm was better than my father's law firm, and having more resources to commit to a case like that m
    • by Tim C ( 15259 )
      Meanwhile, here in the UK, I've had transactions on my credit card blocked temporarily as the activity was out of the ordinary. I had to 'phone the provider and confirm that it was indeed legitimate. I also had my card skimmed when I used it at an ATM in France, and was notified of the fact by my bank when they discovered that the machine had been tampered with.

      You've been screwed, and need to seek (better!) legal advice. However, while it's generally true that large corporations don't particularly care abo
  • Talking Points (Score:2, Insightful)

    1. I know this sounds a little extreme, but maybe the banks are borderline criminal organizations. Thirty-five dollars for a bounced check? Thirty-nine percent interest for a credit card? Some banks are just thieves.

    2. I treat my personal data like it's already on billboards. Obviously the banks don't care about our privacy, so I try to use services where my personal information isn't needed. Using prepaid credit cards instead of a credit line at the bank, or money orders instead of a checking acou

    • Interesting someone should mention that, there's a site that explains why bank charges in the UK are most likely illegal penalty charges and classed as unfair contract terms

      I'm sure UK readers will really enjoy reading the site and sending off those letters to their banks.
    • it's only a crime if you don't agree to it...
    • by pjt33 ( 739471 )
      I'm not aware of prepaid "credit" cards being available in the UK yet. I wish they were, because it would allow me to shop online.
      • Re: (Score:3, Informative)

        by Rekolitus ( 899752 ) *

        You do know you can get debit cards on the VISA network, right?

        I don't know about prepaid, but that's what my bank gave me, and I've never had a situation where it's been rejected online for being a debit card rather than a credit card.

        • You do know you can get debit cards on the VISA network, right? I don't know about prepaid, but that's what my bank gave me, and I've never had a situation where it's been rejected online for being a debit card rather than a credit card.

          That's even worse as they can then clean out all your money from your main account. A credit card is preferable as then the credit company is jointly liable with the merchant if it is not delivered and if there is fraud for which you are not liable then the card compan

        • Debit cards have an unfortunately bad reputation for NOT returning stolen money. As you already 'paid' the bank, they tend to think anything that happens to it is now fine.

          I once had a total MORON tell me that "No, you don't need to know who we sent this $50 from your account, because we have a signed agreement from you that lets us take money from your account and send it one specific person."

          The fool seemed to think that if I gave authorization for one transfer, it meant I authorized everyone to ta

  • *dons tinfoil hat* (Score:3, Interesting)

    by Stephen Williams ( 23750 ) on Saturday October 28, 2006 @01:50PM (#16623630) Journal
    Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.

    • Re: (Score:2, Funny)

      by isorox ( 205688 )
      Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.

      Which would imply the government shows
      1) Joined up thinking
      2) Competence

      That's some whacko theory you've got there
      • Now now, the UK Government is competent at some things.

        Those things being failure, recklessness and brazen stupidity.
  • People that don't care about or don't know how to secure their personal data, institutions run by people with shoddy security practices or that just don't give a damn and all levels of government run by people that seem to refuse to use readily available, inexpensive and reliable security techniques and technology.
  • Bin Bags (Score:1, Troll)

    by eclectro ( 227083 )
    Oh, they mean trash bags. Those crazy Brits. They should've used Hefty! Hefty! Hefty! instead of wimpy wimpy wimpy.
  • by v1 ( 525388 ) on Saturday October 28, 2006 @04:29PM (#16624678) Homepage Journal
    A former manager of mine used to be the IT director at a bank. There, when they upgraded computers, they went out to the dump and had a "hard drive party". They removed the hard drives from the computers before tossing them in, disassembled them, and beat the platters thoroughly with hammers, then frisbee'd them into the hole and watched them be covered up by the dozer.

    I was under the impression that banks always were anal about destruction of customer records.

    The US Navy has an interesting method also. They have these three level shredders. First level does strips. Second level does squares. Third level can best be described as "paper dust", it's the consistency of fine sawdust. Then they flush that out below decks directly into the water. Good luck getting that back.
  • Sounds like an excellent argument for the Paperless Office. Yeah, that's not a perfect solution, but it could sure put an end to dumpster diving.
  • The Chief Executive of the British Bankers' Association was interviewed on the BBC's (RAM) flagship radio news programme this morning. He claimed that the problem was either: (a) it was a very small number of rogue employees, or most likely (b) the customers' fault! The journalist doing the interview was rendered close to speechless by this answer. The BBA was upholding a long-established UK tradition whereby banks claim that their systems are infallible, and accuse customers who have the cheek to complain
  • When I worked at the processing center of a bank, there was one big rule: cash slips (internal documents with no personal info on them that only represent money put into or taken out of vaults) can go in trash, everything else in shred box..... Stupid banks.....
  • I wish the sods would dump some of mine, maybe then I'd stop getting the vast number of unsolicited invitations to take out loans, credit cards and various insurance/assurance deals that I do now. One look at my balances and they'd run for the hills!