Meet the new loss, same as the old loss

Another day, another data loss, and another struggle for an original headline. However, the RBS / NatWest / Amex loss of 1m sets of personal information isn’t as straightforward as it might at first look.

So what happened? Well, it would appear that an eBay buyer discovered that a PC he bought contained approximately 1m credit card application records, including signatures and mother’s maiden name details. The machine was sold by an ‘ex-employee’ of a data archive company that was under contract to the banks. There are apparently other machines unaccounted for. Upon discovering the data, the buyer did the decent thing and called The Mail on Sunday rather than Thames Valley Police.

That means that the incident is less a ‘data loss’ and more a ‘data found’. The Mail on Sunday picture shows the buyer holding a server, so my guess on the chain of events is as follows:

  • bank scans card applications for electronic storage in order to reduce costs and simplify compliance;
  • after a period of time, the server used for this purpose is upgraded or replaced with a NAS. The bank orders the data to be destroyed and the archiving firm is left with the server;
  • at this point it’s quite possible that someone attempted to delete the data but failed to take into account the RAID array, so the data survived the deletion process;
  • the server was then either given to, or stolen by, the employee. It seems unlikely that the archiving company sold it, since it would have very little value to them at this point.
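The third step above is the one a decommissioning process most often gets wrong: an ordinary delete removes the directory entry and leaves the data blocks on the media intact. The following is an added illustration, not code from the post, using a constructed toy block device (a directory table plus fixed-size blocks) and constructed application records with a placeholder maiden-name field. It does not model a RAID array, but the check it ends with is the same one that applies to real disks and arrays: verify sanitisation by scanning the raw media for known plaintext, never by trusting the filesystem's view.

```python
"""Toy demonstration that unlinking a file does not destroy its contents.

Constructed example (not from the post): an in-memory "disk" with a directory
table and fixed-size data blocks. delete() drops only the directory entry, as
a conventional filesystem unlink does, so a raw scan of the blocks still finds
the records. sanitize() overwrites every block; the same raw scan afterwards is
the verification step a disposal checklist should include.
"""

BLOCK_SIZE = 64


class ToyDisk:
    def __init__(self, n_blocks: int = 32):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}          # filename -> list of block indexes
        self.free = list(range(n_blocks))

    def write(self, name: str, data: bytes) -> None:
        """Split data into blocks and record the allocation in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        idx = [self.free.pop(0) for _ in chunks]   # ascending, so blocks stay contiguous
        for i, chunk in zip(idx, chunks):
            self.blocks[i][:len(chunk)] = chunk
        self.directory[name] = idx

    def delete(self, name: str) -> None:
        """Unlink: only the metadata goes; the blocks return to the free list untouched."""
        self.free.extend(self.directory.pop(name))

    def sanitize(self) -> None:
        """Overwrite every block (used or free), then reset the metadata."""
        for block in self.blocks:
            block[:] = bytes(BLOCK_SIZE)
        self.directory.clear()
        self.free = list(range(len(self.blocks)))

    def raw_image(self) -> bytes:
        """What a forensic read of the media sees, ignoring the directory."""
        return b"".join(self.blocks)


def raw_scan(disk: ToyDisk, needle: bytes) -> int:
    """Count occurrences of a known plaintext marker in the raw image."""
    return disk.raw_image().count(needle)


def demo() -> tuple:
    """Return marker counts (after write, after delete, after sanitize)."""
    disk = ToyDisk()
    # Constructed records; the maiden-name field is a placeholder marker.
    records = b"".join(
        f"APP{n:04d},APPLICANT {n},MMN=EXAMPLE-MAIDEN-NAME\n".encode()
        for n in range(5)
    )
    disk.write("applications.csv", records)
    before = raw_scan(disk, b"MMN=")

    disk.delete("applications.csv")          # the file is "gone" ...
    after_delete = raw_scan(disk, b"MMN=")   # ... but the records are still on the media

    disk.sanitize()
    after_sanitize = raw_scan(disk, b"MMN=")
    return before, after_delete, after_sanitize


if __name__ == "__main__":
    print("marker hits (written, deleted, sanitised):", demo())
```

The point of `raw_scan` is that it never consults `directory`: an acceptance test for disposed hardware should read the underlying devices (every member of an array, not the logical volume) and confirm that a marker known to have been stored there no longer appears.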

Frankly it’s irrelevant whether the other machines have fallen into the hands of organised criminals: in these days of declarative living, we have to assume that most data about us is in the public domain, since we can’t trust third parties to keep it secret.

Why do UK financial institutions still rely on publicly available data such as mother’s maiden names and signatures to authenticate people? Look around the world at the banks issuing smartcards and readers for the same job (to be fair, a small number of UK institutions have started to adopt this approach). Customers can’t change their mother’s maiden name or their signature, so once these have been disclosed there’s no way to revoke or modify these credentials.

Recent changes to banking codes have placed a greater responsibility on customers to protect their credentials, and to keep their computers free of viruses and trojans. I think it’s time for the FSA and HM Treasury to intervene and rule that any institution that does not provide two- or three-factor authentication for online or telephone services must accept responsibility for all disputed transactions on those accounts. It’s a policy that would regenerate consumer confidence in online services, force the banks to get with the 21st century, and would not be expensive in the grand scheme of things, particularly if they were to join forces to offer tokens in a shared service infrastructure. But please, please, don’t link it to the National Identity Scheme.