OMEN
11-21-2007, 09:39 AM
UK data-loss scandal could force banks to close accounts
U.K. banks could be forced to close the accounts of all child benefit claimants affected by an HMRC "operational failure" that resulted in the loss of 25 million records stored on discs, a Gartner analyst has warned. Its loss, moreover, proves to at least one fraud expert that the British government can't be trusted with biometric information, and that the U.K. national ID scheme is untenable.
Chancellor of the Exchequer Alistair Darling admitted that discs containing the records of up to 25 million child benefit claimants were lost in transit to the government watchdogs at the National Audit Office. The lost discs were password-protected but not encrypted, and included bank details and national identity numbers.
Fraud expert and world-renowned former con artist Frank Abagnale isn't buying the idea that the data just fell off a truck, so to speak.
"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data," said Abagnale, author of Catch Me If You Can and a fraud expert who has worked extensively for the FBI over the past 32 years.
Whatever the source of the breach, it could prove costly. If the banks were forced to close those accounts because the data fell into criminal hands, it could cost as much as $615 million to the U.K. banking system.
Don't worry about the criminal element...
Avivah Litan, a Gartner distinguished analyst, said the data loss is especially serious because it includes bank account details, and the security and fraud detection systems for bank accounts are much less advanced than those for credit cards.
"The data lost -- bank account numbers, names and addresses -- represents a goldmine for the thieves and is much more valuable to them than credit card numbers or taxpayer ID numbers," said Litan.
"Even the possibility of such a move will throw the U.K. banks into emergency response mode, and they will need to closely monitor all fund transfers out of potentially affected accounts."
Litan said the issue was especially problematic as the U.K. is shortly due to implement its Faster Payments initiative, which will usher in nearly immediate funds transfer.
Litan said the banks would be on high alert looking for suspicious activity related to the accounts and "at the first sign of any activity would shut down accounts."
But Litan said the likelihood that the data has fallen into criminal hands was extremely low.
"History shows that a citizen with sensitive account data contained on lost media has a less than 1% chance of falling victim to identity theft," she said.
...on second thought, worry now and avoid the rush
But don't feel good about those numbers just yet. Governments, corporations and local authorities do a "horrible job of protecting data," said Abagnale.
"Don't send sensitive records by courier or through the mail. It's just common sense, and good business practice that someone should not have done that. The U.K. government needs to do a much better job of protecting the information of its citizens," he said.
"The government would not ship gold bullion via an unsecured courier or [similar] method, and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."
He added: "This is what scares me about the concept of the U.K. ID card. Taking all of this information, including biometric information, and putting it into one place is dangerous. It is allowing one weak link in the chain -- for instance, a criminal -- to approach someone to steal information."
While biometrics is excellent for providing access to entering and leaving buildings, people shouldn't trust the government with their DNA, he says: "I would never able to ... wouldn't trust them with that information."
"[Governments and corporations] won't spend the money to make as secure as it could be. They will cheat out on it. Those are my concerns," he added. "The technology is there. There are hundreds of off the shelf identity management software products out there that can do a good job of controlling the data and controlling who sees the data."
ID thieves will often obtain records and hold them for years after the theft before embarking on fraudulent activity, said Abagnale, who urged the U.K. government to provide stringent long-term monitoring service for those affected. "The government needs to be more specific about what it is going to do to protect its citizens if their information is out there. They need to provide monitoring service to monitor credit records for at least three years, because this activity might not surface for a year."
If the data was stolen, then it is likely the thief will "sit on" this information for a number of years before harvesting identities. "Because the records are for younger people, many may not have a credit record yet. Once they reach adult age, they could find their identity had been sold before they've even started on life."
The recent incident of large-scale data loss highlights the difference between data breach notification laws in the U.S. and the U.K. The U.K. government waited more than 10 days to notify parliament and the public of the breach. In the U.S., under current laws, the government would have had to notify immediately.
Out of control?
Philip Wicks, a consultant for business and technology consultancy Morse, said: "Organizations should put in place technology controls that prevent sensitive and confidential data being copied to disks or any other devices that can be taken offsite.
"If and when there is a need for data to be taken offsite, a special request should be made and granted only when assurances are given on how the data will be secured."
The lost data appears not to have been encrypted, and security specialist McAfee said the data breach was "yet another example of the danger of putting sensitive information on an easy to lose format such as discs and the result of internal policies not being backed up by good security practice."
Computerworld