When it comes to data breaches, it seems the hits just keep on coming. I ran across this somewhat disturbing story in the UK's Daily Mail in which a computer was sold on eBay containing the personal information on thousands of UK banking customers from NatWest, Royal Bank of Scotland and American Express. An employee of the banks' outsourced data storage vendor, Graphic Data, took the computer and sold it on the online auction site. The Mail article doesn't mention how this employee got his hands on the PC. However, there is no doubt that someone at the firm dropped the ball. I know some companies sometimes sell old computers to employees, with wiped drives, of course. (My own company used to do this, according to my IT go-to guy, but stopped a couple of years ago.)
It was also unclear in the article whether this data was actually used by thieves. Maybe the eBay seller was just a careless employee? It could have been an accident, but don't tell that to the thousands of people whose personal information (including signatures!) was on that hard drive. Luckily, the buyer turned out to be an honest fellow so there's a slim chance that none of the data fell into the wrong hands.
This instance certainly drives home the need for banks to vet technology service providers and to perform thorough due diligence on every one of them on an ongoing basis. In a feature on vendor management I wrote for the August issue, the topic of security and vendors came up. Everyone interviewed for the article basically said the same thing: The vendor/outsourcer must meet the same security standards as your bank because it should be considered an extension of the bank.
When there's a data breach, the customers won't care if it was the fault of the bank's outsourced service provider. The only name they'll see and care about is the bank's name. And the bank is ultimately the one that takes the hit.
Hopefully the Mail story will have a "happy" ending and investigators will find that the data wasn't used at all.