back to article Data watchdogs did not want to see eBay bank server

The man who paid £35 for a server stuffed full of Royal Bank of Scotland and NatWest customer details has been left less than impressed with the reaction of UK data regulators. Andrew Chapman's story hit the news after he bought a server on eBay which contained over a million customer details including full account details, …


This topic is closed for new posts.
  1. N Silver badge

    Data regulators

    Just Another F***ing Quango

    Ooh weve never seen this happen before...

    And neither know what to do or how to do it

  2. Anonymous Coward

    The ICO is a lame duck

    Far from being here to protect Joe Public the so called ICO watchdog seems to be more interested in protecting the interests of big business. Their disgraceful handling of the Phorm Webwise BT illegal data interception of many thousands of BT customers data by a company who has alleged roots in spyware, as an example, is plain for all to see.

    IMHO this case is another typical response by the ICO who seem to care little for the interests of consumers, no matter how bad the privacy has been breeched, when set against the interests of big business.

    The word puppet springs to mind.

  3. Simon

    Asks Natwest for assistance and information, gets this:

    Rang Natwest customer helpline. Asked for an update on whether i should close my account to protect my business interests. Was told "We are advising customers to regularly check their account status to prevent the possibility of fraud" Isnt that what every financial institution does anyway whether or not they have just made public the contents of their databases. hmm Another way, maybe Another bank!

    Spoke to 3 different departments, none knew anymore than the other (big surprise there then).

    Conclusion: The wheel's still spinning but the hamsters dead!


  4. pctechxp

    Contempt for personal info

    Appears that the government's contempt for our personal details is spreading to the organisations whose job it is to protect us.

    Maybe those that want to live 'off the grid' have got the right idea.

    Mine's the light bending one, now you see me....

  5. Anonymous Coward
    Anonymous Coward

    Perhaps Mr Chapman...

    should detail all the names on the computer so we can all make individual complaints to our banks and/or the useless information commissioner (I too found out they are complete and utter waste of space) .

    Please Mr Chapman, give us an email address so we can check if we are on the server, or publish the names alone.


  6. Mark
    Thumb Up

    Can't give it back? Sell it.

    Well someone will want it - put it back on ebay :)

  7. Jon Press

    You can have anyone's details but your own

    Would it be the same ICO, perchance, that sided with the financial institution that refused to disclose my personal data to me on the grounds that disclosing the data would reveal the method used by said institution to collect data on its potential customers and that was a protected trade secret?

  8. Anonymous Coward

    Give over?

    "Sorry, high ranking officials of the type that need to answer this are presently busy working out what to spend their money on (£13 billion bonuses paid) or at the golf course.

    Your call is being handled by a call-handler on minimum UK wage after completing a PhD at a prestigious university.

    Because of the high media coverage attracted by UK financial institutions due to high bonus values at a time of worldwide financial slump (well, western worldwide that is), high data security errors and general Sgt Bilko strategies in place your call handler cannot directly answer this query.

    Can you try to recover your costs on eBay? Failing that if you want to rid yourself of the responsibilities you may wish to leave the device "forgetfully" (wink, wink) on local transport."

    (Oh how I wish the above were fantasy)

  9. Anonymous Coward
    Anonymous Coward

    I'm not too hot on law

    but as natwest customers, couldn't people have some sort of class action suit against them for miss handling their data?

  10. Anonymous Coward
    Anonymous Coward

    Customers be d@mned...

    "We asked the ICO about this and were told that since it knew what information was on the machine, nothing useful could be learnt from it."

    That's it? The content of the drive might have already been copied a gazillion times, but that doesn't excuse the attitude of just letting the drive remain "in the wild".

    Another nail to the coffin in letting the gov handle ever increasing info on its citizen

  11. soaklord

    Hmm... No government entity has an interest...

    I wonder if he put the server on ebay and said exactly what was on the server, how fast would it sell and for how much? And once it sold, how fast would the Bill be on his doorstep? The crux of the problem is that he is trying to do the right thing.

    Perhaps an ebay auction that stated:

    I will sell to the lowest possible bidder if that bidder is a government agency that, as a condition of its purchase, will investigate how this server could possibly have ended up in my hands and take appropriate action. Otherwise, I will sell to the highest bidder. As the government has no interest in this information to date, and I own the server, I should be able to sell at will with no legal ramifications.

  12. Seán

    hello hello hello

    In self defence then one is obliged to give these people false information in order to prevent identity theft. Not that I ever told a bank my real DOB or mothers maiden name but at least now I have a reasonable excuse for my er defensive measures.

  13. Anonymous Coward
    Anonymous Coward

    How much is the information worth?

    He should put the server back up for sale with the information on it. Let's see how valuable the information really is. I'm sure he'd make a profit.

    The interesting thing here is, is he comitting any kind of offence by doing that, and it'd be interesting to see whether any of the banks, or goverment data protection organisations step in to stop him, or make him a larger payment offer?

    If the banks didn't offer to buy the server back off him, I would be very worried indeed - that would suggest they couldn't care less what happens to the information.

  14. Michael

    Sell it to a competitor

    I bet they'd love to have the details of everyone who just lost trust in their bank.

  15. Anonymous Coward
    Anonymous Coward

    Well if they don't want it.

    I am sure others would be interested in seeing it possibly they could put it on line for all of us to get a gander since it isn't of any value any more.

  16. Anonymous Coward
    Anonymous Coward

    earth to information commissioner

    So there's this guy with 10^6 sets of bank details, who's made himself known to teh authoriteez but getting hold of the data isn't, like, important? It's not a blues & twos to recover the machine or anything silly like that?

    I mean, it could get stolen or anything.

    Idle, overpaid and useless.

  17. John Dougald McCallum


    "As the government has no interest in this information to date, and I own the server, I should be able to sell at will with no legal ramifications."From what little that I have heard on the news the person that put this server on fleabay did not have clear title to this item so neither does the person that purchased it,at least as I understand the law

  18. Anonymous Coward
    Anonymous Coward


    You'd be one of the lucky ones if your information was on there. In the future, if you ever had any kind of fraud activity on your account, you could sue NatWest because it was probably their fault.

  19. Will

    OFT, FSA, ICO are all pants

    We run a company helping people get their bank charges back, and for our sin have to deal with these muppets on a weekly basis. We get claim forms sent back because from the Financial Ombudsman's service because we haven't put the customers occupation down...sometimes, other times they don't mind.

    To my mind the OFT and FSA are the worst, the FST's waiver to the banks last year was the biggest slap in the face to the consumer for a very long time. Apparently they put the waiver in place because customers complaints weren't being handled consistently, only about 99% of customers were getting their charges back to the tune of millions of pounds. Of course the best way to protect the consumer was to put a waiver in place to stop anyone claiming. Of course, the banks are still able to charge even though the OFT have concluded a report in to the fairness of bank charges and the high court have declared they have the right to investigate and impose sanctions.

    Of course its not really surprising as most of these regulators are headed up by ex bankers anyway.

    You also have banks ignoring the data protection requests. They have 40 days to respond but often don't bother, the ICO isn't interested.

    My faith in these organisations is non existent.

  20. PJH

    It's not the people listed on this one...

    ... that need to worry; they know where the data is, and is, presumably, safe now.

    It's the people possibly listed on the other computer they've lost that need to worry..

  21. soaklord

    @John Dougald McCallum

    Hmm... McCallum You aren't by any chance a Glaswegian McCallum are you? My family is from that part of the world, same surname.

  22. Anonymous Coward

    Can't get too excited about any of these...

    Oh, look, somebody's cocked up and lost some data - which has been found by a nice man in Oxfordshire. No harm done.

    Umm, what about all the other massive data leaks that DON'T get found by nice men in Oxfordshire...?

  23. Anonymous Coward

    @The ICO is a lame duck et al.

    Seeing as everyone seems to think that the ICO has powers it doesn't use, I think perhaps a little in defence of them is required.

    The ICO does not have the power to intervene unless a complaint is made by someone affected by the breach. In fact, the ICO is hamstrung from the off as it has no powers to start legal proceedings against careless data controllers nor can anyone, yet, be imprisoned for illegal use of personal data. That's because the DPA is a civil matter so fines are the only recourse and, because of the law, pathetically small to the extent that, given the potential profit for the sale of personal data, there is no deterrent. The only time that criminal charges can be brought are if a decision notice from the ICO is ignored as it then becomes contempt of court which is a criminal offence.

    @Class Action - my understanding of the law in the UK is that we don't have the same civil case procedure as the US and although actual damages can be awarded, punitive damages arn't. Personally, I would like it to stay that way. The reason why you get such high profile cases in the US is attorneys know that they won't earn much of a fee from actual damages but as punitive damages are so, that their payday is huge. Should that style come to the UK, we will find ourselves living in a lawsuit society too scared to do anything as we might get sued and that can only be bad.

  24. Andy Worth

    New Natwest advert?

    Exec 1:"Ok, we need to think of a way of combatting the credit crunch and persuade people to spend more money"

    Exec 2:"I know! Let's sell a couple of computers on ebay containing everybody's bank details. That way, the fraudsters can spend it for them...."

    Will:"Why don't we just give the customers what they want, and keep their data secure?"

    Exec 1:"Don't be daft Will......THIS is marketing!"

    Exec 2:"Yeah, Will!......"

  25. Ken Hagan Gold badge

    Selling it

    Since about half of all the responses so far have suggested things to do with the box, it might be worth re-iterating John Dougald McCallum's remark...

    "From what little that I have heard on the news the person that put this

    server on fleabay did not have clear title to this item so neither does

    the person that purchased it,at least as I understand the law."

    ...and referring back to the original article, the ICO's position was basically "return it to Graphic Data". It *is* still their machine, and the bank's data. Given the publicity that (rightly) surrounds this case, Mr Chapman is currently a target for both law enforcement (looking to pin blame on someone if the data starts turning up elsewhere) and organised crime (looking to, er, spread the data elsewhere). If he hasn't already given it back to Graphic Data, he's not much of an IT expert.

  26. James Anderson Silver badge

    Outsourcing, Offshoring etc.

    NatWest obviously outsourced thier archiving to GraphicData who then proceeded to give it away on e-Bay.

    I think the legal liability (such as it is) for this is still with NatWest.

    This is one of the great hidden costs of outsourcing, offshoring etc. You have unloaded the operational expenses to the lowest bidder. But you retain the legal liability for any screw ups, plus all the "reputation risk" -- no will will remember it was Graphic Data who were responsable for the leak.

  27. Wayland Sothcott Bronze badge

    Money is represented as data

    The banks actually deal in data that represents money. Because they still have the data they still have the money. But they don't have the data security and for a bank thats supposed to keep money safe that seems very odd. Then it occured to me, they look after the data that represents their own money but if they loose our data that's only our money.

    Each day we need to get a bit more control over our own lifes and leave less in the hands of big unaccountable companies. If you entrust your money to someone else then it's nolonger your money, at least in practical terms.

  28. Anonymous Coward

    Why are some people so dumb.

    The IOC have done what they can do. They cannot take any action untill anything illigal is done with the data. They won't want the hard drive because... well, would you want it?

    But then hay, this sight is getting filled more and more with thick as shit people who would rather shout and thinkin knee jerk govenment, untill it affects them. Please please please learn SOMTHING.

  29. Brian Miller

    Flaming AC

    Some people are dumb, look in the mirror, and look at your spelling.

  30. b166er


    Exactly how is one supposed to live off the grid?

    Whilst I was born in the UK, free, owing nothing, I have as yet been unsuccessful finding any way of continuing to exist in that manner.

  31. Simon B

    Put it back on ebay!

    Put it back on ebay! See if having the machine with al these personal details being put for auction to any scum makes them get interested. They don't give a fuck about our security, do as we say, we can't be arsed.

  32. The Other Steve

    RE : Why are some people so dumb.

    You tell us, you seem to be in a good position to know.

    ICO may well have done all it can, (e.g. fuck all). Oddly enough this is exactly why people are upset.

    But shrugging their shoulders and saying, in effect, "I dunno, nowt to do with me, guv" is not an acceptable response. Someone from ICO should at the very least be prepared to kick up a stink, and the fact that they don't seem to think this is their job speaks volumes about them.

    A public statement along the lines of "We take these matters very seriously and will investigate to the full extent our powers" wouldn't go amiss, even if in reality they don't have any.

    And I'm not convinced that they can't do anything until someone directly effected complains. Firstly there is a prima facie breach of the duty of care imposed by the DPA* to adequately secure such data. Secondly there is no way for individuals to know weather or not their data is held on the machine. And thirdly, if. as we are to understand, the item in question was indeed sold without title, then the correct place for it is in the hands of inspector knacker, who will need it as evidence in their investigation of a theft that could yet have extremely serious consequences.

    *The seventh principle, laid down in Schedule 1, Part 1 of the Data Protection Act !998, which states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data", and the interpretation states that :

    "Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

    (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

    (b) take reasonable steps to ensure compliance with those measures. "

    Leaving a server containing a millions people's PII lying around where someone can just half inch it and sell it on eBay without anyone noticing until it's splashed across the news media would seem to fall somewhat short of these (legally enforceable) obligations, would it not ?

    So now, perhaps you've learned 'SOMTHING' about why people ate reacting as they are.

  33. Anonymous Coward
    Anonymous Coward


    I wonder why the Police aren't dealing with this matter? From what I have heard (Radio 4 news) the server has pretty clearly been stolen from a secure(!) holding facility whilst awaiting destruction, before being punted on Ebay. I would expect the Police to be taking the stolen goods into their hands as evidence, or for the server to be returned to graphic data, the rightful owners. I would then expect Ebay to fess up any contact details for the person that sold the stolen server to the Police.

    Furthermore, I wouldn't expect Graphic Data to be in business in 12 months time, their security has broken down so, I'd imagine their customers will flee like rats leaving a sinking ship. I'd also imagine that the RBS/NW contracts stipulate in pretty explicitly clear text the requirements for data security.

  34. Anonymous Coward
    Thumb Up

    The Information Commissioners Office (ID: 460)

    for a bit of fun try this site, they have a listing for

    The Information Commissioners Office (ID: 460)

    click KFO if you think they are useless, and

    click SOS if you think they do a good job.

  35. David

    ICO toothless

    In my experience, the iCO is about as much use as that other well-known body, OFCOM - pretty well nil in my estimation. I have approached both bodies with what I considered to be well-formed, reasoned and legitimate complaints (the details of which I will not bore you with here) and got fobbed off every time. It seems, according to the explanations I have been given, that you could drive a bus through the loopholes in the 1998 Data Protection Act and it`s not worth the parchment it`s written on.

    I`ll get me wig.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021