Laptop-light GoCardless says customers' personal data may have been lifted

London-based payment processing firm GoCardless is warning customers that their personal information might have been exposed following the theft of 19 laptops from its offices last month. The "password protected" (not encrypted) laptops contained a file with customer personal data including email address, passport number, date …

  1. druck Silver badge

    Repetition

    Why the repetition on the quote in the article?

    1. VinceH

      Re: Repetition

      Because GoCardless repeated what they said in the email sent out to customers in their reply to El Reg?

      1. druck Silver badge

        Re: Repetition

        Well, as I told you, there is no need to say it twice to say it twice.

  2. Anonymous Coward

    Weasly bastards

    "There is a very low risk that this burglary will affect you as none of your financial data was involved, all the laptops were password protected, there is no firm evidence that any of the data was available on any stolen laptop"

    How do they know there is a very low risk, not a very high risk? They don't, weasly bastards.

    Laptops were password protected. Without full disk encryption even an idiot like me can recover files with physical access. Weasly bastards.

    No firm evidence that any of the data was available on any stolen laptop, I guess they just haven't got a fucking clue what was on the laptops. Weasly bastards.

    I'm not sure I could construct a single paragraph with so much crap in it.

    I've never heard of this bunch of cowboys before, but I have now. Thanks El Reg.

    1. Swarthy

      Re: Weasly bastards

      Wow. Okay, breathe.

      What they are saying is that some bastards broke in and stole a lot of electronic shiny; so they believe that it was a bunch of scrotes looking for crap to pawn, and not professionals who could retrieve and sell the personal data on the laptops. And because they were password protected, the aforementioned scrotes will likely just wipe the laptops rather than try to get the personal information out of the data files (presumably a proprietary format).

      1. Anonymous Coward

        Re: Weasly bastards

        Hi Swarthy,

        Do you work for GoCardless?

        Are you even vaguely familiar with data protection regulations?

        I'm guessing yes then no in relation to the above.

        1. Adam 52 Silver badge

          Re: Weasly bastards

          "Are you even vaguely familiar with data protection regulations?"

          I am. And they say nothing that would support your case. Only the precautions must be taken. Physical security is a perfectly reasonable precaution. One that works well for huge numbers of medical professionals dealing with much more sensitive data than this.

          "On average the time before they are recognized, separated and go their own special way is 2-3 minutes. Even binmen"

          You know what, the bin men (and woman) at our local tip are experts in separating all sorts of recyclable materials. It's their job and they are very good at it. Able to tell a LaserJet from an inkjet at 50m. Or a pine wardrobe from a chipboard one. I imagine that they do separate hard drives from metal or other electricals with no malicious intent. They're also quite hot at stopping attempts to steal said hard drives from the tip by locking them away.

          1. Voland's right hand Silver badge

            Re: Weasly bastards

            @ Adam 52

            They're also quite hot at stopping attempts to steal said hard drives from the tip by locking them away.

            Oh, definitely - because they are recycled at a premium. They are resold. This is in violation of electrical recycling regs, which actually prohibit the resale of electricals from a domestic refuse site. The food chain which feeds on the resale usually contains one or more persons who check them for interesting data. This has been tested (not by me, too lazy to dig out the actual FULLD mail from a couple of years ago) by using data containing spamtrap addresses and putting them on the drives.

        2. Swarthy

          Re: Weasly bastards

          No, I do not work for them. Admittedly, as a Yank, I am not entirely up to speed on EU/UK Data Protection Laws.

          I also was not holding GoCardless free of blame, I was translating the "Weasel Words" into non-corporate speech, and adding inferences about why they felt the risk to customers was very small.

          The "Okay, breathe" comment was in regards to the anger at a company that you had no connection with, exemplified by referring to them as "weasly bastards" several times. Had they lost your info and said "suck it up" then your rant would have been justified. As is, dude, take a breath.

      2. Voland's right hand Silver badge
        Thumb Down

        Re: Weasly bastards

        so they believe that it was a bunch of scrotes looking for crap to pawn,

        Try bringing a few enterprise class hard drives to your friendly local skip. Leave them next to the electronics dump, not thrown inside. Watch.

        On average the time before they are recognized, separated and go their own special way is 2-3 minutes. Even binmen know what they are dealing with and there is a jolly market going on where they are checked if there is anything interesting on them before they are resold on eBay. The same will most likely happen to the laptops. The people who stole them will not bother recovering the data. The food chain which fences them will do that for sure. 100% guaranteed.

        In any case, not having full disk encryption for a company is criminal. Even my kids' laptops are full-disk encrypted (after an incident where junior forgot his HP on a BA flight).

  3. Anonymous Coward

    Different email

    I got an email this afternoon from GoCardless as I am a customer. The subject was 'Gocardless Security Update' - hardly something to grab your attention relating to a security breach. I nearly ignored it.

    Odd thing is the email was totally different, less alarming and didn't mention the free monitoring. As you will see there wasn't much to worry about, but reading the email on The Register I would have been worried, particularly as today for the first time ever I got a very convincing phishing email with my full name and home postcode used.

    "We wanted to let you know that on the 7 January 2017, our premises were the victim of a burglary which affected our office and another company in the building. Despite CCTV surveillance, locked doors, and a 24/7 security guard, nineteen password protected GoCardless staff laptops were stolen.

    All of our payment processing systems are secure, remain uncompromised and were unaffected by the burglary. There has been no impact on our day to day business and we continue to process payments as normal.

    We have already informed the police, the Financial Conduct Authority and the Information Commissioner's Office of this burglary. We have also conducted an exhaustive internal investigation so that we can communicate to you any potential risks from this burglary.

    Our investigation has concluded that the stolen laptops may contain a file with the name and email address of the person that signed up to GoCardless. No other personal data was in this file.

    There is a very low risk that this burglary will affect you as this data has extremely limited use, there is no firm evidence that any of the data was available on any stolen laptop, and the burglars appear to have been targeting high value electronics rather than our data. However, we believe in transparency and so wanted to inform you of this burglary anyway.

    We apologise for any concern or uncertainty this may cause."

    1. VinceH

      Re: Different email

      "I got an email this afternoon from gocardless as I am a customer.

      [...]

      Odd thing is the email was totally different, less alarming and didn't mention the free monitoring. "

      I got a different version of the email again - even less alarming than yours; the first three paragraphs were the same as yours, then where yours mentions the file, mine says:

      "Our investigation has concluded that none of your data or your customers’ data was affected by this theft. However we believe in transparency and so wanted to inform you of this burglary anyway."

      Then finishes with the same apology, and another sentence offering an email address to get in touch.

      ISTM they've simply sent out a different email to different customers depending on how they're potentially affected; no data relating to me, name and email address for you, shit like passport number etc for whoever received the version in the El Reg article - and that's why that one gets the free monitoring.

  4. adnim
    FAIL

    The data

    shouldn't have been on any laptop.

    OK nothing is perfect... swap space, temp files, hibernation file etc., etc. There are many ways that sensitive data can make its way onto and be recovered from a laptop drive or indeed any PC/tablet/phone etc.

    The point is that if you have hardware that reads sensitive data the file system should be encrypted. And any place where the data could be stored during use should be zeroed/shredded at shut down.

    Yes I am paranoid.

    If they use a laptop as a secured server, then the above is moot.

  5. P. Lee

    re: The data shouldn't have been on any laptop

    Indeed. The fact that it was pretty much excludes the company from the "enterprise" category of people to deal with. But you do need some flexible IT. Give people sandpits so they can put together a linux box to process data if they want to. Just don't do it on laptops.

    It is actually pretty desirable for the employees too. Give them a thin, light laptop with some attached big screens and put the data on another box which is less nickable. Then the full drive encryption on laptops becomes less of a hazard, because there's no important data there anyway. It doesn't have to be perfect, it just has to be too hard to be worthwhile.

  6. Anonymous Coward

    Nobody told me

    They've shut down the customer website (don't know when) but, if like me you haven't heard a dicky bird from them, their email address is help@gocardless.com

  7. Velv
    Boffin

    Disk Encryption

    This is an example of why you apply disk encryption to not only your laptops but your desktops as well. Burglars will take both, and users do like to dump files locally.

    Servers may also require disk encryption if they're stored in a cupboard like many small businesses.

    Apologies for pointing out the blindingly obvious, but common sense really isn't that common.

  8. CAPS LOCK

    It's hard to understand anybody not using encryption now it's so easy...

    ... I guess they just use the laptops as they arrive from the supplier. My verdict? 'Cowboys'.

  9. innovato
    Alert

    gobsmacking....!

    Gobsmacked at lack of data security and naivety over laptop passwords....

    I'm a small user of their service, which I like, so shame they're learning this the hard way..... I've asked if they're getting someone in to overhaul their security. I dare say their blue chip list of clients will be giving them the 3rd degree.....

    Am still able to log in so doesn't look like they have suspended the site as mentioned elsewhere....

    In their favour, at least they have been very quick to notify users.

    I emailed asking for details of the ID monitoring service as not mentioned in their email yesterday....

    I hope they learn and progress as a good service otherwise.

  10. Zzzzzzz

    Huh

    Read this on here yesterday, got an email from them today, I'm not even a customer, just on their spam list... Idiots....
