Data regulators
Just Another F***ing Quango
Ooh we've never seen this happen before...
And neither know what to do or how to do it
The man who paid £35 for a server stuffed full of Royal Bank of Scotland and NatWest customer details has been left less than impressed with the reaction of UK data regulators. Andrew Chapman's story hit the news after he bought a server on eBay which contained over a million customer details including full account details, …
Far from being here to protect Joe Public, the so-called ICO watchdog seems to be more interested in protecting the interests of big business. Their disgraceful handling of the Phorm Webwise BT illegal data interception of many thousands of BT customers' data by a company which has alleged roots in spyware, as an example, is plain for all to see.
IMHO this case is another typical response by the ICO, who seem to care little for the interests of consumers, no matter how badly privacy has been breached, when set against the interests of big business.
The word puppet springs to mind.
Rang NatWest customer helpline. Asked for an update on whether I should close my account to protect my business interests. Was told "We are advising customers to regularly check their account status to prevent the possibility of fraud". Isn't that what every financial institution does anyway, whether or not they have just made public the contents of their databases? Hmm. Another way, maybe another bank!
Spoke to 3 different departments, none knew any more than the other (big surprise there then).
Conclusion: The wheel's still spinning but the hamster's dead!
Si.
should detail all the names on the computer so we can all make individual complaints to our banks and/or the useless Information Commissioner (I too found out they are a complete and utter waste of space).
Please Mr Chapman, give us an email address so we can check if we are on the server, or publish the names alone.
Thanks
Would it be the same ICO, perchance, that sided with the financial institution that refused to disclose my personal data to me on the grounds that disclosing the data would reveal the method used by said institution to collect data on its potential customers and that was a protected trade secret?
"Sorry, high ranking officials of the type that need to answer this are presently busy working out what to spend their money on (£13 billion bonuses paid) or at the golf course.
Your call is being handled by a call-handler on minimum UK wage after completing a PhD at a prestigious university.
Because of the high media coverage attracted by UK financial institutions due to high bonus values at a time of worldwide financial slump (well, western worldwide that is), high data security errors and general Sgt Bilko strategies in place your call handler cannot directly answer this query.
Can you try to recover your costs on eBay? Failing that if you want to rid yourself of the responsibilities you may wish to leave the device "forgetfully" (wink, wink) on local transport."
(Oh how I wish the above were fantasy)
"We asked the ICO about this and were told that since it knew what information was on the machine, nothing useful could be learnt from it."
That's it? The content of the drive might have already been copied a gazillion times, but that doesn't excuse the attitude of just letting the drive remain "in the wild".
Another nail in the coffin for letting the government handle ever-increasing info on its citizens.
I wonder if he put the server on ebay and said exactly what was on the server, how fast would it sell and for how much? And once it sold, how fast would the Bill be on his doorstep? The crux of the problem is that he is trying to do the right thing.
Perhaps an ebay auction that stated:
I will sell to the lowest possible bidder if that bidder is a government agency that, as a condition of its purchase, will investigate how this server could possibly have ended up in my hands and take appropriate action. Otherwise, I will sell to the highest bidder. As the government has no interest in this information to date, and I own the server, I should be able to sell at will with no legal ramifications.
He should put the server back up for sale with the information on it. Let's see how valuable the information really is. I'm sure he'd make a profit.
The interesting thing here is, is he committing any kind of offence by doing that, and it'd be interesting to see whether any of the banks, or government data protection organisations, step in to stop him, or make him a larger payment offer?
If the banks didn't offer to buy the server back off him, I would be very worried indeed - that would suggest they couldn't care less what happens to the information.
So there's this guy with 10^6 sets of bank details, who's made himself known to teh authoriteez but getting hold of the data isn't, like, important? It's not a blues & twos to recover the machine or anything silly like that?
I mean, it could get stolen or anything.
Idle, overpaid and useless.
"As the government has no interest in this information to date, and I own the server, I should be able to sell at will with no legal ramifications." From what little that I have heard on the news, the person that put this server on fleabay did not have clear title to this item, so neither does the person that purchased it, at least as I understand the law.
We run a company helping people get their bank charges back, and for our sins have to deal with these muppets on a weekly basis. We get claim forms sent back from the Financial Ombudsman Service because we haven't put the customer's occupation down... sometimes; other times they don't mind.
To my mind the OFT and FSA are the worst; the FSA's waiver to the banks last year was the biggest slap in the face to the consumer for a very long time. Apparently they put the waiver in place because customers' complaints weren't being handled consistently, only about 99% of customers were getting their charges back to the tune of millions of pounds. Of course the best way to protect the consumer was to put a waiver in place to stop anyone claiming. Of course, the banks are still able to charge even though the OFT have concluded a report into the fairness of bank charges and the High Court has declared they have the right to investigate and impose sanctions.
Of course it's not really surprising, as most of these regulators are headed up by ex-bankers anyway.
You also have banks ignoring data protection requests. They have 40 days to respond but often don't bother, and the ICO isn't interested.
My faith in these organisations is non existent.
Seeing as everyone seems to think that the ICO has powers it doesn't use, I think perhaps a little in defence of them is required.
The ICO does not have the power to intervene unless a complaint is made by someone affected by the breach. In fact, the ICO is hamstrung from the off, as it has no powers to start legal proceedings against careless data controllers, nor can anyone, yet, be imprisoned for illegal use of personal data. That's because the DPA is a civil matter, so fines are the only recourse and, because of the law, pathetically small, to the extent that, given the potential profit from the sale of personal data, there is no deterrent. The only time that criminal charges can be brought is if a decision notice from the ICO is ignored, as it then becomes contempt of court, which is a criminal offence.
@Class Action - my understanding of the law in the UK is that we don't have the same civil case procedure as the US, and although actual damages can be awarded, punitive damages aren't. Personally, I would like it to stay that way. The reason why you get such high-profile cases in the US is that attorneys know they won't earn much of a fee from actual damages, but as punitive damages are so large, their payday is huge. Should that style come to the UK, we will find ourselves living in a lawsuit society too scared to do anything as we might get sued, and that can only be bad.
Exec 1:"Ok, we need to think of a way of combatting the credit crunch and persuade people to spend more money"
Exec 2:"I know! Let's sell a couple of computers on ebay containing everybody's bank details. That way, the fraudsters can spend it for them...."
Will:"Why don't we just give the customers what they want, and keep their data secure?"
Exec 1:"Don't be daft Will......THIS is marketing!"
Exec 2:"Yeah, Will!......"
Since about half of all the responses so far have suggested things to do with the box, it might be worth re-iterating John Dougald McCallum's remark...
"From what little that I have heard on the news, the person that put this server on fleabay did not have clear title to this item, so neither does the person that purchased it, at least as I understand the law."
...and referring back to the original article, the ICO's position was basically "return it to Graphic Data". It *is* still their machine, and the bank's data. Given the publicity that (rightly) surrounds this case, Mr Chapman is currently a target for both law enforcement (looking to pin blame on someone if the data starts turning up elsewhere) and organised crime (looking to, er, spread the data elsewhere). If he hasn't already given it back to Graphic Data, he's not much of an IT expert.
NatWest obviously outsourced their archiving to Graphic Data, who then proceeded to give it away on eBay.
I think the legal liability (such as it is) for this is still with NatWest.
This is one of the great hidden costs of outsourcing, offshoring etc. You have unloaded the operational expenses to the lowest bidder. But you retain the legal liability for any screw-ups, plus all the "reputation risk" -- no one will remember it was Graphic Data who were responsible for the leak.
The banks actually deal in data that represents money. Because they still have the data they still have the money. But they don't have the data security, and for a bank that's supposed to keep money safe that seems very odd. Then it occurred to me: they look after the data that represents their own money, but if they lose our data that's only our money.
Each day we need to get a bit more control over our own lives and leave less in the hands of big unaccountable companies. If you entrust your money to someone else then it's no longer your money, at least in practical terms.
The ICO have done what they can do. They cannot take any action until anything illegal is done with the data. They won't want the hard drive because... well, would you want it?
But then hey, this site is getting filled more and more with thick as shit people who would rather shout and think in knee-jerk government, until it affects them. Please please please learn SOMTHING.
You tell us, you seem to be in a good position to know.
ICO may well have done all it can (i.e. fuck all). Oddly enough this is exactly why people are upset.
But shrugging their shoulders and saying, in effect, "I dunno, nowt to do with me, guv" is not an acceptable response. Someone from ICO should at the very least be prepared to kick up a stink, and the fact that they don't seem to think this is their job speaks volumes about them.
A public statement along the lines of "We take these matters very seriously and will investigate to the full extent our powers" wouldn't go amiss, even if in reality they don't have any.
And I'm not convinced that they can't do anything until someone directly affected complains. Firstly, there is a prima facie breach of the duty of care imposed by the DPA* to adequately secure such data. Secondly, there is no way for individuals to know whether or not their data is held on the machine. And thirdly, if, as we are to understand, the item in question was indeed sold without title, then the correct place for it is in the hands of Inspector Knacker, who will need it as evidence in their investigation of a theft that could yet have extremely serious consequences.
*The seventh principle, laid down in Schedule 1, Part 1 of the Data Protection Act 1998, which states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data", and the interpretation states that:
"Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures. "
Leaving a server containing a million people's PII lying around where someone can just half-inch it and sell it on eBay, without anyone noticing until it's splashed across the news media, would seem to fall somewhat short of these (legally enforceable) obligations, would it not?
So now, perhaps you've learned 'SOMTHING' about why people are reacting as they are.
I wonder why the Police aren't dealing with this matter? From what I have heard (Radio 4 news) the server has pretty clearly been stolen from a secure(!) holding facility whilst awaiting destruction, before being punted on eBay. I would expect the Police to be taking the stolen goods into their hands as evidence, or for the server to be returned to Graphic Data, the rightful owners. I would then expect eBay to fess up any contact details for the person that sold the stolen server to the Police.
Furthermore, I wouldn't expect Graphic Data to be in business in 12 months time, their security has broken down so, I'd imagine their customers will flee like rats leaving a sinking ship. I'd also imagine that the RBS/NW contracts stipulate in pretty explicitly clear text the requirements for data security.
For a bit of fun try this site, they have a listing for
The Information Commissioners Office (ID: 460)
http://www.kindlyfoxtrotoscar.com/?action=view_nominee&nID=460
click KFO if you think they are useless, and
click SOS if you think they do a good job.
In my experience, the ICO is about as much use as that other well-known body, OFCOM - pretty well nil in my estimation. I have approached both bodies with what I considered to be well-formed, reasoned and legitimate complaints (the details of which I will not bore you with here) and got fobbed off every time. It seems, according to the explanations I have been given, that you could drive a bus through the loopholes in the 1998 Data Protection Act and it's not worth the parchment it's written on.
I'll get me wig.