Computer Bought On eBay Contains 1M Bank Customer Records


The British press is reporting this morning that a computer purchased for £35 on eBay contained the personal records of some 1 million customers of Natwest and Royal Bank of Scotland (RBS). The information, according to a story in the London Times, "... is believed to include names, addresses, mobile phone numbers, bank account numbers, sort codes, credit card numbers, mothers' maiden names and even signatures," as well as "sensitive balance transfer information about American Express credit card customers."

According to a story in the London Guardian, "The computer had belonged to data processing company Mail Source, part of Graphic Data, a firm that holds financial information for organisations, and was originally used at the firm's archive centre in Shoeburyness, Essex."

"The machine had been removed from the company's secure storage facility in Essex and sold on the internet auction site."

"In a statement, Mail Source said it had no idea why the computer was sold on eBay, but added: 'Investigations are still ongoing to find out how this equipment was removed from one of Graphic Data's secure locations.'"

Per SOP, Mail Source expressed its regrets.

In another story today, Best Western Hotels, the largest chain of hotels in the world, is denying a story that appeared over the weekend claiming that 8 million of its customer records had been stolen by an India-based hacker. Sunday's story claimed that the details of every customer who had stayed at the 1,312 European Best Westerns from 2007 through 2008 had been compromised.

Best Western claims that this is nonsense and says that, at most, only 13 customers at one hotel had been exposed. It is challenging the Glasgow Sunday Herald, which published the story, to show proof of its claims.

Next, there was another story today in the Washington Post that says there have been more US data breaches so far in 2008 than in all of 2007. The Identity Theft Resource Center of San Diego, which keeps track of such things, claims that 449 U.S. businesses, government agencies and universities have reported losses so far this year, as opposed to 446 in all of last year.

However, the 22 million customer records "lost" so far in 2008 are only about 1/6th of last year's total.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City