[ISN] BankRI customer information stolen along with laptop

From: InfoSec News (isn@private)
Date: Mon Dec 22 2003 - 02:27:27 PST

  • Next message: InfoSec News: "[ISN] Next stop, jail"

    Forwarded from: William Knowles <wk@private>
    By Lucas Mearian 
    DECEMBER 19, 2003 
    Bank Rhode Island's CEO said today that her IT department plans to
    install encryption and fraud-detection software on computers after a
    laptop containing the names, addresses and Social Security numbers of
    about 43,000 customers was stolen from its principal data-processing
    provider, Fiserv Inc.
    "We are making certain what limited information is on [the laptops] is
    encrypted. We don't think there's any sensitive information on them.  
    But we're acting in an abundance of caution with respect to those
    laptops," BankRI President and CEO Merrill Sherman said.
    The theft of the laptop from Fiserv also prompted BankRI to install
    fraud-detection software on computers at its Providence, R.I.,
    headquarters and branch offices, Sherman said.
    "This has reinforced heightened scrutiny around security. We're pretty
    comfortable with our policies and procedures," said Sherman, adding
    that she is also comfortable with measures Fiserv is taking to ensure
    that customer data theft doesn't happen again.
    Les Muma, president and CEO of Brookfield, Wis.-based Fiserv, said the
    data on the laptop was password-protected but not encoded. Muma said
    the theft was a result of a single employee not following company
    policy regarding the storage of unencrypted data on laptops. The data
    was being used in a test scenario.
    "Our internal policies are damn tight. It was a terrible mistake, and
    the individual has been reprimanded," Muma said, adding that law
    enforcement authorities investigating the crime are confident that it
    was simply a petty theft and the thief was unaware of the data.
    The FBI, the U.S. Secret Service and local police agencies are all
    involved in the investigation, he said. "We keep hoping the PC will
    turn up, but odds are it's been fenced for money."
    Sherman said that the laptop didn't contain personal identification
    numbers, account passwords, debit or ATM card information, or other
    financial data, and that fewer than 100 of its customers' account
    numbers were on the computer's hard drive.
    BankRI, a wholly owned subsidiary of Bancorp Rhode Island Inc., has
    $800 million in deposits in 13 branches. The bank sent out letters to
    customers who could be affected by the theft, telling them that there
    is no risk to their bank accounts and giving them a hot line number to
    call if they discover any identify theft.
    Jerry Silva, a senior analyst at TowerGroup in Needham, Mass., said he
    wasn't surprised that sensitive customer information was contained on
    a laptop or that it was stolen, because more enterprises are trusting
    mission-critical data to third-party outsourcers and they haven't
    stopped to consider security issues around that decision.
    Silva said banks must begin thinking about data security in the same
    way the semiconductor industry treats cleanliness around the making of
    chips. In that industry, concentric rings of cleanliness become more
    stringent as people come closer to the room where silicone wafers are
    actually turned into chips.
    "Banking and ATM networks are very sensitive production resources.  
    It's not the same as someone attacking your Outlook server," he said.  
    "The bottom line is that we have to stop blaming Microsoft and the
    technology itself. Things are just open out there. Even a high
    schooler can program something at home and have it run on a bank's
    According to TowerGroup, identity theft accounts for more than $1
    billion a year in losses to banks.
    Silva said sensitive data should always be encrypted, whether in
    transit or at rest. Another alterative for banks is to take an
    auditing approach to third-party outsourcers, Silva said. That means
    discovering for themselves just how secure an outsourcer's procedures
    "It's another case where technology has gotten ahead of the mind-set.  
    If nothing else, you don't want the customer of a bank to think their
    information is running around on a laptop," Silva said.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Dec 22 2003 - 06:01:52 PST