[ISN] Oops! Firm accidentally eBays customer database

From: InfoSec News (isn@private)
Date: Mon Jun 07 2004 - 23:55:55 PDT


    http://www.theregister.co.uk/2004/06/07/hdd_wipe_shortcomings/
    
    By John Leyden
    7th June 2004 
    
    A customer database and the current access codes to the supposedly
    secure Intranet of one of Europe's largest financial services groups
    were left on a hard disk offered for sale on eBay. The disc was
    subsequently purchased for just £5 by mobile security outfit Pointsec
    Mobile Technologies.
    
    According to Pointsec, one of the hard discs contained "highly
    sensitive information from one of Europe's largest financial services
    groups with pension plans, customer databases, financial information,
    payroll records, personnel details, login codes, and admin passwords
    for their secure Intranet site. There were 77 Microsoft Excel
    documents of customers' email addresses, dates of birth, their home
    addresses, telephone numbers and other highly confidential
    information, which if exposed publicly could cause irrevocable damage
    to the company." Pointsec isn't prepared to name the careless company.
    
    The incident recalls the episode four years ago when Sir Paul McCartney's
    banking details were discovered on a second-hand computer discarded by
    merchant bankers Morgan Grenfell Asset Management. The PC was released
    into the second-user market without first being wiped clean of data, a
    precaution that the majority of sellers still fail to take.
    
    Pointsec purchased 100 hard discs over auction sites as part of its
    research into the "lifecycle of a lost laptop". Pointsec found that
    they were able to read seven out of 10 hard-drives bought over the
    Internet at auctions such as eBay despite the fact all of them had
    "supposedly" been "wiped-clean" or "re-formatted". The company said
    the exercise illustrated how easy it is for identity thieves or
    opportunists to access highly sensitive and valuable company
    information from lost laptops and hard-drives. All the 100 hard drives
    and laptops purchased as part of Pointsec's research will be
    destroyed.
    
    
    Lost in transit
    
    The researchers also wanted to find out how easy it is to purchase and
    access information on laptops that are lost in transit at an airport
    such as Gatwick or handed in to the police. In all cases they found the
    laptops, and all the information residing on them, were put up for
    auction if they were not reclaimed after three months. Pointsec visited
    one of the auctions used by Gatwick airport, near Chertsey, and found that
    before even purchasing the laptops, the researchers were able to start
    up the laptops to inspect whether they worked. Using password recovery
    software they were able to access the information on one in three of
    these laptops. The exercise was repeated in Sweden, the US and
    Germany.
    
    In Sweden the first laptop Pointsec purchased at auction contained
    sensitive information from a large food manufacturer. When the hard
    disc was analysed they found four Microsoft Access databases
    containing company and customer related information and 15 Microsoft
    PowerPoint presentations containing highly sensitive company
    information.
    
    Tony Neate, Tactical & Technical Industry Liaison at the UK National
    Hi-Tech Crime Unit said: "Pointsec's research demonstrates just how
    easy it is to access information which is not adequately protected.  
    Encryption and other security measures are vital to ensure that
    security is not compromised - something as simple as a hard disk drive
    password can deter the opportunist."
    
    
    