Feeds

Oops! Firm accidentally eBays customer database

Financial records? Yours for a fiver

  • alert
  • submit to reddit

High performance access to file storage

A customer database and the current access codes to the supposedly secure Intranet of one of Europe's largest financial services group was left on a hard disk offered for sale on eBay. The disk was subsequently purchased for just £5 by mobile security outfit Pointsec Mobile Technologies.

According to Pointsec, one of the hard disks contained "highly sensitive information from one of Europe's largest financial services groups with pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. There were 77 Microsoft Excel documents of customers email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information, which if exposed publicly could cause irrevocable damage to the company." Pointsec isn't prepared to name the careless company.

In 2000, Sir Paul McCartney's banking details were discovered on a second-hand computer discarded by merchant bankers Morgan Grenfell Asset Management. The PC was released into the second-user market without first being wiped clean of data.

Pointsec purchased 100 hard disks over auction site as part of its research into the "lifecycle of a lost laptop". It was able to read seven out of 10 hard-drives bought over the Internet at auctions such as eBay ,despite the fact all of had "supposedly" been "wiped-clean" or "re-formatted". T

The company said the exercise illustrates how easy it is for identity thieves or opportunists to access highly sensitive and valuable company information from lost laptops and hard-drives. All the 100 hard drives and laptops purchased as part of Pointsec's research will be destroyed.

Lost in transit

The researchers also wanted to find out how easy it is to purchase and access information on laptops that are lost in transit at an airport Gatwick or handed into the Police. In all cases they found the laptops and all the information residing on them, were put up for auction if they were not reclaimed after three months. Pointsec visited one of the auctions used by Gatwick Airport, near Chertsey, and found that before even purchasing the laptops, the researchers were able to start up the laptops to inspect if they worked. Using password recovery software they accessed the information on one in three of these laptops. The exercise was repeated in Sweden, the US and Germany.

In Sweden the first laptop Pointsec purchased at auction contained sensitive information from a large food manufacturer. The info recovered included four Microsoft Access databases containing company and customer- related information and 15 Microsoft PowerPoint presentations containing highly sensitive company information.

Tony Neate, tactical and technical industry liaison at the UK National Hi-Tech Crime Unit, said: "Pointsec's research demonstrates just how easy it is to access information which is not adequately protected. Encryption and other security measures are vital to ensure that security is not compromised - something as simple as a hard disk drive password can deter the opportunist." ®

Related stories

Paul McCartney account details leaked on second user PC
Datawiping works (true)
Datawiping doesn't work
PDA security slackers, the lot of you
62,000 mobiles lost in London's black cabs

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.