Almost 900 customer details stored on a USB stick were lost

Nov 6, 2008 10:11 GMT

The Bank of Ireland (BOI) has launched an internal investigation after finding out that a USB stick containing account details was lost. The bank informed the affected customers and placed the accounts under supervision for suspicious activity.

According to the bank, a single employee was responsible for the incident, and he violated its security policies when he copied the data onto a USB device and removed it from the office. "We would see this as an isolated incident that is in breach of bank policy," BOI's Media Relations Manager, Anne Mathews, told the Irish Independent.

The data on the lost memory stick was gathered during a customer study ordered by the bank; unfortunately, it lacked any form of protection, such as encryption or a password. While no detailed financial information was stored, the stick did contain account numbers and their associated names, addresses and, in some cases, even phone numbers.

Even though this is enough for identity theft attacks, the bank has as yet no reason to believe that the data has fallen into the hands of cybercriminals. The affected account-holders have been notified of the incident and assured that the chance of them falling victim to bank fraud is very slim. In addition, the bank decided to monitor the accounts for unauthorized access or other activity that would raise concerns.

The removal of sensitive data on unencrypted USB devices by poorly trained employees is a recurring theme in a large percentage of data loss incidents. “Sadly it seems the message about the need for greater care over the transport of sensitive data just isn’t getting through to some businesses - or at least that workers cannot be trusted to follow security guidelines and policies,” Graham Cluley, Senior Technology Consultant at security vendor Sophos, wrote in connection with this incident. “If you cannot enforce a policy across your workforce then there is the risk that your employees are putting the reputation of your company directly into the firing line,” he added.

Just a few days ago, an employee of Atos Origin, the company that manages the UK government's Gateway financial service, wrongfully removed a USB stick containing the source code of the system as well as login credentials for several accounts. Given that the Gateway system is used by individuals and companies for tax and VAT returns, child benefits, pension entitlements and other services, this incident put millions of UK taxpayers at risk.