The biggest data disaster ever
Posted: Friday, November 30 at 05:15 am CT by Bob Sullivan
It's being called the worst data leak of the information age. Earlier this month, U.K. officials had to admit they'd lost computer disks containing personal information on almost half the country's population, including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose -- consumer bank account numbers.
It's a data scandal fit for tabloids. The price tag put on the loss is already $500 million. Prime Minister Gordon Brown had to issue a public apology, and the head of Britain's Revenue and Customs office was forced to resign. The U.S. audience might have missed the initial news because the story broke during the Thanksgiving holiday. But the obvious question floating across the Pond is this: Could something that dramatic happen in the United States?
Yes, most experts say. And the consequences here would be even worse.
The computer disks lost by British officials contained intimate details on every family in the United Kingdom that claims the child benefit -- a government subsidy payment that goes to every household with children. The disks were lost while being sent between government agencies. The information on them included the names, addresses, dates of birth, insurance numbers and banking details. In all, data on 25 million of Britain’s 60 million citizens were on the disks.
The scale of the loss is staggering -- just shy of half the nation's population.
"We've never had anything like this," said Avivah Litan, a bank security analyst with consulting firm Gartner. The stolen Veterans Administration laptop may sound comparable in number (26 million), but the type of data lost in that incident -- Social Security Numbers -- pales in comparison to the lost U.K. tapes, Litan says.
Toby Weiss, president and CEO of Application Security Inc., says consumers may have grown a bit numb to large-scale data losses by now, with their spectacular multimillion-name lists of victims.
[Image: Gordon Brown]
"Wow, when you're talking about names of children and their addresses, and bank account information, this is a whole different kettle of fish," he said. "The fact that it's so much important information in one shot, we've never had anything to compare with that."
Hot items on the black market
To really understand the importance of the U.K. leak, it's important to understand how valuable raw bank account information is. In a report written soon after the U.K. incident, Litan said Social Security numbers sell for as little as $5 on the ID theft black market. But live bank account information can sell for as much as $400.
Why? It actually takes some effort to turn Social Security numbers and even credit card numbers into cash. Social Security numbers are only a building block that can be used to apply for credit. Card companies have sophisticated tools designed to catch fraud as it happens, including software that spots unusual purchases and stops criminals in their tracks.
But banks have no such protections on checking account transactions, Litan says. In fact, anyone with a bank account number and routing number can print up fake checks and start draining consumer accounts. Banks don't even process checking account transactions in real time. Instead, they are batch-processed, generally once each day, through a system called ACH, or Automated Clearing House. So there really is little defense against a large-scale checking account theft. Millions of checking account numbers falling into criminals’ hands would be difficult to combat.
"ACH is an accident waiting to happen," Litan said. "It's the 'not-talked about-network,' but it has a lot of vulnerabilities. ... Big banks are more worried about check fraud than anything else."
But even if lost bank account numbers never fell into criminal hands, the hassle and cost of such an incident would be enormous for both banks and consumers.
Whenever a large-scale theft of credit card numbers is revealed -- such as the theft of nearly 90 million account numbers from TJ Maxx -- card-issuing banks generally adopt a wait-and-see attitude. Sophisticated systems allow them to flag potentially stolen card numbers and watch carefully for signs of fraud.
There is simply no parallel system for bank account numbers, Litan said. So a similar incident in the United States might force banks to close and re-issue millions of checking accounts, at enormous expense.
"The impact on people's personal lives would just be untold. If you've ever had to change your credit card number you know it's a pain in the butt. When you talk about bank account numbers you multiply that tenfold," Weiss said. Consumers might spend days, or even weeks, unable to pay their bills or reliably access cash, he said. "It's a lot harder to issue someone new bank account numbers than new credit card numbers. ... It's safe to say this kind of thing (could cause) a recession."
New tools being tested
Richard Oliver, executive vice president with the Federal Reserve Bank in Atlanta, has spent the last 10 years studying electronic payments and hosting conferences on payment security. He said the bank electronic payments association, called NACHA, is currently testing tools that would improve banks' check fraud prevention.
"There are efforts under way to make ... these transactions more secure," he said. While not as alarmed about the prospect of large-scale fraud as some others, he added "obviously, there's a problem."
Still, cleanup from even a relatively benign data loss -- where fraud was very unlikely -- would be very costly for banks, he said.
"It's certainly $10 to $20 per account," he said. "And it could go higher."
One saving grace for the United Kingdom in light of the data leak is the concentration of the banking industry there. Five banks control about 90 percent of all accounts in England, making it quite a bit easier for banks to collaborate on fraud prevention. In the United States, where there are 10,000 banks, regulations prevent any institution from controlling more than 10 percent of all depositors, Litan said.
"It's much easier for crooks to get by in the U.S., where there's 10,000 targets," she said.
That means a data loss such as the U.K. incident would be even more dire here in the states.
While there’s no U.S. government program that's analogous to the U.K. child benefit program, plenty of federal agencies hold vast amounts of personal information, including bank account numbers, said Larry Ponemon, a privacy researcher who runs The Ponemon Institute. The IRS, for one, controls data every bit as rich as that lost in the United Kingdom. So does the Social Security Administration, which has millions of bank account numbers for direct deposit payments.
"Absolutely, it's possible," for a similar event to occur here, Ponemon said. In fact, it may have already happened, he said.
Despite aggressive disclosure laws requiring companies and agencies to admit to consumers when data is lost or stolen, Ponemon believes the vast majority of such incidents still go unreported.
"My gut says 80 percent," he said. "Actually, it's more than my gut, that's based on four years of research." In his studies, three-fourths of all companies admit to some kind of data leak. If all of them disclosed the leaks, the stream of press releases would be never-ending.
Exact threat is hard to determine
Still, despite spectacular news stories involving lost data and isolated stories of bank account thefts, clearly there has not been any large-scale raiding of consumer bank deposits by criminals. That leaves most analysts, and even the Federal Reserve, at a loss to describe how real the threat is.
"The issue nobody has their hands around is, 'How big a problem is this, actually?'" Oliver said. "We see dramatic instances of theft. But the Fed has tried to do studies on check fraud, and it's very hard to get financial institutions to be forthcoming, and to get our hands on how big a problem this is."
Weiss, the security firm CEO, is concerned that if the U.S. banking system doesn't take the chance to learn from Britain's incident, we may all find out when it's too late. In his mind, the incident proves even the largest organizations are still far too cavalier with personal information.
"This is a continuation of a trend we are seeing in the market. … The big question is: How did so much data wind up on a portable medium?" he said. "How could someone pull down that much data without alarm bells going off? Whatever we're doing obviously isn't working. There is too much data moving around way too much."
So, if someone got 100 million live US bank account numbers (and temporary control of a small bank somewhere) they could withdraw $100 from each and the next morning transfer the funds (about ten thousand million) overseas, then move it 10 more times the next day before finally settling into a comfortable hiding place somewhere?
Bob, Washington DC (Sent Nov 30, 2007 7:35:12 AM)
As a professional working in Information Security at a large Fortune 500 Bank, I can say that this article is simply spreading Fear, Uncertainty, and Doubt (FUD). First of all, there is no central "database" that has all of the nation's bank account numbers. That is something that each bank is in possession of. Only the largest banks in the country (Citi, BoA, J.P. Morgan, Wachovia, etc.) could even come close to the number of people that this loss in Britain has revealed. In proportionate numbers, approximately 110 million accounts would have to be lost to equal the number in this case. Likely the top four banks in the country would have to lose ALL their customers' bank account information to equal the disaster in Britain.
You had better believe that there are processes already being brought online by all banks, due to law, to enforce greater authentication on bank accounts. Just look up the FFIEC regulations regarding electronic banking: http://www.ffiec.gov/ffiecinfobase/resources/elect_bank/occ-al2001-8_authentication_e-banking_envirt.pdf
Dual authentication is the compensating control to this type of fraud.
(Sent Nov 30, 2007 7:46:12 AM)
It's a fact that data from all types of business can easily be lost or sold with ease. The assumption should be that it WILL happen... so the answer is what new steps should be taken to protect our private information that we should assume anyone can get hold of.
Our biggest loss is financial security (bank account being drained, credit cards being used and so on.)
I used to think just a super secure protection like bioscanning devices that one day may be used to prove you're who you say you are. Example: A fingerprint scanner as part of a credit card scanner or even at ATM's.
But the scary thing is.....That information has to go into a computer to get verified, which means your bio data will also be potentially stolen too.
What to do, what to do??????????
(Sent Nov 30, 2007 8:04:31 AM)
Shocking.
The question not answered is: Was the data encrypted? And if not, why not?
-Science_1
(Sent Nov 30, 2007 8:20:13 AM)
The article does not mention whether or not the data was encrypted (it should have been). It doesn't mention how the data was being transported (public post? private carrier? company employee?) and it doesn't mention how it was "lost" (how do you just "lose" something so important and sensitive like that?) I do know I surely would not trust the US Post Office with such sensitive data--they can't even deliver my utility bills dependably. :(
Regardless, clearly there was a lack of proper data-security protocol in place so shame on them for that. I certainly hope the Social Security Administration, the IRS, and our banking system in general have at least a little bit better grasp on basic security protocol. In the telephone industry, government CPNI mandates about to go into effect provide penalties for even the slightest breach of an end-user's account information.
Brian in Kansas City, MO (Sent Nov 30, 2007 8:43:06 AM)
So weren't these files encrypted?
It could have been a clandestine operation of an intelligence service of a foreign country.
Bo, Custer, S.D. (Sent Nov 30, 2007 8:47:19 AM)
This is scary. I just followed the suggestion to freeze all of my credit accounts to block identity theft, when I hear this other huge gap in bank security.
Now that the banks scan in virtually every check, they could easily incorporate an electronic comparison of signatures with an authentic signature. Checks with signatures that don't pass could be held up and an automatic phone or email (as desired) could be sent to the account holder, asking if this is an authorized transaction. This would deter people who just got the account number because they would have no idea of the person's signature (though it would do little if the clerk in a store stole the check, since the signature is there to be copied).
John Doe, Seattle, Wash. (Sent Nov 30, 2007 8:49:49 AM)
So, how did the theft or loss actually happen? Sounds like this wasn't a hacker or software glitch. Sounds like someone physically lost some hard disks. It's time organizations started treating information like the valuable asset that it is and improve their physical security processes instead of just dreaming up on automated fraud detection schemes. Isn't an ounce of prevention worth a pound of cure?
Mark, Canada (Sent Nov 30, 2007 8:50:20 AM)
Corrections:
It was a CD, not a "hard drive".
It was sent twice, and lost twice.
The person who sent it has not been fired.
David Gilbert (Sent Nov 30, 2007 8:52:35 AM)
My biggest question is: why did they just "pop it in the mail"??? When I have a personal delivery of real magnitude, I personally hand deliver it OR use a high-security delivery system. If I were a trusted employee tagged to make this delivery, of that magnitude, I would secure it by making a personal hand delivery, even if I had to take a train across country to do it! And, here in the States, I would be well armed (I'm quite skilled in armed security) to ensure protection, and keep a low profile as to what I'm doing. Dang!! send it in the mail??
Stephen Paul (Sent Nov 30, 2007 9:24:29 AM)
There is way too much information collected on people and put on computers, it's a disaster waiting to happen here.
There is no need to have all this info by the gov't or private corporations, it does not serve society, only the rich and greedy benefit from all this info.
Pat, Tampa, FL (Sent Nov 30, 2007 9:28:48 AM)
how does a government just "lose" this type of extremely important information?!?
(Sent Nov 30, 2007 9:29:38 AM)
One of the standards in corporate level backups is off site storage of data. This involves the transportation of media from the source to a secured location. Ideally, the media is moved by a carrier whose job is to make sure that it arrives at the right place in a timely basis.
This happens hundreds of thousands, if not millions, of times a day. Unfortunately, a single 'mistake' is enough to affect millions of people. This 'mistake' may be an accident or it may be planned by criminals who realize that the data on a single hard drive may be worth more than any bank or armored car can carry.
I can see things reaching the point where backup media is heavily encrypted and the media itself has some sort of hardware/software lock on it. I suspect that those groups that do off site backups on line are doing heavy encryption and other security measures.
But even then, we are dealing with instances where a single failure endangers a great number of people.
Perhaps there should be more severe punishments for the use of data for identity theft, to go with higher security. If the people involved are taken off the streets, security is improved a little. (I have heard of too many instances of an ID thief being let go after a short sentence and going back into business.)
Generalist, Spokane WA (Sent Nov 30, 2007 9:41:37 AM)
Dear all
I refer thee all to the questions posed ref the data loss and can clarify some points for you all over there in the USA! (hi to you all!)
The data in question was copied, at the request of one government department to another, onto 2 CD disks and I gather from news reports on this side of the pond that the disks in question were indeed encrypted albeit with some rudimentary encryption system that can easily be broken / de-encrypted by any half intelligent fraudster with a laptop.
The disks were then sent via internal mail system which utilised a 3rd party courier company called TNT (similar to your UPS Courier Company) who subsequently lost the package in transit. It was not being tracked at all or recorded through the system and as such, no trace can be found of said parcel. The chances are the parcel in question has simply been misplaced or fell down the back of some automated processing device for envelopes, small parcels, etc but a shambolic event nonetheless.
Paul McKinnon GLASGOW, SCOTLAND (Sent Nov 30, 2007 9:52:48 AM)
As a Data Security Expert, I feel I must disagree with the second poster - the professional working in Information Security at a large Fortune 500 Bank.
Having worked at several different Banks, I know firsthand what kind of security, or lack thereof, is happening. There are "pieces of the puzzle" that are still not encrypted, and those that are encrypted are not sufficiently encrypted to prevent a hacker with very simple tools from stealing and unencrypting account numbers and social security numbers.
However, the gist of Bob's article was that hard drives had physically been stolen. That, in itself, is a SEVERE breach of data.
At least Banks keep data on servers. Most Banks prevent people logged into their servers from attaching any USB drives, thus preventing at least that avenue of theft.
BUT DO NOT BE fooled!!!! Your personally identifiable information is STILL easy enough to steal!!!!
Data Security Expert (Sent Nov 30, 2007 9:57:18 AM)
One other thing that should be pointed out here is that heavy use of checks is only common in the US. Most countries in Europe, including the UK, actually tend to use electronic transfers much more regularly. In order to make an electronic transfer to somebody they give you their bank account numbers. The US is the only country I've lived in where bank account numbers are considered secret. This data didn't contain login information, which is what would be really valuable.
I believe a leak of SSN numbers here would be worse than this leak was in the UK, since the SSN number is supposed to be secret and together with name and address is often enough to access and change account details. An address and bank account number are not.
John Doe, Seattle, Wash (Sent Nov 30, 2007 10:01:44 AM)
Had these banks used a form of double authentication, along with my ERFIDS (Extended Radio Frequency ID) tags, this theft could have easily been prevented.
The hard drives, and the PCs would have had ERFID tags, the worker would have had an ERFID tag, and the door leading in or out of the office would have my ERFID scanner.
As soon as the PC or hard drive chips got read, the doors would have locked and security would have been called.
My ERFID technology, could not be turned off. Since the ERFIDS talk to each other in a "mesh network", had someone foolishly defeated the ERFID, the doors would have locked and security called because the "right" amount of ERFIDS were not being continually scanned.
The ERFIDS in this instance do not have any sort of data on them, other than the ID of the PC, or the ID of the hard drive to which they are attached.
ERFIDS can be placed ANYWHERE...USB drives, employee ID cards, even food at the store...
The technology exists, let's start USING IT!! :)
Logan 5 Scott, Cleveland Ohio (Sent Nov 30, 2007 10:06:21 AM)
It would appear that they got advice from the IRS on how to handle data
Tom Runzo, Fort Lauderdale, Florida (Sent Nov 30, 2007 10:07:44 AM)
How naive (or possibly self-serving) of the "Information Security Professional at a large Fortune 500 bank" to say such a record could not exist. How many people in the US receive their tax refunds from the IRS via direct deposit these days? That requires the IRS possess their bank account numbers in addition to other information which determines whether or not they qualify for the Earned Income Credit for heads of households, etc. Sounds exactly like the type of information lost in the UK, doesn't it? I too am an Information Security Professional with over 30 years in the field and this is the type of stuff that still keeps me awake at night whenever I log into a Web site and have to provide personal/financial information. The unfortunate reality is that the custodians of our information do not take their responsibilities as seriously as they should, rarely implement all the recommendations of their security professionals in the interests of preserving the profit line, and refuse to believe it could ever happen to them no matter how clearly and persistently we detail the threat to them. Until someone makes them pay repeatedly for each and every one of their errors, things like this will continue to happen.
(Sent Nov 30, 2007 10:21:49 AM)
In response to the suggestion from John Doe in Seattle.. electronic signature comparison sounds like a great idea, but simply would not work. I work for a bank and have numerous clients who cannot sign the same way twice! Even inside just 1 branch, we daily see signatures that do not match; when you consider the number of checks processed automatically, the problem becomes enormous.
Chris S, Seattle WA (Sent Nov 30, 2007 10:22:05 AM)
The socialist government of Gordon Brown is just as much of a failure as the old soviet block; with all its power and might the soviet block failed anyway; and so will Gordon Brown.
John, NYC
John Rotman (Sent Nov 30, 2007 10:28:01 AM)
Every check you write gives out your account number and the routing number for the account. Calling that the "worst kind of information" is an exaggeration. If they included pin numbers, then I would be concerned.
Sandy, Olga m Wa (Sent Nov 30, 2007 10:42:24 AM)
A few years ago, the State of California lost a "tape" of payroll information. Those receiving hard-copy checks had their first initial, last name, hours worked, pay and deductions compromised. Those with direct deposit also had their bank account numbers stolen. But it's OK. The file was a flat file with fixed-width data fields. No one would be able to interpret THAT kind of data!
(Sent Nov 30, 2007 10:45:41 AM)
Data encryption on storage backup disks or tapes is not a reality yet. The LTO consortium (int'l standards org) just released LTO4 which contains encryption functionality, yet it's still very buggy so we likely won't see widespread adoption of data encryption until sometime in mid-to-late '08.
Now as for the person who earlier stated that there exists software that identifies banking fraud... I used to work for the leader in the field and this software (algorithmic or neural network) simply identifies "unusual patterns of activity" - but the potential 'unusual pattern' must first be coded as a potential scenario in the software -- in order for the software to detect it. Generally these patterns come from FinCEN [fincen.gov] and are conceptualized after a theft or breach has occurred.
Most data warehouses such as this are anonymized when anyone attempts to download it (outside of the backup storage pools - and storage is maintained in highly secure U.S. facilities). My greatest fear is that this software that detects unusual patterns requires real-time human intervention in order to suppress the activity/crime. I know that at least one of the largest retail banks in the U.S. has its fraud and AML monitoring performed in India, and that these Indian subcontractors have live control of the bank accounts they are monitoring. So rather than be concerned about potential theft occurring on such a widespread scale, the average person SHOULD be concerned about who can access their account from overseas since the laws and recourse differ from the U.S.
Case in point, my brother uses one of the largest U.S. retail banks and transferred $30K into his checking a few days before a real estate closing. The morning of the closing he woke up to find his checking acct entirely drained. The bank said that they would put the money back in immediately if my brother signed a release form that he wouldn't press charges. He went to local law enforcement and they told him he had no choice since the theft came from overseas (Russia). You have to wonder how often this happens and if it occurs in small amounts are there some people who may not even notice if their accounts are being drained?
Jennifer R, New York, NY (Sent Nov 30, 2007 11:00:02 AM)
The tape encryption industry is not mature. Kasten Chase has gone bankrupt, and Neoscale is moments away.
Also, encrypted tapes must be recoverable for at least seven years. Tell me, who has a mature tape encryption solution with centralized key management that will continue to support their product 7 years later?
Nobody.
Let's solve this problem and minimize this sort of breach.
Ferdinand, San Diego, CA (Sent Nov 30, 2007 11:00:53 AM)
What is the competency level of the current British Government; how about an in-depth follow up?
John Liti
John Liti (Sent Nov 30, 2007 11:03:26 AM)
I can't believe the data wasn't encrypted. Isn't that standard protocol for anyone moving around with sensitive information? In this day and age that's not forgivable.
(Sent Nov 30, 2007 11:03:47 AM)
To the person who asked how a government just "loses" this type of information, it can happen easily. If some person isn't paying attention while transporting copied or back-up media, that media (and all the personal info on it) can very easily be lost and remain unrecovered.
Two similar situations involving data breaching, though not on the same scale as the UK situation (and not reported on international news), have occurred in Louisiana. The first one happened when the state was notified of a weakness in a database of students who took the pre-ACT in 2001-2003. According to the letter sent to students who took that test in those years, a "privacy advocate" notified a television station in New Orleans that the database, which included SSNs, had been accessed. This claim of a "privacy advocate" sounds rather dubious to me, but the state notified students (including me and many other people I know) to put a fraud alert on their credit reports, and I did so.
Sometime later, my sister told me about a notice she had received from the state financial aid office that back-up media had been lost in transit on September 19. Of course, the state made efforts to locate the media that day and has continued with those efforts, but no one I knew had heard about this loss until about a month after it occurred. Of course, that time was needed for "investigation". Any guess what was on that media? Bank account numbers related to the state college savings program, information on anyone who has EVER filed the FAFSA federal financial aid form, which is the form the state requires from students who are applying for the state scholarship program (including info on those students' parents, whose SSNs and tax information are necessary to complete the FAFSA), and information on anyone who has EVER applied for or received financial aid in Louisiana. Check this link for complete details: http://www.osfa.state.la.us/Notice.htm
The data loss has affected nearly everyone I know. Most of my friends and I wouldn't have been able to go to college without the scholarship program the state offers. Even my toddler nieces are affected by this - my sister had college savings accounts for them and had to change her bank account numbers. The "lost" back-up media hasn't been found, although the state claims that "sophisticated" computer skills are necessary to access the data, skills that I would bet your local friendly hacker has.
I'm sure at least one person on this message board will spew the usual crap about how this is expected in Louisiana and how Louisiana sucks so much that they can't even get data protection right. A data breach can happen anywhere, at any time. I just moved, and thanks to this fraud alert on my credit report, I've had to answer personal questions for utility companies and even my own apartment complex, all to verify that I indeed am applying for all these services. Dealing with those calls is infinitely better than dealing with identity theft, but thanks, Louisiana, for taking such great care of the personal information of virtually everyone I know.
(Sent Nov 30, 2007 11:19:27 AM)
When companies lose information about us (and most we don't know about or never authorize), they should be made to pay for every cent stolen from us and for the time we waste to rectify our credit as a result of stolen/lost records. You get a company (government or otherwise) to pay out a few hundred million because of lax diligence, I would bet you those losses would stop pronto. What do they offer now? A whole year of credit reports? Wow....I can sure see that stopping identity theft. Nope, make 'em pay back every cent stolen. That'll fix it right up.
(Sent Nov 30, 2007 11:24:26 AM)
"ten thousand million"...would that be equal to 10,000 "million dollar bills"????
Just curious.
Steve, New York (Sent Nov 30, 2007 11:30:48 AM)
I personally think that very few if ANY human beings should ever get to see or handle raw sensitive identifying information (e.g. SS numbers, credit card numbers, etc.) This information should, in my opinion, be encrypted so that if someone needs to see it, they see a different but unique number that they can enter into their specific system, but the actual universally accepted data should not be ferried around in the raw like it seems to be. All it takes is one untrustworthy employee who decides they aren't making as much as they would like. Why give them the opportunity? If all they see is encrypted or otherwise garbled credit card numbers (for example), and as long as they can't decrypt it themselves or sell it in that form (i.e. the buyer can't decrypt it or use it in an encrypted form), then they no longer have the opportunity to use their position for identity theft.
(Sent Nov 30, 2007 11:36:21 AM)
Here's the correct information omitted from the article (from the Washington Post): "A government employee has told investigators that he downloaded the personal information, including bank account numbers, addresses and birth dates, put them on two disks and handed them to the courier service TNT on Oct. 18 for delivery to another government office.
Though the information was password-protected, stronger security measures normally taken for such sensitive information were not applied -- the information was not encrypted, and the package wasn't sent by TNT's registered service. The disks have not been seen since."
(Sent Nov 30, 2007 11:40:32 AM)
Well the average person can help in some ways by taking care of their own accounts. Me I have 2 accounts...a checking and a MMA account. I only keep enough money in my checking account to pay my bills for the month + a 'hedge' amount. I move money between the two accounts. The IRS/SSA only knows my checking account number (checks/ATM transactions cannot be written/accessed on the MMA account). I rarely write checks..do all of my bill paying on-line so even the vendors do not have my account number. I constantly check my CC accounts on-line to make sure every transaction is correct. I never sign the back of my CCs..put 'see photo ID' on that line...that way no one has my signature...should the cards be stolen.
It may not be much but I think I have done everything I can to protect myself (30+ years in Information services taught me something).
Barb K. Easton PA (Sent Nov 30, 2007 11:48:47 AM)
I apologize on behalf of Britain.
We will train our employees more appropriately in the future, and take better precautions.
(Sent Nov 30, 2007 11:51:04 AM)
We sell encryption software for the System i (formerly called AS/400 and iSeries) and it amazes me when we speak to organizations who don't seem to care that their backups aren't encrypted when much of the data on there is customer and personal information. Many of them just have a reactive attitude where they don't think anything will happen to their data and don't want to spend the time and money to secure it until something bad happens to them. We run into companies that are still sending payroll files unsecured too. At least the credit card industry is pushing to encrypt credit card numbers and have businesses get PCI Compliant. Don't think personal data is breached very often? Check out this website for numerous examples: http://attrition.org/dataloss/
There are software packages and hardware options to encrypt backups so not having backups and data transfers encrypted is inexcusable.
As I mentioned, we develop encryption software. Our Crypto Complete product encrypts fields on the System i and our Transfer Anywhere product encrypts transfers and backups. In a few weeks we'll be releasing a product called GoAnywhere that will be cross platform so we can encrypt data off the System i too. You can learn more about our products, key management and some encryption terminology here: http://www.linomasoftware.com/products/transferanywhere/Encryption
Brian Pick Linoma Software Omaha, NE (Sent Nov 30, 2007 11:52:45 AM)
The glutton is choking on his favorite food.
(Sent Nov 30, 2007 11:53:48 AM)
Johns Hopkins University "lost" the personal data including SS#s, home addresses, bank acct#s and more last year on over 40K employees during a delivery of the data to the backup site. Can you believe this?....The outside paid courier claims he stopped at a flower shop to buy flowers and left the backups at the store. The flower shop reported no such items found or left behind. Yeah right! We the employees were told that it would be a good idea to subscribe to a credit watch program...and pay for it ourselves!
We all wanted to know why such data was handled by an outside company with such carelessness. We never heard any more about it.
Diahla, Catonsville, MD (Sent Nov 30, 2007 11:57:44 AM)
The issue is not whether a file or a group of files on a database or R-W data compact disk or disks are encrypted, coded or outright secure. The issue is the competency of the individuals who compile, edit, download and store and restore this crucial data. A Corporation and Government can put as many bells, whistles and flags on compiled crucial information, yet along the lines of a Government database can any professional data specialist out in webland personally compare the magnitude of a government database with a corporate database? My personal conclusion is No. A Government database can be broken down into multi-faceted interfaces which perform a multitude of functions and programs, and yet can be totally secured from outside idioms that are created by hackers to override security on hardware, software and databases. I bring up the competency question. Why in the world would a major government such as the British Government allow for such security sensitive data to be lost with providing a duplicate source of information as well as handing this information off to a private contractor such as TNT Europe? I am curious as to why this information wasn't locked in a secured deposit area within the vaults of the Bank of England at their main branch in London and a tape or CD rotation implemented by a staff member of this particular branch of the British Government? Why wasn't this type of information continually rotated on a daily, monthly, quarterly and yearly basis by a staff member?
Regardless what the second individual of this group tries, our personal, national and monetary information can be accessed by a clever hacker and is being done on a daily basis. You can write secure programs, encode them, place firewalls on hardware, whatever; a clever hacker can override a system, but it is the human factor that is the crucial element that is the core to this major breach of data security, not the system.
Brian A. Morgan, Richland Center, Wisconsin (Sent Nov 30, 2007 12:16:38 PM)
A solution to this problem is heavy penalties for the criminals and the institutions that let this sort of theft happen. Fine the institutions, pay restitution to all and every account, for all the cost and defence of the account holder, that has been compromised. Remember as an account holder we signed a contract where they assured us the confidentiality. That will affect their bottom line and that is the only way these large institutions will take note and be serious about breach of confidentiality.
victim of this kind of fraud. Toronto Canada (Sent Nov 30, 2007 12:17:46 PM)
Regarding the suggestion to use RFID tags: electronic monitoring of employees in the workplace is one more step toward electronic monitoring of every person in the world. Search vchip on google and learn more about efforts to put electronic tags under the skin of every person. Scares me.
(Sent Nov 30, 2007 12:26:37 PM)
Information like this simply should NOT be physically transferred unless absolutely needed. I understand the need for storing backup tapes off site, but the physical transportation of information of that kind of value should be given as much care as a truck full of money.
(Sent Nov 30, 2007 12:32:54 PM)
Hahaha, an employee just physically downloaded that kind of data onto a CD and mailed it via their "Fed EX." I can't believe their system let him do that. HAHAHAHA. IDIOTS! Someone should be fired for that.
(Sent Nov 30, 2007 12:37:33 PM)
Having someone's bank account number in the UK is no big deal; even if you have the routing number (called a sort code) it doesn't help you much. That's because only a bank can issue checks. So for someone to fraudulently use them they would need to contact the issuing bank, convince them that they are the account holder, ask for new checks and then have them sent to a different address. In the US it seems anyone with a printing press can issue checks.
AV, CO (Sent Nov 30, 2007 12:48:30 PM)
The gov't is prime for this data loss. I worked at a contractor that managed medicaid claims for a mess of states; we had people in the claim reconciliation department (lots of them) with criminal backgrounds. They were temps who lasted 2-6 months on the job. They went through 20-30 claims a day with full access to folks' SSNs, health insurance info, all sorts of crap. It was not unique to that company either. It is a huge issue that folks out of IT just do not really fully comprehend. Unless some laws are changed QUICKLY to hold the orgs that maintain this personal data FULLY liable for losing data, they have no real financial incentive to spend the cash to fix it.
(Sent Nov 30, 2007 1:07:56 PM)
To Sandy in WA
And in sending someone a check, all that keeps them from using those numbers to run ACH transactions on your account is their own honesty. No PIN is required. My son sent a check from his business to a wrong address. The nice folks at the address used the account number and routing number on the check to pay their cellphone bill and buy time on porno websites to the tune of $400. It took hours of calls, reams of paper, and 2 weeks before the money was returned to his account. This kind of thing could be a disaster for someone who never has much money in their checking account, as the money taken out by fraudulent ACH transactions is gone and getting it back is not easy. And the nice banks will bounce all of your checks and charge their usual fees for NSF until the mess is cleared up.
BP, San Jose, Ca (Sent Nov 30, 2007 1:13:35 PM)
So it sounds like this isn't really data "loss", as they still have copies of the data - it's just some copies of it have gone missing, probably stolen and now on the black market. I see at least one person commented on the data not being encrypted (article doesn't say) but data encryption is hardly the magic bullet it once was. Anybody can set up an "open distributed computing project" geared towards deciphering a given key and have millions of computers working on it. Or, just hire a trojan network to do it. Whoever has the data has time on their side. The historical data is toast, but there's still time for millions of Brits to change their account numbers!
(Sent Nov 30, 2007 1:22:34 PM)
You asked if something like this could happen here. The answer is YES. In February 2005 the giant Alpharetta, Georgia, data aggregator Choicepoint sold the personal information on 145,000 people to a Los Angeles, CA, based ring of identity thieves. The only reason the debacle went public is because CA has a law that requires these companies to notify CA residents.
As this story from the UK illustrates, such mass data collecting is our enemy. It imperils us, it lays bare the intimate details of our lives to almost anyone, it does not allow us to opt out, and it offers us damned little in return. Sure, Choicepoint paid a multi-million dollar fine, but so what? Multi-billion dollar a year corporations like Choicepoint factor these fines into their annual budgets as a cost of doing business, so it's no deterrent.
Madder'n hell (Sent Nov 30, 2007 1:38:05 PM)
In response to the poster who claims "there is no central database that has all of the nation's bank account numbers" due to banks maintaining their own account information, I believe there is a database out there with an insanely large number of bank accounts... residing at the IRS. How many people file their income tax electronically and provide (and update) their account information to the IRS every year?
(Sent Nov 30, 2007 1:53:46 PM)
All they need is your routing number to drain your account. They don't need a signature, a password, a pin, ssn, etc. Automatic withdrawals occur all day with just a routing number. I confronted my bank about this when they paid my mortgage for several months from someone else's account. The poor guy wasn't even aware that it was happening apparently. He didn't report it anyway. Finally got it fixed and they did it again. The banks need to be held accountable for losing data/funds. The government should require accountability as part of their charter. There is no excuse for such irresponsibility.
(Sent Nov 30, 2007 2:24:39 PM)
There's a solution for the lost harddrive, but whatever the reason we're not wanting it.
go take a look @ mipv.com
for the harddrive security answer.
Don Whineit (Sent Nov 30, 2007 2:49:00 PM)
Ultimately, the only way to solve data-loss and identity-theft problems is to pass laws that protect the consumer. In the US this hasn't been done due to: the pro-business orientation of the Republican party that controlled Congress until recently (and still controls the Presidency), the influence of lobbyists who have successfully blocked such laws, and simple inertia.
Only if heavy financial penalties are imposed by law for companies that lose data or compromise consumer identities will the situation improve.
If California hadn't passed mandatory notification of data loss several years ago, no one would even know how widespread the problem is (the federal government resisted passing such a law, due to business interests).
Of course, all the above doesn't address *government* data loss...
johnny IT guy, 20 yrs exp. (Sent Nov 30, 2007 2:54:30 PM)
In response to Barb from PA who says that she does not sign the back of her credit cards in the interest of security, I think that it would be worth pointing out the following facts regarding this very common myth (which I used to subscribe to myself). First, signing your credit cards with "See ID" (or "CID" or whatever variant you prefer) actually technically invalidates the card, and I know that there are many merchants who will not even accept a card so signed. Secondly, not signing the card is really not that much of a protection, as any thief who has stolen your credit card could simply sign it themselves (thus absolving them of even having to know what your actual signature looks like), and photo ID is still pretty easily forged at this point in time (at least enough to satisfy the typical merchant anyway).
David K., Chicago, IL (Sent Nov 30, 2007 2:59:14 PM)
Apparently, they've never heard of data encryption or SANs (Storage Area Networks). Fiber Optic lines are not subject to EMI (Electromagnetic Interference), RFI (Radio Frequency Interference), or eavesdropping. But then if you can't pay your technicians any better than your janitors, then they probably won't know much more about that kind of thing than the janitors. The ones who know anything go where the money goes, or simply stay home and play WoW, because they're not stupid enough to be told how little they are worth. It doesn't really matter how many security measures and blocks you put into a system. You had better hope your techies are better and more honest than the ones after your valuable data. You get what you pay for.
Scott, Lexington, KY (Sent Nov 30, 2007 3:25:22 PM)
Wow, Britain, the birthplace of ITIL. Maybe we should send them some ITIL, ISO, PCI etc. consultants; they obviously don't eat their own dogfood.
TH (Sent Nov 30, 2007 3:33:13 PM)
Banks = legacy systems. Look at Bank Of America ... too many acquisitions in the past. Their "banking system" is comprised of 10s if not 20 different smaller bank systems all independent of one another. Don't let the online system fool you, your login ID determines what system to send you to. Again .. banks = legacy systems. How about some protocols and best practices that work and banks that follow them.
Marvin - Wash DC (Sent Nov 30, 2007 3:43:11 PM)
To the poster who said, "The tape encryption industry is not mature... Tell me, who has a mature tape encryption solution with centralized key management that will continue to support their product 7 years later? Nobody. Let's solve this problem and minimize this sort of breach."
In fact, Sun Microsystems does have a mature tape encryption solution that will be supported for years to come. They (via StorageTek) have been developing tape for years and the encryption solution complies with Federal Information Processing Standard (FIPS) 140-2 certification. FIPS 140-2 compliance is huge from a security standpoint and something no one else can do.
http://www.sun.com/storagetek/tape_storage/tape_drives/crypto_keyms/
(Sent Nov 30, 2007 4:12:30 PM)
There are some pretty simple solutions that banks could open up to individual depositors, already available and used by most companies. Positive payment of checks, meaning an individual forwards to the bank the check numbers and amounts they have approved for payment and the bank only pays those checks. Many people already bank on-line by using e-checks from their bank; this would just be an extension of that service for checks they have written and sent in the mail themselves from home. I realize it only protects people using on-line services, but better some than none....
Matt, Easton PA (Sent Nov 30, 2007 4:21:25 PM)
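The positive pay control described in the comment above is a reconciliation step: the bank compares each item presented for payment against the issue file the account holder uploaded and pays only exact matches, routing everything else to the account holder as an exception. The code below is an added illustration of that matching logic, not code from the article, any commenter or any bank; the issue-file format, the field names and the sample items are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class CheckItem:
    """One check: either an issued record from the account holder or a presented item."""
    number: int
    amount: Decimal
    payee: str


def parse_issue_file(text: str) -> dict:
    """Parse a constructed 'number,amount,payee' issue file into {number: CheckItem}."""
    issued = {}
    for line in text.strip().splitlines():
        number, amount, payee = (part.strip() for part in line.split(",", 2))
        issued[int(number)] = CheckItem(int(number), Decimal(amount), payee)
    return issued


def positive_pay(issued: dict, presented: list) -> tuple:
    """Return (items_to_pay, exceptions).

    Each exception is (item, reason). Exactly one reason is reported per item,
    checked in order: not issued, already presented, amount altered, payee mismatch.
    """
    pay, exceptions, seen = [], [], set()
    for item in presented:
        expected = issued.get(item.number)
        if expected is None:
            exceptions.append((item, "not on issue file"))
        elif item.number in seen:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != expected.amount:
            exceptions.append((item, f"amount altered: issued {expected.amount}"))
        elif item.payee.casefold() != expected.payee.casefold():
            exceptions.append((item, f"payee mismatch: issued to {expected.payee}"))
        else:
            pay.append(item)
        seen.add(item.number)
    return pay, exceptions


# Constructed sample data: what the account holder told the bank they wrote...
ISSUE_FILE = """
1041, 125.00, City Water Utility
1042, 980.50, Home Mortgage Co
1043, 60.00, Jane Doe
"""

# ...and what was actually presented for payment.
PRESENTED = [
    CheckItem(1041, Decimal("125.00"), "City Water Utility"),   # legitimate
    CheckItem(1042, Decimal("9980.50"), "Home Mortgage Co"),    # amount altered
    CheckItem(1043, Decimal("60.00"), "J. Smith"),              # payee changed
    CheckItem(1041, Decimal("125.00"), "City Water Utility"),   # presented twice
    CheckItem(2001, Decimal("450.00"), "Cash"),                  # counterfeit number
]


def run_sample() -> tuple:
    return positive_pay(parse_issue_file(ISSUE_FILE), PRESENTED)


if __name__ == "__main__":
    pay, exceptions = run_sample()
    for item in pay:
        print("PAY      ", item.number, item.amount, item.payee)
    for item, reason in exceptions:
        print("EXCEPTION", item.number, item.amount, item.payee, "->", reason)
```

Exceptions are returned rather than silently rejected because the account holder, not the matching code, decides whether a mismatch is fraud or a typo in their own upload; the reason string is what they would see in the daily exception report.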
Given the level of personal data Stalin Demunists like Hillarovna want to collect on every single citizen in the U.S., not only is it simply a matter of "when" rather than "if", but "when" it happens, it will destroy this country.
Ann, Kansas City, MO (Sent Nov 30, 2007 4:30:59 PM)
MY BANK CANCELLED MY VERSATEL CARD WITHOUT NOTIFYING ME AND I DIDN'T FIND OUT UNTIL I COULDN'T GET A TRANSACTION CLEARED. I WAITED OVER A WEEK FOR ANOTHER CARD. THE SAME THING HAPPENED WITH MY SISTER IN MISSOURI LATER. MY BANK IS ASKING FOR ADDITIONAL INFORMATION IN ON LINE BANKING FOR SECURITY. WILL IT WORK? AND THEY NEVER CLEARLY TOLD ME WHAT HAPPENED TO MY ORIGINAL ACCOUNT. THEY JUST SAID IT WAS COMPROMISED??
(Sent Nov 30, 2007 4:43:20 PM)
This is a horrible situation. Thank goodness I was not affected by it. I truly believe that the United States has no chance of surviving such an incident, and the government should really prepare for it while taking measures to prevent it.
Juno (Sent Nov 30, 2007 4:54:05 PM)
Decru (Netapp) has a data encryption product mature enough with centralized key management...
Netapp is definitely not going under!
And to all those that doubt what an account number and routing number can accomplish - provide your account number and routing number with a last name and I will have money transferred out of your account within 24 hours. And NO, I do not work for a bank, so there is no 'inside' access required.
Keith, Cincinnati, Ohio (Sent Nov 30, 2007 5:24:22 PM)
I read back through this thread and realized that everyone is thinking paper checks! Listen guys, thieves don't have time to waste on writing paper checks!!! Nor do thieves want to get caught writing paper checks.
With the right know how anyone can electronically use your account number and routing number to transfer funds wherever they please and for whatever amount they want! Furthermore these are electronically processed with little to no human review... Many businesses already use ACH processing to handle your checks!!! You write them a check and they key in the account number and the amount and hit the submit button - they never even take your check to the bank.
ACH also exists in UK - so the poster that said this isn't a problem in the UK is incorrect.
How about one more to scare you - suppose I give you a check for $10 and you deposit it in your account - in a couple of days, I will have your account number and can easily defraud you of anything you have. HOW? Most banks allow you to view electronic images of checks you have written and that have been cashed. 90% of banks wind up printing the account number of the account being deposited into on the back of the check - just view it online and there you go!
The point is - don't downplay the power of an account number, people try to protect their credit card number, I refuse to write checks to protect my bank account number. Who cares if someone gets the credit card number, I know the banks will refund every RED cent without a hassle if it is stolen!
(Sent Nov 30, 2007 5:40:06 PM)
Interesting, but soon after I submitted my information for a credit report from Experian, a credit card with my number was used for about 2000 dollars worth of purchases; thank goodness the bank was on the ball and caught the inappropriate purchase.
Jim Clements (Sent Nov 30, 2007 5:54:28 PM)
My wife's checking account got cleaned out in October due to someone using her bank tracking numbers. The woman printed up checks and also created a driver's license with my wife's actual D.L. number on it. Thank goodness she used a different name. However, it took 2 weeks to get the money reimbursed, and we're still getting nasty grams from the bank for NSF's on the closed account.
Don't know if you can ever stop using checks, but understand this, when you write one, you're giving someone a business card to your bank account number, driver's license number, and DOB. We now use ONLY cash and credit cards for store/Internet purchases. Our checks ONLY go for our utility bills, mortgage company, and our bank.
Also, for all 50 states, you can now freeze your credit with the three credit bureaus. With a credit freeze, even if a thief had your SSN and mother's maiden name, they couldn't open a new account. It's a great tool to stop this out-of-control crime. Make yourself a hardened target, so the ID thieves will move on to an easier mark.
(Sent Nov 30, 2007 6:11:31 PM)
I don't really remember everyone's information being lost before all this technology.
Cash just seems so much more secure these days.
(Sent Nov 30, 2007 7:37:06 PM)
A similar incident has already happened in the U.S. Spring of 2007 the State of Georgia lost disks containing the information of every child that has received state health insurance or medicaid in Georgia in the last four years. The disks were lost in transit, via a third party courier, to the federal government. The package had a tracking number and has not been found. These disks contained social security numbers of the children and their parents, names, addresses, DOB, employment information, etc... There were no bank accounts involved, but everything needed to assume an identity.
Anna, Trion, GA (Sent Nov 30, 2007 8:05:14 PM)
I make $8 an hour. I've made about that for years at various jobs. For the last fifteen years, I have been given full access to your medical records, your bank account and credit card information, and your social security number by one job or another. Doesn't it bother you that a low paid, part time employee with no benefits has this kind of information? Aren't you glad I insisted that my current boss buy a shredder and implement a 'shred immediately' policy for all the scrap paper we jot this info down on while you're on the phone with us ordering stuff? For the nine years before I worked there, those scraps were tossed into the nearest trashcan along with fast food wrappers. Don't leave it up to poorly paid individuals like me to protect you. Your mother raised you to be smarter than that.
Cindy, small town, big business, Arkansas (Sent Nov 30, 2007 9:35:13 PM)
I have read many a horror story through the comments sent by various individuals nation and Worldwide. I used to be employed in the IT field for ten years during the major tech explosion that occurred in the 1980's and 90's, and it seems to me that the standards for a system wide secured server base for customers and clients have basically been thrown out the window alongside the professional expertise in the field, whose positions over the years have been sent to far east markets.
I have noticed that in today's IT field there are too many who have taken the unethical course of action rather than use a simple form of professionalism and ethics in their day to day functions. I especially am very ashamed to hear how various Corporations and Government agencies hire someone on the fact that they are twenty something and in their words young and vibrant and a new course for the future of business, in short young fresh out of college and naive to the office political games, a person who is willing to accept below average salary and work killer hours with little or no regard to their personal lives outside the office. I have worked in the trenches in the financial district in the loop of Chicago and I have seen the advancements in hardware, software and security devices, and I went through the Y2K scare only to witness the world did not form a great big giant crack and swallow Western Civilization whole in one gulp. When I used to work in the field we had a data rotation and provided our own secure area for storing the CDs and 8mm Unix tapes rather than using a second or third party carrier service; I carried this material to our secured location myself and I also performed the data rotation and was responsible for the shipment of data to clients, and I always took great care to scrutinize the carrier. My former employer was and currently is very careful who handled this information and took great care to check the credentials of the carrier and ensured that background checks were performed. I am saddened to see the integrity of a business sector that was supposed to be the new frontier for business turn into the red light district of the ghetto of today's business climate.
Brian A. Morgan, Richland Center, Wisconsin (Sent Nov 30, 2007 9:56:53 PM)
Maybe we should just "LOSE" their data.
therodog (Sent Dec 1, 2007 1:26:21 AM)
MSNBC/RedTape --
American Consumers need to read a complete and thorough news story about CHECK21 and ACH.
People need to be told the true story about the overall and specific weakening of consumer banking protections, as they pertain to personal checking accounts, by the handiwork of the Banking Industry with the collusion of Congress.
It is a gross understatement for anyone to say that, "ACH is a disaster waiting to happen."
As for the Banking Industry InfoSec shill, who posted very early on, the issue is not a matter of compromising some "Live Free or Die Hard" centralized database of all US banking accounts. The issue is the devastation that would be caused, to everyday commerce, if a data loss, comparable to the latest one in the UK, were ever to take place involving similarly assembled IRS data.
I am an InfoSec professional, too, and no one can credibly tell me that, "It can't happen here," or that there would not be cascading effects and geometrically serious consequences of such a Silver Platter data loss.
All that would be required would be a sufficiently randomized "criminal" run on the finances of a surprisingly small percentage of all of the potentially exposed targets.
No one would be opening new accounts under false identities. The BadGuys(TM) would be drawing down on real people's already existing cash accounts, in batch-mode. It will be a, "Catch me, if you can scenario."
If purchases are also involved in the process, both consumers and merchants would be the instant victims in Round One. And things would get much worse from there.
We need relentless coverage of these topics now.
alerter, West Coast, USA (Sent Dec 1, 2007 4:55:37 AM)
The side of this that upsets me is the side that most people don't know about. As an IT Manager for a company with 10 million in sales annually, I spent 4 months bringing our company into compliance with the credit card industry's new Data Security Standards (PCI DSS). In the past 2 years my personal credit card account has been hacked twice. I do not store the number anywhere and the card only leaves my wallet when I use it. My online account manager was hacked even though I use a STRONG password as defined in the PCI DSS. Some of the measures I had to take for compliance were ridiculous and it cost us thousands of dollars besides my time. Why do banks, the government and especially the credit card companies not have to live up to the same standards as any company who takes credit cards? Companies who get hacked and lose credit card data are liable for fines as high as $500,000 plus the cost of replacing the cards whose numbers were stolen. Yet the credit card companies don't have to live up to the same security standards as a mom and pop convenience store.
Jay, Lancaster PA (Sent Dec 1, 2007 7:40:20 AM)
For all the people wondering if this could happen in U.S., does anyone else remember the Bank of America incident from March, 2005? http://www.msnbc.msn.com/id/7032779/
Let's see, back-up tapes with social security numbers and account information being transported by plane simply disappear into thin air. Bank won't confirm whether or not data was encrypted. Pretending that this latest incident could only happen in Britain, or is because government employees are less competent than employees of private corporations is fine if it makes you feel better. It really doesn't matter how good a system you have in place, one momentary lapse of judgment or a single act of carelessness by an individual is all it takes for information to be compromised. It's a wonder that things like this don't happen more often than they do.
Jonathan, Springfield, VA (Sent Dec 1, 2007 10:20:39 AM)
Data being encrypted is not safe either. There are programs that can break encryptions in microseconds, as is evident on many TV shows relating to CSI or cops. Also it would take only a few seconds to type in a transfer of all money in all accounts to a safe account in Switzerland, and those are so secure even the banks themselves do not know who has the account. You could end up with an account that has trillions of dollars in it in a couple of minutes; you would just highlight all the accounts and transfer all the money instantly, it would be impossible to shut it down or trace it. Someone could end up with all the money in the world, and it would be unrecoverable. Everyone knows this. Do not let the "bank and security professionals" fool you with their line of crap. In addition the government or IRS could do the same thing to every business and personal account in the US instantly, which is why they have those numbers. They don't have to worry whether we pay taxes or not, they will simply take all they need and more. It is coming, people. This is the system those in power have been waiting for for hundreds of years, and we have allowed them to do it. Actually they forced it on us. Beware. It WILL happen some day, and sooner than you think.
TT, Tuscola,IL (Sent Dec 1, 2007 10:20:54 AM)
Isn't it odd? We have heard, again and again, about sensitive data worth hundreds of thousands of dollars being lost on hard drives or laptops or CDs, but we never hear of a carrier accidentally losing $200k in cash. Why is that?
If the data is worth $200k, shouldn't it be treated as though it were worth 200k, especially if there is no good way to encrypt the media? Why are the CDs not locked in a brief-case handcuffed to the courier? Why are carriers used instead of armored cars? Who would send hundreds of millions in cash by the British equivalent of UPS without any sort of trace or tag? Why do it with critically sensitive data???
It boggles the mind.
-Science_1
"No Silicon Heaven?! PREPOSTEROUS! Where would all of the calculators go??" -Kryten, of Red Dwarf
Science_1, Tipp City, Ohio (Sent Dec 1, 2007 11:15:00 AM)
I had a check credit system, located in Minneapolis, consisting of at least 3 differently-named companies, same phone number and address, send out false information to stores etc. that my checking account was closed, on a weekend, and I had many long-distance calls on it, getting it set right, which nobody reimburses.
They falsely said my bank called them that my account was closed, with account numbers and all, which my bank totally denies.
But it scared me that three groups who hold heavy control over whether my checks pass or not work together, and some are "not open" on weekends, or at night.
Nor can you reach people in the bank 24/7/365.25 either.
I was only shut down for a weekend and a day, but they originally said that I would be kept from using my account for 2 MONTHS, until my bank told them something that made them open the account right back up.
I can get no details, at least not without a lawsuit.
Yeah, there need to be some balances, and those who are falsely accused, or have to change things around to correct for data exposure, need immediate recompense for the inconvenience involved, so that the companies involved check twice! On all these data mis-handlings, whether inadvertent or deliberate.
But what are the odds of such ever happening, under EITHER major party's controls?? It may not bother you now, but if it hits you, remember then that you sat back while others suffered.
Looey Munn Roundup, MT (Sent Dec 1, 2007 11:30:31 AM)
Just remember that if you have had to apply for student financial aid since 1974, you had to report your SSN and birthdate to any school you applied to. Most schools never purge this information from their databases, even if you chose to attend a different school or graduated from theirs years ago. This personal information is usually accessible to anyone with basic access to their systems, including currently enrolled students on work study. Just remember that out there right now is some underpaid sophomore working part-time for the college or university of your choice who can look up and use your SSN and birthdate anytime.
(Sent Dec 1, 2007 3:00:55 PM)
I'm one of the many parents who over the last few days has received a letter from good old Gordon Brown's Government, informing me of their screw up.
To be frank us Brits are so used to it now we remain nonplussed by it all.
I am having to change so many details to protect roughly $10.00 a week, because this is what we get, and look at what this sort of corrupt information is selling for.
How strange. Stranger still is they have all my personal details, and my child's, everything. I now have to change even more details just for $10.00 and all during time I should be working; now are we to be compensated for such a screw up?
NO. It can only happen over here, everyone. Only our government can screw up like this. Just amazing!
Susie Tompkins. Leicestershire. UK (Sent Dec 1, 2007 4:03:21 PM)
With the consideration that my bank does not and shall not disclose any of my personal information to a third party, I fail to see where any information about me can be a problem. I also do not understand the term "Lost Data?" I don't use plastic money and the banks only see my monthly expenses. So where's the problem?
Karl Bratcher, Florence, Oregon (Sent Dec 1, 2007 4:23:54 PM)
If you'll believe this garbage you'll believe anything. This is about as phony as all Bush's lies.
Karl Bratcher, Florence, Oregon (Sent Dec 1, 2007 4:28:57 PM)
Obtaining personal information hasn’t been all that difficult in the past. There were many instances of reams of computer printouts with all sorts of personal information including SSN’s and account numbers being thrown out by all sorts of institutions and businesses in dumpsters during the 80’s and early 90’s. Any industrious petty criminal could, and still can, get your information just from your mail box. In fact it’s still legal for businesses and government institutions to send your account number and SSN through the mail in most states today.
A good part of the problem today isn’t just the easy ability to access personal data but the ease in using it, thereby making the information more valuable than it’s ever been. Our modern age now allows people to conduct business and financial transactions anytime and anywhere without any human intervention. A good thing for facilitating the purchase of goods and services with minimal effort, but it comes with a cost that we are poorly prepared to handle. Anonymity is created by technology and a lack of safeguards to ensure the person completing transaction is really the real person.
Hey, remember there’s always cash, a well accepted option for the last several thousand years. ;)
Bill P, West Chester Pa (Sent Dec 1, 2007 4:50:06 PM)
I'm actually a bit surprised that the U.K. government even HAD such a database to start with, particularly one that would include banking information.
Haven't these folks heard of encryption? Encrypt the tapes & disks and keep the decryption keys separate from the media - then, losing the media is not really a big deal.
There is, naturally, a nominal cost in software and processor time involved with this precaution, but I'll wager it's a lot less than $500 million.
Brian, Ohio (Sent Dec 1, 2007 6:41:52 PM)
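Brian's suggestion above, encrypt the media and keep the decryption key somewhere else, shown as an added example that is not part of the original thread or of any organisation it mentions. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag (a stand-in construction chosen because the standard library has no AES; a vetted AEAD such as AES-GCM is what you would deploy). The "media" and the "key store" are two separate dicts, the child-benefit-style record is constructed, and the function names are the example's own.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # random per-file nonce, stored in the clear on the media
TAG_LEN = 32     # HMAC-SHA256 authentication tag

# Constructed record in the style of the lost HMRC data (every field is made up).
SAMPLE_RECORD = b"Jane Example,1 Example Street,1975-01-01,AB123456C,12-34-56 12345678\n"


def generate_key() -> bytes:
    """256-bit master key; in practice this lives in a KMS/HSM, never on the media."""
    return secrets.token_bytes(32)


def derive_subkeys(master_key: bytes):
    """Separate keys for confidentiality and integrity, derived with HMAC as a PRF."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Only this blob goes onto the disk."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then strip the keystream."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_subkeys(master_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def lost_media_exposure(record: bytes = SAMPLE_RECORD) -> dict:
    """Model the courier scenario: the media is lost, the key store is not."""
    key_store = {"hmrc-export-2007": generate_key()}      # stays inside the agency
    media = {"disk1.bin": encrypt(key_store["hmrc-export-2007"], record)}  # what was posted
    blob = media["disk1.bin"]

    # Legitimate recipient, who was sent the key through a separate channel.
    roundtrip = decrypt(key_store["hmrc-export-2007"], blob) == record

    # Finder of the disk: does the blob leak the record, and does guessing a key work?
    plaintext_visible = record in blob
    try:
        decrypt(generate_key(), blob)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    # Finder tampers with one ciphertext byte before the disk is "found" again.
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01
    try:
        decrypt(key_store["hmrc-export-2007"], bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    return {
        "roundtrip": roundtrip,
        "plaintext_visible": plaintext_visible,
        "wrong_key_rejected": wrong_key_rejected,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(lost_media_exposure())
```

The point the example makes is the one in the post: once the key never travels with the media, a lost disk is an incident to log and audit, not a $500 million loss, and the authentication tag additionally lets the recipient detect a disk that was altered in transit.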
People, People, People. This problem isn't going away anytime soon. But, there is something that you can do about it, and position yourself for a potential financial windfall. Check out my website and watch a short 15 minute movie that will show you the ONLY answer to the crime of the century.
Dennis Blahunka, Loves Park, Illinois (Sent Dec 1, 2007 6:47:22 PM)
After six years of evangelizing biometric technologies for strong authentication and identity assurance management, the SAFLINK Corporation went out of business mostly due to a lack of adoption from government and big banks.
Personally I find this hard to believe that in today's day and age we are still using ancient methods such as a 4 digit PIN and signatures to protect and access our very digitally funded lifestyles. Somebody printed phony checks, a fake ID with my name on it, and went to a string of US Bank branches in Missouri depositing $5K amounts with half cash back. The banks had no problem at all taking an out of state driver’s license from WA, out of state checks from a “trust account” in CA and doling out the cash! I spent the next 3 months trying to straighten it out with my accounts fluctuating wildly between positive and negative balances. I tell you, if that person had to put their finger on a live scan fingerprint reader OR had to use iris recognition to prove their identity, this would have never happened.
I am heavily PRO for using these types of technology to assure a person's identity. Privacy advocates argue that technologies such as biometrics are invasive and a violation of privacy. I beg to differ; having my identity stolen TWICE is the biggest invasion of my privacy I have ever been through, and even worse is trying to GET YOUR IDENTITY back. (ACLU please wake up!)
One other discussion I had with a gentleman that works for a prominent online credit card processing company hinged around the mystery of WHY the credit card companies are not doing something such as implementing some form of authentication (smart card, biometric, RSA SecurID, etc.). I always thought that it was because they didn't want to incur the costs involved. My colleague’s opinion is that IF the credit card companies were able to develop a sure fire, foolproof system for credit card transactions, they would no longer be able to charge merchants a percentage fee for their processing. Once I heard that, it became clear: these CC companies HAVE NEVER and NEVER WILL care about the consumer.
The bottom line is profitability no matter how much the threat to undermining our very way of life here in the US is the only thing important to these banks. If nothing is done soon, we will all pay a dear price....
Ernest Squigmeyer, Bellevue, Washington (Sent Dec 1, 2007 7:03:28 PM)
This certainly can happen in the United States. I work for GAP inc., and recently 2 laptops were lost containing the social security numbers, and other very personal information, of everyone who currently works for GAP inc. or has worked for the company in the previous year. Though GAP inc. did offer identity theft counseling, as well as Free Credit Monitoring for a year, it was still a major concern to employees.
Nicole, Indiana (Sent Dec 1, 2007 9:55:56 PM)
With the world so wired today, why are we copying data to disks for transport anyway? Online data can be encrypted and transported faster than a courier with 2 CDs, and the data won't get lost.
How many of our security specialists on this forum would not advocate the electronic transmission of data rather than the copying of data to another medium then transporting it with its inherent risks? I worked for a very large Orange ball Multinational in Los Angeles; we moved data on a T3 and multiple T1's and a separate OC3 to and from redundant Symmetrix units around the country. For the amount of information we are talking about here, it could have been transferred encrypted to its location over a secure network, even a point to point link, in minutes, not hours or days as happens when data is transferred to a physical medium like a CD.
When will the world wake up? Doing it cheap does not pay; it will catch you in the end.
Coutta (Sent Dec 2, 2007 1:00:45 AM)
Please help me to understand how this is different from getting the names and addresses from the phone book and taking checking account information directly from a check (we willingly give this information each time we write a check) - I'm not sure I understand how the names, addresses, and bank account numbers can cause harm (e.g., there is no mention of access IDs such as PINS being lost)? (this is not a "comment" - this is sincerely trying to understand)
Curious, Philadelphia, PA (Sent Dec 2, 2007 9:15:14 AM)
There was no encryption of the lost tapes. (Costs money silly). The biggest worry is that it has happened before.
Ted, Norfolk, UK (Sent Dec 2, 2007 12:02:34 PM)
Inside Job
As being one of the estimated 26 million it comes as no surprise to me that this happened.
Putting it mildly, our country has a bad reputation for losing things.
I won't go into too many details but will say that we have lost a lot of other files whether they were on disk, laptop or through unsecured networks.
This was caused mostly through technological ignorance but at times incompetence that borders on the criminal.
I worked as an independent social worker for many years with eastern European refugees/asylum seekers and can put my hand on my heart to say that in almost every case I came across serious abuses were being made, from which I saw & learned a lot.
Over the years I noticed things that ordinarily I would otherwise never have.
I began to ask questions innocent at first while maintaining an air of ignorance.
From 98, the Nigerian racketeers were doing a lot of the postal fraud, using inside workers for intercepting cheques/cheque books, even photocopying the originals and trying to get others to call them in for them.
The Russians/eastern Europeans were more clever and somewhat ambitious; they would get jobs as couriers on false papers (yes false!)
To do this all they needed was a good computer, scanner, printer and someone with some technical knowledge.
This allowed so many of them to open bank accounts with false/altered bills, wage receipts, even other statements from other banks.
Once with a bank account open they would build up a good credit rating and this could be done on up to four different accounts.
Another thing the EE's were doing was intercepting secured mail by working as couriers. It started off by just intercepting credit cards & cheque books like the Nigerians, but they realized that data was much more valuable than just plastic. At this time there were, and still is, a certain group of people within that fraternity who have access to an awful lot of information and more understanding of this kind of nature.
They would be the most likely to organize this kind of crime.
Another thing that really startles me is the statistics!
Who does the Math in this country?
By British assumptions there is an estimated 1,600,000 “Minority” living here in the U.K, but anyone who knows Britain would smirk at this as there seems to be more than this in just London alone.
I have nothing against this “Minority” or its cultural differences but am very intrigued to find out why this worrying phenomenon is occurring, as now many dangerous groups are & have been entering the U.K with full citizenships, id's such as driving licences etc. It's got to such a state that
English people have now become a minority in many of its cities and yet no one is saying anything.
Anyone interested in their country’s future interest should know who runs the infrastructure, the post offices, the social security departments, the passport offices,
the records office, even the home office!
Am I surprised?
No I am not, in the past I had written to both the PM’s office, the Home Office & also to the US of this but nothing ever happened and no one ever called but each day the problem grows.
Hugh Hill (Sent Dec 2, 2007 12:37:28 PM)
So here is the current modern day version of how a growing segment of the 'elites' gets even bigger. Since legitimate means of becoming financially secure are ever harder to accomplish, the criminal method is becoming the preferred method and it is relatively easy. And now that people are wanting more wealth than being just financially secure the risks are worth it, because with this story's content and some of the commenters' ideas it is obvious that the powers that can prevent this are not much inclined to prevent it.
(Sent Dec 2, 2007 1:36:11 PM)
steve, no. only 3.9876 X 5.4567 X 1000 :DDD
(Sent Dec 2, 2007 1:53:57 PM)
Of course if this happened in the United States no one would be forced to resign as was the head of Britain's Revenue and Customs office. It would simply be swept under the carpet with a simple "we're trying harder" statement from the administration. THERE IS NO ACCOUNTABILITY IN THIS COUNTRY ANYMORE BY ANYONE FOR ANYTHING!!" Remember New Orleans and 911?
Kyle, Corbin, KY (Sent Dec 2, 2007 2:05:34 PM)
No..the data WAS NOT ENCRYPTED...my wife's and kids' information was on that disk and if there is a problem I will put together a class action suit or whatever it is called here in England to force the Government to realize the seriousness of their screw-up. Especially as they sent us a letter telling us not to worry about it. It boggles my mind as to how stupid the British Government seems to think people are. They are in major CYA mode right now.
M.Piazza APO AE (Sent Dec 2, 2007 8:29:01 PM)
No worries. It was likely found by a Frenchman and is safe because he doesn't know what to do with it.
Julie Mayfield, Atlanta, GA (Sent Dec 2, 2007 9:57:27 PM)
In Germany I have had cash appear and disappear from my account, obviously a mistake in routing numbers.
The system is WAY too easy to steal from with a few simple encryption tools.
Life in the big city is gonna get real tough, when all this tech stuff blows the banks' data streams.
(Sent Dec 2, 2007 10:06:37 PM)
Cash and carry.
(Sent Dec 2, 2007 10:13:06 PM)
Perhaps much of a mountain has been made by this mole hill. Now, realistically, whose identifications are really worthwhile enough to steal? Maybe a small percent of people's, but then would someone dig through millions of names and related information to make up a concerted plan to steal that information? Only a small percentage again would resort to that and those people would normally be of the criminal ilk. So, while the loss of such a magnitude may be alarming, it is tantamount to just another white collar crime and it will not affect people en masse as reactions seem to say, but a handful of victims perhaps. Computer systems and related procedures are only as good as the people that program them and maintain them. This fact will remain with us forever.
Victor, Union City, California (Sent Dec 2, 2007 11:26:16 PM)
I say let's forego all this "convenience" and go back to good old paper records. We NEVER had this kind of problem then. Reminds me of when the people who sold us on how much we could trust them with our money didn't even give us a choice in how they would record the transactions we made. They TOLD us they were switching. To more secure and faster ways of dealing with us. And neither of those points have been validated in the 20 to 25 years since that happened. Hmmm, that sounds like breach of contract to me. Just think, had enough of us told our banks sayonara when they made their announcement, we might not now have that ever "popular" oxymoron, identity theft. Knowing who issues credit cards......
My latest adventure has gotten me to thinking, why do the banks keep sending out junk mail when they know what can happen??? This is what I've concluded. You get ripped off, the bank is taking their time resolving your issue, all the while charging interest and late fees. Takes them, oh say, 3 or 4 months to get it right and totally credit your account. Now, multiply that by how many people in the U.S. have accounts in banks that are insured by you, i.e. the federal gov., you know, F!D!I!C! To add injury to insult, they then have the gall to lower that all important credit rating after THEY allowed your information to become completely insecure. It doesn't matter if you bust your backside to do the right thing anymore.
What I can't figure out is how the mortgage problem is going to work out. How many of those mortgages were sold to companies in other countries?
In conclusion, I have chosen to cancel all my credit cards except the one I haven't activated. After all, they are just for emergencies, and a flat tire or an unneeded whatever doesn't count as that.
(Sent Dec 3, 2007 4:02:19 AM)
Fortunately, the guy who downloaded the data onto CD also printed out a hardcopy. Going in the mail as we speak. Write the password on there too in case the CDs show up later.
L Kyme, San Francisco, CA (Sent Dec 3, 2007 4:49:07 AM)
Excerpt from a letter from HM Revenue & Customs...
"I am writing to make a personal apology. A copy of some HM Revenue & Customs (HMRC) data about families, including yours, who have received Child Benefit has been lost. The copy of the data is likely to still be on government property. The police are now conducting a search, and there is no evidence that it is in the possession of anyone else. This will not affect your Child Benefit payments."
"This data includes you and your children's names".... etc.
"If you are paid through a bank or building society, they are aware of this matter. They are acting on this information, and assure us that they have appropriate safeguards in place to protect you."
"As is usual in these circumstances, if you are the innocent victim of banking fraud you will not have to pay, but you may want to take some precautionary steps to protect yourself. If you receive bills, invoices or receipts or see entries in your statements for goods or services which you have not ordered you should contact your bank or building society immediately.......if your password uses any of your personal data, for example your child's name or date of birth, you may also wish to consider changing any passwords you use."
"The advice of banks is there is no need for customers to ask for a new account or to contact their bank or building society. Your Child Benefit payments will continue to be paid as before and you do not need to contact HMRC. However if you experience any problems"..........'contact details'
"I would like to offer my personal apologies for any worry or concern this data loss may cause you. And I can assure you that all efforts are being made to ensure that such a loss can never happen again."
Dave Hartnett
Acting Chairman"
I've held back from adding comments; as you can probably tell, this letter made me feel better. Not!
Liz, UK (Sent Dec 3, 2007 5:30:48 AM)
To catch a criminal, one must think like a criminal.
(Sent Dec 3, 2007 9:28:12 AM)
I received a charge of $6.95 on my credit card listed as "Electronic Business" phone number (412)927-0410. When I called my credit card company they could only say that it showed as "bookstore." When I called this number a recording stated the mailbox was full. I check my credit card bills every month and I keep my receipts, I had no receipt and no memory of making this purchase. (Even though my memory fails me once in awhile.) Now I read all the messages from people across the US and find there are a lot of us being charged from something we did not purchase. Let's hope sometime soon these crooks get caught!
JoAnne, Dallas GA (Sent Dec 3, 2007 1:58:14 PM)
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Ferdinand, San Diego, CA (Sent Dec 3, 2007 5:46:19 PM)
I think that if such a large scale identity theft happened here the government would be somewhat stuck because something of this scale would be hard to control and prevent. If those disks were stolen, it could've been by someone working in the government itself. Or the disks could have been taken by different means. But to be stolen at all, if it wasn't by a pickpocket with some really good hands, there would had to have been a plan. And usually the people who come up with these plans make sure that every little detail is sealed up. If this theft was made by some highly intelligent criminals, my guess would be that they run an identity theft ring, and that they will try the same stunt again.
Whiz Kid, Evergreen, Colorado (Sent Dec 3, 2007 9:21:57 PM)
Maybe people should start taking time off and leaving their work at work.
There used to be a commercial on TV about a woman who was always named employee of the month because she never took any sick days. This was possible because she took Tylenol Flu Formula. I always thought it was a terrible message. Go to work sick with the Flu. Possibly cause the death of one of your co-workers, just to kiss up to the boss.
It's time to stop taking work home. Leave the laptops, dvds and cds at work. Get rid of the removable media. The costs of these security breaches are enormous.
We will all be better off.
AJ in Phoenix (Sent Dec 3, 2007 10:05:58 PM)
The professional people in this rebuttal are missing the point: the disks were intercepted/lost from the government.... so yes the concept of the loss is devastating here.... with 10,000 banks instead of 5 to collaborate and see whose bank accounts are being drained.... no one would know when/where/how the information was stolen to begin with.
(Sent Dec 4, 2007 2:21:03 AM)
I had the same thing happen to me, as in a 4.95 charge to my account from an electronic business, and every time I called the number (4129270410) it said the inbox was full, but my bank paid it back to me and no problem, cause I had googled the number and everything and it led me to here, so I hope whatever is going on stops soon!
(Sent Jan 3, 2008 3:07:57 PM)