News is breaking of a breach at HSBC affecting 24,000 customers with Swiss bank accounts. The implications of this breach are global, and the press is speculating that the breach could expose those using the accounts to avoid taxation in their home countries.
French authorities have identified a former IT employee of a Swiss subsidiary as the suspect and allege that the former employee obtained the information between late 2006 and early 2007. Initially, when HSBC discovered the breach, it thought it affected fewer than 10 customers. The reality is that approximately 15 percent of the bank’s customers could have been affected.
From a security standpoint there are a number of things that make this newsworthy. First, the breach was allegedly committed by an insider, and insider theft is among the greatest dangers to financial data. Second, it appears that the suspect was attempting to sell the data, with speculation that he was offering the information to countries to identify tax evaders. Third, there is the numbers question: how could HSBC identify “fewer than 10” affected customers and then have a breach that in reality numbered in the tens of thousands? Finally, there is the question of sovereignty. France is one country that has access to some of the data. It has promised to turn the data over to Switzerland, but the plain fact is that there is no clear-cut law that would prohibit France from using the data against citizens who were using Switzerland to avoid taxation.
With truly international data breaches, how long will it take to get truly international legislation?
Thursday, 11 March 2010
Tuesday, 17 November 2009
The T-Mobile “Defense”
An old English proverb tells us that “There are none so blind as those who choose not to see.” Today T-Mobile are in the news for insiders selling on customer personal data in breach of UK data protection legislation. T-Mobile claim the data was sold "without our knowledge".
The key word in this excuse is "knowledge".
- What did they know about their data and the way it is/was used?
- What did they know about the data leak?
- What do they know that they are not telling us?
- Did they, in fact, have any actual knowledge or did they simply choose not to look?
The UK Information Commissioner, Christopher Graham, is advocating custodial sentences for this type of abuse of personal data. Until there is sustained public understanding resulting in political pressure, I doubt this will ever become a reality in the near term.
Perhaps it is not just T-Mobile who choose not to see – maybe it is us, the people, who let our personal information float freely, without truly understanding how it is used.