Bank of Ireland: data breach repeat offender

By | November 7, 2008, 6:55am PST

Summary: A Bank of Ireland employee lost an unencrypted USB memory stick containing personal information belonging to 894 customers. Stopping this problem requires more stringent government enforcement.


Finextra reports:

The personal information, including account numbers, phone numbers and addresses, was copied onto the USB device in contravention of the bank’s policies and procedures.

Bank of Ireland has a history of allowing private customer information to escape. Earlier this year, the bank lost data on 10,000 customers when four laptops were stolen. Perhaps unsurprisingly, that data was also not encrypted:

The computers - which contained data on customers who had obtained a quote or purchased a life assurance policy from seven BoI branches in the Republic of Ireland - were stolen between June and October last year….

THE PROJECT FAILURES ANALYSIS

Many organizations, including Bank of Ireland, do not handle confidential customer data with a sufficient level of care. The problem continues because practical IT reality makes formal security policies difficult to enforce.

For example, consider this likely scenario: an IT worker intends a quick data transfer from one computer to another using a standard USB flash drive. Along the way, he buys coffee and unintentionally leaves the unencrypted memory stick on the counter, creating a data breach and violating numerous corporate policies and government regulations.

I asked Ken Citarella, Principal of Internal Corporate Security Solutions, a private investigations firm based in White Plains, NY, for his thoughts. Ken is a retired prosecutor with 27 years' experience fighting white collar and computer crime:

No written policy can overcome human error unless people are vigilant about their ordinary behavior. Employees will not follow security procedures unless management enforces those policies rigorously. On-going training, communication, and management commitment are critical to preventing data breaches. Failing these steps, data losses will continue.

My take. This problem won’t be solved without stringent government regulation, including stiff penalties and jail time for severe offenders. Here’s a simple way for large organizations to reduce the problem: immediately terminate employees who violate data protection policies. If you think that’s overly Draconian, speak with an identity theft victim.

[Via Dennis Howlett. USB teddy bear photo, illustrating my impression of the Bank of Ireland, from necromanc.]


Michael Krigsman is a recognized authority on the causes and prevention of IT failures.

Disclosure

Michael Krigsman

Michael Krigsman writes and speaks about technology in a manner that most observers consider to be fair and balanced. Michael believes that writing about IT failures, which often have complex causes, creates a unique obligation to be reasonable and accurate in both reporting and analysis.

Michael maintains active personal and professional relationships with enterprise technology buyers, vendors, analyst firms (or individual analysts), consultants, and system integrators. As CEO of Asuret, Michael sells and delivers paid services to members of these same groups.

Vendors regularly reimburse Michael's out-of-pocket travel expenses to attend industry conferences and events. Conference organizers frequently waive entry fees when Michael attends industry events. Michael often speaks at industry conferences and events.

He is a member of the Enterprise Irregulars, a loose association of consultants, investors, industry representatives, analysts, and users of enterprise software.

For daily updates on Michael's activities, follow him on Twitter.

Biography

Michael Krigsman

Michael Krigsman is CEO of Asuret, Inc., a consulting company dedicated to reducing technology implementation failures. Asuret's suite of software tools improves the success rate of enterprise software deployments by quantifying and measuring governance issues that cause most project failures. Michael led the research effort underlying Asuret's model of collective intelligence and its practical application to reducing IT failures in consulting environments. He is a recognized authority on the causes and prevention of IT failures and is frequently quoted in the press on IT project and related CIO issues. He is considered an enterprise software industry "influencer" and provides advice to technology buyers, vendors, and services firms.

Previously, Michael served as CEO of Cambridge Publications, which develops tools and processes for software implementations and related business practice automation projects. Michael has been involved with hundreds of software development projects, for companies ranging from small startups to Fortune 500 organizations. Michael graduated with an M.B.A. from Boston University and a B.A. from Bard College. He is a Board member of the America's Cup Hall of Fame and the Herreshoff Marine Museum in Bristol, RI.

Talkback Most Recent of 2 Talkback(s)

  • There is actually a solution...
    I agree that training and internal policies are important. However, you cannot just rely on the human factor, you need to adopt technology. Secure USB flash drives with strong encryption like the SanDisk Enterprise Cruzer and a data management platform could do the work. There are also other solutions, even open source which can provide reasonable protection, although not always enterprise-grade.
    Rasdrawer
    8th Nov 2008
  • ZDNet Blogger

    Technology is not the answer
    How do you actually force folks to follow the procedures? They don't follow policy now, so the issue becomes how to encourage them to do so in the future.

    Thanks for commenting.
    mkrigsman@...
    10th Nov 2008
