This Is Guernsey

By Tom Edwards

ISLANDERS are probably not at risk after a computer containing bank customers’ personal details was sold on Ebay, a Guernsey IT security expert has said. Carl Ceillam, pictured, from Ernst & Young, said there was no obvious link to the Channel Islands and the data was likely to be out of date anyway.

The computer had belonged to a third-party archiving firm called Graphic Data to store the details of more than one million RBS, NatWest and American Express customers.

It contained names, addresses, mobile phone numbers, bank account numbers, sort codes, credit card numbers, mothers’ maiden names and even signatures and was sold for just £35.

‘It’s impossible to say what effect this latest breach will have on people in Guernsey, as we don’t know how old the data is,’ said Mr Ceillam.

‘From what we understand, it involves some form of third-party archiving provider and it could be years out of date.’

Mr Ceillam said security breaches were becoming more sophisticated and the business community needed to get a better understanding of data-protection rules.

‘It’s not just about being compliant: companies need to look at what other firms are doing and get assistance if they need to. There’s no shortage of security breaches and over the last couple of years we’ve seen cybercrime go from geeky hackers showing off to their mates to organised gangs making a lot of money from attacks.’

Despite this, firms were still failing to take data protection seriously, he added.

‘They’re leaving it to chance and hoping that their existing measures are sufficient, but are not checking and testing their systems.

‘When things go wrong, you realise that most of the time there weren’t adequate controls in the first place. Businesses need to wake up and be more proactive rather than just waiting until the wheels fall off.’

In the case of the computer sold on Ebay, it highlighted the need to ensure third parties also followed data-protection standards, said Mr Ceillam.

‘If you’re outsourcing large amounts of information, you don’t also transfer responsibility for security. It’s still up to you to make sure that adequate data-protection measures are in place.’

Destruction of data was also just as important an issue as well, he added.

‘I don’t know why they were selling the computer in the first place, but if you’re getting rid off stuff, you must do it properly.

‘More people are destroying hard disks these days as they have no resale value anyway. There’s no point risking it for the sake of £35 on Ebay.’

Article posted on 1st September, 2008 - 2.30pm