AlertBoot Endpoint Security

Drive Encryption Software: NIE Loses Backup Tape With Customer Data

Northern Ireland Electricity (NIE) has lost a backup tape that contained the bills of 12,799 homes. Billing information, names, and addresses were included, but nothing that would be considered sensitive under the DPA--meaning, in some ways, that data protection software like data encryption from AlertBoot was not necessary.

Lost During Transportation

The backup information on the tape is further backed up onto microfiche files, and the tape was lost en route to the microfiche-copying facilities.

The actual information on the data tape included account names, addresses, customer numbers, billing amount, previous payments, and account balances for August 10, 2009.  (This was a single day's billing information.)

All in all, I'd agree that this is not sensitive, personal information.  However, there are two things I don't like about this case.

Argumentative

"...while we have not been able to locate this tape, there is absolutely no evidence to suggest that it has fallen into the wrong hands."

These are the words spoken by the NIE Energy managing director, Mr. McCully.  And while I'm sure that there's a very low probability of something coming out of this data tape loss, the fact is that there is also absolutely no evidence to suggest that it has not fallen into the wrong hands.

I don't know where I read it, but as I understand it, most crimes go unresolved.  Why do they go unresolved?  Because there's no evidence.  The fact that there is "absolutely no evidence" of a crime, but that it may be an accidental loss, is meaningless, if you consider that in most cases there is no evidence, period.  It'd be more accurate to say, "we don't know what happened."

Of course, no self-respecting company is going to go around releasing such announcements.

Still Dangerous

While the information lost on the tape is not sensitive, it's only one step removed from gaining sensitive information.

Consider the following scenario: an enterprising hacker or hackers steal the tape, not really knowing what they will find on it. They access the data--as far as I know, encryption software was not used to secure the information--and see information that pertains to NIE and NIE alone.

The information in its present state is useless.  However, they see the glimmers of possibility.

Could it not be possible to concoct some kind of story where the 12,000-plus people are promised a reduction in their energy bills by following a link that's printed on an NIE letter (using counterfeit letterhead, of course)?

Perhaps based on their account balance as of August 2009, or whatever: there's certainly enough information to give the letter some "authoritative" context.

And, when people type in the URL, malicious code is automatically downloaded and installed on the unwitting customer's computer to steal passwords to on-line banking and whatnot.

The above is one of the ways that phishing campaigns are carried out, although it's more work than usual: most phishers carry out their attacks via e-mail, not regular mail.  But, criminals are not really a fussy bunch, and will use whatever methods they can.

Instead of the empty arguments of "no evidence" of criminals behind the situation, I would have preferred, and been comforted by, the use of encryption if I were one of the 12,000.


Related Articles and Sites:
http://www.wexfordpeople.ie/breaking-news/national-news/data-tape-with-bill-details-lost-2022377.html
http://www.belfasttelegraph.co.uk/news/local-national/nie-data-tape-with-13000-bill-details-lost-14641958.html


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.