Bank Systems & Technology is part of the Informa Tech Division of Informa PLC


01:50 PM

KYV--Know Your Vendors

When it comes to data breaches, it seems the hits just keep on coming. I ran across this somewhat disturbing story in the UK's Daily Mail in which a computer was sold on eBay containing the personal information on thousands of UK banking customers from NatWest, Royal Bank of Scotland and American Express.

An employee of the banks' outsourced data storage vendor, Graphic Data, took the computer and sold it on the online auction site. The Mail article doesn't mention how this employee got his hands on the PC. However, there is no doubt that someone at the firm dropped the ball. I know some companies sometimes sell old computers to employees, with wiped drives, of course. (My own company used to do this, according to my IT go-to guy, but stopped a couple of years ago.)

It was also unclear in the article whether this data was actually used by thieves. Maybe the eBay seller was just a careless employee? It could have been an accident, but don't tell that to the thousands of people whose personal information (including signatures!) was on that hard drive. Luckily, the buyer turned out to be an honest fellow so there's a slim chance that none of the data fell into the wrong hands.

This instance certainly drives home the need for banks to vet technology service providers and to perform thorough due diligence on every one of them on an ongoing basis. In a feature on vendor management I wrote for the August issue, the topic of security and vendors came up. Everyone interviewed for the article basically said the same thing: The vendor/outsourcer must meet the same security standards as your bank because it should be considered an extension of the bank.

When there's a data breach, the customers won't care if it was the fault of the bank's outsourced service provider. The only name they'll see and care about is the bank's name. And the bank is ultimately the one that takes the hit.

Hopefully the Mail story will have a "happy" ending and investigators will find that the data wasn't used at all.
