TORONTO (09/18/2003) - The BMO (Bank of Montreal) Financial Group found some silver linings in a dark cloud after "human error" allowed two servers with confidential customer data to be momentarily offered on eBay last week.
According to the bank, two BMO servers were shipped to Toronto resident Geoff Ellis. In an apparent case of mistaken identity, an employee of Ecosys Canada Inc. (a subcontractor of Mississauga, Ontario-based Rider Computer Services Ltd., an outsourcing partner of BMO which deals with the bank's outdated computer equipment) sent the wrong servers to Ellis. Instead of receiving machines wiped clean of all customer data, Ellis received two servers which had not yet been sanitized. Ellis, who resells computer equipment on eBay, subsequently offered the machines for sale on the Web site.
Robert Garigue, the bank's chief information security officer, said there were two silver linings to the story. The first was that Ellis checked the machines just after he put them up for sale and noticed the drives contained data. He then quickly pulled them off the site and contacted the bank. No BMO data was compromised because of Ellis' actions.
The other silver lining is the attention this situation brings to corporate data disposal policies, whether done internally or through outsourcing contracts.
"It is a painful lesson, but if you don't learn you will be forced to repeat it again," Garigue said.
"It is an opportunity to share in understanding how (this) occurred and fold that knowledge back into our processes...and in fact our education and awareness," he continued. "That is one of the beneficial side effects of having gone through this."
Many corporate executives think this event is unlikely to occur at their business and agree with the bank's assessment that it was a fluke occurrence.
But one security expert at a large Canadian financial institution scoffed at the idea that this was a unique incident. The expert, who wished to remain anonymous, said these data disposal problems occur commonly and can be blamed on improper outsourced work. He said BMO is certainly not alone in dealing with the difficulties of corporate data disposal.
On more than one occasion the security expert purchased seemingly new hard drives only to find them full of data from other companies.
"The problem is that it takes time and resources to erase drives," he said, adding that third-party vendors take short cuts. "In our group here, we wipe our own drives."
"In a large part (companies) are unknowingly taking risk," said Jim Hurley, vice president of Aberdeen Group's security, privacy and operations risk management practice in Boston, referring to the blind trust companies place in outsourced work.
But for BMO it is not about placing blame; it is about improving procedures.
"As part of our (business) there are lots of assets that get moved around the organization and certainly we are reviewing the processes about how to do that the most effectively," Garigue said.
Though the outsourcers were immediately to blame, as erasing the drives was their responsibility, Garigue did not shirk BMO's own responsibility. BMO "has the accountability and the moral responsibility of ensuring that (customer) information is managed appropriately," he said.
In response to this incident "BMO has initiated a complete review of its processes and those of its third-party providers to identify how the current process can be improved," said an e-mail to IT World Canada.
Hurley said one potential fallout from the BMO story is that companies may revisit outsourcing corporate data. The more rules, regulations and players added to the equation (different levels of disk sanitation for different business units and multiple outsourcers) the greater the likelihood of a problem like this occurring, he said.