A hard lesson learned

The BMO Financial Group found some silver linings in a dark cloud after “human error” allowed two servers with confidential customer data to be momentarily offered on eBay last month.

According to the bank, two BMO servers were shipped to Toronto resident Geoff Ellis. In an apparent case of mistaken identity, an employee of Ecosys Canada Inc., (a subcontractor of Mississauga, Ont.-based Rider Computer Services Ltd., an outsourcing partner of BMO that handles the bank’s outdated computer equipment) sent the wrong servers to Ellis. Instead of receiving machines wiped clean of all customer data, Ellis received two servers that had not yet been sanitized. Ellis, who resells computer equipment on eBay, offered the machines for sale on the Web site.

Robert Garigue, the bank’s Toronto-based chief information security officer, said there were two silver linings to the story. The first, and arguably the most important, was that Ellis checked the machines just after he put them up for sale and noticed the drives contained data. He quickly pulled them off the site and contacted the bank. Because of Ellis’s actions no BMO data was compromised.

The other silver lining, and one Canadian companies can learn from, is the chance to have all employees revisit corporate policies and procedures devoted to the disposal of data, whether it is done in-house or through outsourcing contracts.

“It is a painful lesson, but if you don’t learn you will be forced to repeat it again,” Garigue said.

“It is an opportunity to share in understanding how [this] occurred and fold that knowledge back into our processes.”

Many corporate executives think such and event is unlikely to occur at their company. But one security expert at a large Canadian financial institution scoffed at the idea this was a unique incident. He said this crops up far more than is ever reported and can often be blamed on improper due diligence surrounding outsourced work. He also said BMO is not alone in dealing with the difficulties of corporate data disposal.

On more than one occasion the security expert purchased seemingly new hard drives only to find them full of data from other companies. “The problem is that it takes time and resources to erase drives,” he said. Occasionally third-party vendors take short cuts, he said. “In our group here, we wipe our own drives.”

“In a large part [companies] are unknowingly taking risk,” said Jim Hurley, vice-president of Aberdeen Group’s security, privacy and operations risk management practice in Boston, referring to the often blind trust companies seem to have that outsourcers are always doing exactly what they are contracted to do.

But for BMO, it is not about placing blame – it’s about improving procedures. “As part of our [business] there are lots of assets that get moved around the organization and certainly we are reviewing the processes about how to do that the most effectively,” Garigue said.

Though the outsourcers were immediately to blame, since erasing the drives was their responsibility, Garigue did not shirk from BMO’s responsibility. BMO “has the accountability and the moral responsibility of insuring that [customer] information is managed appropriately,” he said.

In response to this incident “BMO has initiated a complete review of its processes and those of its third-party providers to identify how the current process can be improved,” said an e-mail sent to ComputerWorld Canada.

Hurley said one potential fallout from the BMO story is that companies may revisit outsourcing as much corporate data as they do. The more rules and regulations, and players added to the equation (different levels of disk sanitation for different business units and multiple outsourcers), the greater the likelihood of a problem, he said.

Though BMO will address all of its concerns with Ecosys and Rider, Garigue does not imagine the bank will abandon their relationship. “They are as mortified as we are about this situation,” he said. Regardless, the event was deemed serious enough to get BMO CEO Tony Comper involved, Garigue said, so there have been some late nights.



Related Download
IDC White Paper: Flash Accelerated and Cloud Ready: New Storage Requirements for Enterprise Apps Sponsor: NetApp
IDC White Paper: Flash Accelerated and Cloud Ready: New Storage Requirements for Enterprise Apps
Check out the current virtualization market statistics and find out why flash is essential for virtual computing.
Register Now