The BMO Financial Group found some silver linings in a dark cloud after “human error” allowed two servers with confidential customer data to be briefly offered for sale on eBay last week.
According to the bank, two BMO servers were shipped to Toronto resident Geoff Ellis. In an apparent case of mistaken identity, an employee of Ecosys Canada Inc. (a subcontractor of Mississauga, Ont.-based Rider Computer Services Ltd., an outsourcing partner of BMO which deals with the bank’s outdated computer equipment) sent the wrong servers to Ellis. Instead of receiving machines wiped clean of all customer data, Ellis received two servers which had not yet been sanitized. Ellis, who resells computer equipment on eBay, subsequently offered the machines for sale on the Web site.
Robert Garigue, the bank’s chief information security officer, said there were two silver linings to the story. The first, and arguably the most important, was that Ellis checked the machines just after he put them up for sale and noticed the drives contained data. He quickly pulled them off the site and contacted the bank. Because of Ellis’s actions no BMO data was compromised.
The other silver lining, and one all Canadian companies can learn from, is the need to constantly revisit the policies and procedures devoted to the disposal of corporate data, whether disposal is done internally or through outsourcing contracts.
“It is a painful lesson, but if you don’t learn you will be forced to repeat it again,” Garigue said.
“It is an opportunity to share in understanding how [this] occurred and fold that knowledge back into our processes…and in fact our education and awareness,” he continued. “That is one of the beneficial side effects of having gone through this.”
Many corporate executives think this event is unlikely to occur at their business and agree with the bank’s assessment that it was a one-in-a-million occurrence.
But one security expert at a large Canadian financial institution scoffed at the idea this was a unique incident. The expert said this sort of thing crops up far more than is ever reported and can often be blamed on improper due diligence surrounding outsourced work. He said BMO is certainly not alone in dealing with the difficulties of corporate data disposal.
On more than one occasion the security expert purchased seemingly new hard drives only to find them full of data from other companies.
“The problem is that it takes time and resources to erase drives,” he said, adding that third-party vendors take short cuts on occasion. “In our group here, we wipe our own drives.”
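The check a practitioner would want before a drive leaves the building, shown here as an added example that is not BMO's, Rider's or Ecosys's procedure: a Python script that reads an entire disk image (or block device) and confirms every sector holds the wipe pattern, beside a cheap spot-check that illustrates why sampling is exactly the kind of short cut that lets residual data ship. The wipe standard (a single pass of 0x00), the 8 MiB sample images and the leftover customer record are all constructed for illustration and are not from the article.

```python
"""Sanitization verification for a disk image or block device.

Added example, not any bank's or vendor's process. Assumes the wipe standard
is a single pass of one fixed byte (0x00 by default) and that verification
must read the whole device, not a sample of it.
"""
import os
import tempfile

SECTOR = 512


def verify_wiped(path, pattern=b"\x00", chunk_size=1 << 20):
    """Read the whole image/device and confirm every sector holds `pattern`.

    Returns (ok, first_bad_offset, bad_sector_count). Reading everything is
    the only way to be sure; compare sampled_check() below.
    """
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    expected = pattern * chunk_size
    first_bad, bad_sectors, offset = None, 0, 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            if data != expected[:len(data)]:
                # Chunk differs: locate the offending sectors inside it.
                for i in range(0, len(data), SECTOR):
                    sec = data[i:i + SECTOR]
                    if sec != pattern * len(sec):
                        bad_sectors += 1
                        if first_bad is None:
                            first_bad = offset + i
            offset += len(data)
    return first_bad is None, first_bad, bad_sectors


def sampled_check(path, pattern=b"\x00", stride=100):
    """Spot-check every `stride`-th sector only.

    Fast, and wrong for this purpose: it inspects 1/stride of the disk, so a
    single leftover record between two sampled sectors passes unnoticed.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        for sector in range(0, size // SECTOR, stride):
            fh.seek(sector * SECTOR)
            if fh.read(SECTOR) != pattern * SECTOR:
                return False
    return True


def build_sample_images(directory):
    """Constructed sample data: an 8 MiB image that was fully zeroed, and one
    zeroed except for one leftover record (a made-up customer line)."""
    size = 8 << 20
    clean = os.path.join(directory, "clean.img")
    dirty = os.path.join(directory, "dirty.img")
    with open(clean, "wb") as fh:
        fh.truncate(size)          # zero-filled (sparse where supported)
    with open(dirty, "wb") as fh:
        fh.truncate(size)
        fh.seek((3 << 20) + 100)   # somewhere in the middle of the disk
        fh.write(b"CUST 0001,EXAMPLE NAME,ACCT 000000000,BAL 0.00\n")
    return clean, dirty


def run_demo():
    """Build the sample images in a temporary directory and return both
    checks' results for each, keyed by image name."""
    with tempfile.TemporaryDirectory() as d:
        clean, dirty = build_sample_images(d)
        return {
            "clean": (verify_wiped(clean), sampled_check(clean)),
            "dirty": (verify_wiped(dirty), sampled_check(dirty)),
        }


if __name__ == "__main__":
    for name, ((ok, off, n), sampled_ok) in run_demo().items():
        print(f"{name}: full read ok={ok} first_bad={off} "
              f"bad_sectors={n} sampled_ok={sampled_ok}")
```

Against a real device the same function is pointed at the block device node (for example `/dev/sdX` on Linux, run as root) after the wipe tool has finished; a non-zero `bad_sectors` count means the drive goes back into the wipe queue, and the returned offset tells the operator where to look. The dirty image passes the sampled check and fails the full read, which is the whole point.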
“In a large part [companies] are unknowingly taking risk,” said Jim Hurley, vice-president of Aberdeen Group’s security, privacy and operations risk management practice in Boston, referring to the often blind trust companies seem to have that outsourcers are always doing exactly what they are contracted to do.
But for BMO it is not about placing blame – it is about improving procedures.
“As part of our [business] there are lots of assets that get moved around the organization and certainly we are reviewing the processes about how to do that the most effectively,” Garigue said.
Though the outsourcers were directly to blame, as erasing the drives was their responsibility, Garigue did not shirk BMO’s own responsibility. BMO “has the accountability and the moral responsibility of ensuring that [customer] information is managed appropriately,” he said.
In response to this incident “BMO has initiated a complete review of its processes and those of its third-party providers to identify how the current process can be improved,” said an e-mail to IT World Canada.
Hurley said one potential fallout from the BMO story is that companies may revisit how much of their corporate data handling they outsource. The more rules, regulations and players added to the equation (different levels of disk sanitization for different business units, and multiple outsourcers each with their own procedures), the greater the likelihood of a problem like this occurring, he said.
Though BMO will address all of its concerns with Ecosys and Rider, Garigue does not imagine the bank will abandon the relationship.
“They are as mortified as we are about this situation,” he said. Regardless, the event was deemed serious enough to get BMO CEO Tony Comper involved, Garigue said, so there have been some late nights.
Thankfully, in light of all Garigue has gone through, he has managed to keep some levity. “Today I got a hundred per cent more (sleep) – I got two hours,” he said.