The BMO Financial Group found some silver linings in a dark cloud after “human error” recently allowed two servers with confidential customer data to be briefly offered on eBay.
According to the bank, two BMO servers were shipped to Toronto resident Geoff Ellis. In an apparent case of mistaken identity, an employee of Ecosys Canada Inc. (a subcontractor of Rider Computer Services Ltd., an outsourcing partner of BMO which deals with the bank’s outdated computer equipment) sent the wrong servers to Ellis. Instead of receiving machines wiped clean of all customer data, Ellis received two servers which had not yet been sanitized. Ellis, who resells computer equipment on eBay, subsequently offered the machines for sale on the Web site.
Robert Garigue, the bank’s chief information security officer, said there were two silver linings to the story. The first, and arguably the most important, was that Ellis checked the machines just after he put them up for sale and noticed the drives contained data. He quickly pulled them off the site and contacted the bank. Because of Ellis’s actions, no BMO data was compromised.
The other silver lining, and one all Canadian companies can learn from, is the important reminder of the need to constantly revisit policies and procedures devoted to the disposal of corporate data, whether it is done internally or through outsourcing contracts.
“It is a painful lesson, but if you don’t learn you will be forced to repeat it again,” Garigue said. “It is an opportunity to share in understanding how [this] occurred and fold that knowledge back into our processes…and in fact our education and awareness. That is one of the beneficial side effects of having gone through this.”