Archive for April, 2008

Bank of Ireland Security Breach - 10,000 Customers

Tuesday, April 22nd, 2008

The theft of four Bank of Ireland laptops containing customers’ names and addresses, medical backgrounds, life assurance details and bank account details is big news at the moment.

The details of 10,000 customers were stored unencrypted on a number of laptops that were stolen - one from a BoI branch, and three from cars on separate occasions. I won’t even think about the laptop that was stolen from a branch - if somebody can walk into a bank and steal a laptop then obviously there is a much bigger issue here. But I’m stunned by the theft of laptops from cars - were these sitting on the passenger seat while some guy went in to Spar for his breakfast roll? Many companies train their employees on how to avoid getting their laptop stolen. Some high-tech approaches include putting the laptop into the boot of the car before leaving the office. But when you’re dealing with something as sensitive as we have here, is it even necessary for the information to leave the relative safety of BoI HQ? Why were employees of the bank carrying such sensitive information around in their cars? Why was it not encrypted? The fact that this was allowed to happen in the first place shows a lack of security awareness in the bank, and an inadequate security policy.

It gets worse. Justin Mason points out that the breach did not come from the bank at all - it was the DPC who first raised the issue. As we mentioned in relation to the jobs.ie hack, there are currently no laws for mandatory disclosure in Ireland. So if the bank does not take responsibility and inform its victims of the theft (out of good will or otherwise), how can we know that this has not happened before? They have admitted that this is not a once-off; these four laptops were stolen on separate occasions.

So what now for the 10,000 people whose medical details have been compromised? RTE references a statement by Mr Burrows from Bank of Ireland:

Mr Burrows, who was speaking in Belfast at the launch of new bank notes, admitted that the theft had been deeply embarrassing for the bank. But he said the bank is confident that none of the information stored on the computers has been illegally used.

How can the bank be confident that none of the information has been used illegally? They are monitoring the BoI accounts of those 10,000 victims, but do you think the only potential scam is to withdraw money? These thieves were resourceful enough to rob a bank; could we not assume that they’re capable of taking some medical records and personal details and selling them to professional scammers who are far more experienced in matters of fraud than anyone who works at BoI?

The issue here is an underlying lack of responsibility from BoI from start to finish. They were irresponsible when it came to protecting your data. They were irresponsible when they opted not to disclose the breaches initially. And now they’re being irresponsible as they play down the potential impact, moving to dismiss legitimate concerns that victims might have.

The Real Hustle - “The Recruitment Scam”

Monday, April 14th, 2008

BBC’s The Real Hustle is a TV show focusing on how easy it is to be scammed and conned in everyday life. This week, the team posed as recruitment consultants, highlighting the trust that job seekers are willing to impart during their job search.

The clip is an eye-opener - “identity theft on a grand scale”. In this episode, the girl gives her passport number and bank statements, which allow the hustlers to apply for mortgages, credit cards, duplicate passports, and birth certificates all in her name. She is not alone, as the other job seekers give their details without question, assuming that the recruitment agency is on their side. The staffing industry is very fragmented with the majority of recruitment companies doing less than $2 million in revenue. With so many small, owner-operated agencies, it is difficult to know who you can trust.

What The Real Hustle describes as “a steady stream of job seekers all willing to divulge their personal details” exists on the internet on a scale a million times larger. Due to the lower barrier to entry for online recruitment sites, without the need to rent an office or put on a suit, the online jobs market is even more fragmented and inherently less trustworthy. Even the most “legit” job sites have shown that, even if they do have your best interests in mind, they do not always take the steps necessary to protect your identity.

People often underestimate the value of information, but even something as inconspicuous as a maiden name is sometimes used as a password for banking. In this video, the girl is asked to choose a 4-digit PIN as part of her application, and she uses the same one as on her bank card. This is often the case with the passwords people choose online. Bad practices, such as storing plain-text passwords, are always going to exist; improving awareness is the key for now.

Resume theft? Tell Us Your Story.

Tuesday, April 1st, 2008

In light of recent security breaches leading to the theft of thousands of resumes, we are interested in hearing from any job seekers who have suffered as a result of one of these privacy breaches. Whether you found yourself added to some spam mailing lists, received fraudulent job offers or phone calls, or became a victim of identity theft, leave a comment or contact us; we would like to hear your story.

The reality is that the job board industry ($14B+) didn’t even exist 10 years ago and was not designed with the individual’s privacy in mind. Resumes are copyrighted material containing personal information that are bought and sold daily, often without the owner’s consent. Many job seekers have noticed that their resume has been distributed without consent, modified by recruiters, or stored for long periods of time without adequate concern for the security or privacy of the individual.

In addition to the breach of copyright law, the Federal Bureau of Investigation in the US has pointed out regularly that posting your resume makes it much easier for criminals to find you. The FBI is currently investigating all sorts of cases involving online job scams. The agency has actually issued a number of warnings and guidelines to people posting their resumes online. They point you to the Internet Crime Complaint Center if you think you have been defrauded online.

Many of the major job boards have procedures in place to prevent fraudsters’ “bots” downloading thousands of CVs at a time. Monster and Careerbuilder will cap the number of page views and also monitor excessive usage but, in all reality, the damage is often done by the time the warning bell goes off. The simple truth is that anyone with a login (purchased legally or hacked illegally) can access the information. Resume theft from job boards has been happening all the time and only now is getting any attention from the resume owners. The job board industry is new, has a low barrier to entry, is experiencing tremendous growth, and is generating enormous profits for the corporations who run the boards. The bottom line is that this industry was never designed to take an individual’s privacy and copyright protection into account.
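To show why a page-view cap catches bulk downloading only after the fact, here is an added example (not code from this post, nor from Monster or Careerbuilder) of the kind of per-login check described above: it counts CV views per account in a sliding window over a constructed access log and records how many resumes had already been pulled when the alert fires. The log format, the cap of 5 views and the 10-minute window are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real job-board data): one CV view per line,
# "ISO-timestamp account resume_id". recruiter_a browses at a normal pace;
# scraper_x pulls a resume every few seconds using a single login.
SAMPLE_LOG = """\
2008-04-01T09:00:00 recruiter_a 101
2008-04-01T09:00:03 scraper_x 201
2008-04-01T09:00:06 scraper_x 202
2008-04-01T09:00:09 scraper_x 203
2008-04-01T09:00:12 scraper_x 204
2008-04-01T09:00:15 scraper_x 205
2008-04-01T09:00:18 scraper_x 206
2008-04-01T09:04:00 recruiter_a 102
2008-04-01T09:15:00 recruiter_a 103
2008-04-01T09:25:00 recruiter_a 104
"""

def parse_log(text):
    """Turn the log into (timestamp, account, resume_id) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resume_id = line.split()
        events.append((datetime.fromisoformat(ts), account, resume_id))
    return sorted(events)

def detect_bulk_views(events, cap=5, window=timedelta(minutes=10)):
    """Flag any account whose CV views exceed `cap` inside a sliding `window`.

    Returns {account: (alert_time, resumes_already_viewed)}; the second value
    is how many distinct resumes the account had downloaded before the alarm
    fired, i.e. the damage already done when the warning bell goes off.
    """
    recent = defaultdict(deque)   # account -> view timestamps still inside the window
    seen = defaultdict(set)       # account -> every resume viewed so far
    alerts = {}
    for ts, account, resume_id in events:
        seen[account].add(resume_id)
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # drop views that fell out of the window
            q.popleft()
        if len(q) > cap and account not in alerts:
            alerts[account] = (ts, len(seen[account]))
    return alerts

if __name__ == "__main__":
    for account, (when, already) in detect_bulk_views(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: alert at {when:%H:%M:%S}, {already} CVs already downloaded")
```

With the assumed cap, the scraping login trips the alarm on its sixth view, by which point six resumes are already gone; the ordinary recruiter never triggers it.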

This issue is the heart of our efforts at Glandore Systems and we want to hear from you. We are working not only to highlight the issue but to present technological solutions and promote strong privacy practices.