A NAS device containing private bank account and credit card information on more than one million people was sold on eBay for £35. This shameful event should serve as a warning to all IT leaders. Physical security comes first!


When Andrew Chapman, an IT manager in the UK, bought a used Snap! box on eBay for £35, he got a lot more than he expected. Unbeknown to Chapman, the machine contained personal bank account and credit card information on over one million American Express, Royal Bank of Scotland (RBS), and NatWest customers. Chapman told TechRepublic sister site ZDNet UK on Tuesday “that the server, a network attached storage (NAS) box, contained unencrypted backups of CDs.” Graphic Data, a data-archiving firm, had used the machine to store information for RBS, of which NatWest is a subsidiary. Customer information included names, addresses, bank account numbers, telephone numbers and customer signatures.

According to ZDNet UK:

“The IT equipment that appeared on eBay was not planned to be disposed [of] by the company and investigations are still ongoing to find out how this equipment was removed from one of Graphic Data’s secure locations,” the company said in the statement. “We take customer privacy and data security very seriously. This incident is extremely regrettable and we’re taking every possible step to retrieve the data and ensure this is an isolated incident.”

According to the Daily Mail, “a spokesman for Mail Source, which owns Graphic Data, put the situation down to an ‘honest mistake’.” We all make mistakes, and even the best IT departments mess up now and again. But Graphic Data’s allowing an employee, whether through act or omission, to sell hard drives that held, or even once held, sensitive data is shameful. Shameful not just because the data was lost, but because this failure was easily preventable. Graphic Data lost control of the data because adequate physical security policies either weren’t in place, weren’t followed, or weren’t enforced.

Lesson for IT Leaders: Physical security comes first!

The best network and data security measures mean nothing if you don’t adequately control physical access to your hardware. In his TechRepublic article, “Protect corporate data with these physical security precautions,” Mike Mullins suggests the following guidelines for restricting personal access to your facilities:

  • Initiate a badge program that includes an employee picture, and color-code specific areas of access.
  • Make it a policy to question anyone who doesn’t have a visible ID badge.
  • Escort, observe, and supervise guests for their entire visit.
  • Don’t allow anyone — including vendors, salespeople, etc. — to connect personal laptops (or any other computing device) to your network.
  • Don’t allow anyone to add hardware or software to computers without proper authorization.
  • Watch out for “tailgaters.” These people wait for someone with access to enter a controlled area (such as one with a locked door) and then follow the authorized person through the door. Tailgaters enter without using their own key, card key, or lock combination.

Mullins recommends these guidelines for protecting information and equipment access:

  • Place monitors and printers away from windows and areas where unauthorized persons could easily observe them.
  • Shred or otherwise destroy all sensitive information and media when it’s no longer necessary.
  • Don’t leave documents unattended at fax machines or printers.
  • Require all users to log off or power down workstations at the end of the working day.
  • Lock up portable equipment (e.g., laptops, PDAs, media, memory sticks) out of sight in a safe storage place overnight.
  • Don’t allow the removal of computers or storage media from the work area or facility without ensuring that the person removing it has authorization and a valid reason.
  • Provide locks or cables to prevent theft, and lock computer cases.

I hope Graphic Data’s experience reminds IT leaders that physical security comes first.