BMO scours runaway servers for possible data leaks

A pair of servers belonging to the Bank of Montreal that wound up in the public domain through a recycling program contained databases holding employee and possibly customer information, the bank confirmed Monday.

The Bank of Montreal was still working with the company that manages its hardware assets, Rider Computer Services Ltd., to learn exactly what is on the databases at press time. The recovery process was hindered by the fact that the servers ran on an older operating system, a BMO spokesman said, but some employee information has already turned up.

“If it’s all employee information, then we have a very effective system of informing all our employees directly,” said Ian Blair. “If it’s customer information we’ll be looking at the most practical and most efficient way to inform them as well. But at this stage — and we’re quite confident in this now — no information was compromised and no accounts were compromised.”

News of the security breach came to light after the reseller who bought the IBM Netfinity servers from Rider subsidiary Ecosys Canada posted them for auction on eBay. After turning one of the servers on, the reseller told the Toronto Star he was able to access hundreds of BMO customer records without using a password. The servers, whose hard drives should have been scrubbed before they were resold, have since been returned to the bank. Rider told the Star the computers were simply taken from the wrong skid in the warehouse.

Blair said BMO had been working with Rider and Ecosys for more than five years, and that it had processed more than one million pieces of hardware in that time without incident.

“We’re a large organization, and when we look for outsourcers and sub-contractors we basically only go to the reputable, high-end ones,” he said, adding that the bank had done a complete review of Ecosys’s recycling procedures about six months ago. “They passed with flying colours.”

Rider vice-president Colin Taves said the company will try to remove as much human intervention from the Ecosys warehouse as possible by creating a cordoned-off area that will not be accessible to some pickers. It will also be installing software to ensure outbound hardware is equipped with the right verification code.

“At that time, when that occurred it was assumed that that skid had been released and had gone through the process,” he said. “Now having learned from that we’re putting in another triple check at the back end out the door so it verifies with the system whether or not it was scrubbed.”

Asset management and hardware disposal have become major issues for corporate enterprises. IBM and HP, among others, have started offering services to take over the recycling and disposal process, while other companies, like Noranda, built facilities in Canada dedicated to handling electronics waste.

In May, members of Canada’s IT industry created a not-for-profit organization called Electronics Product Stewardship Canada to develop a national policy for recycling computer products. David Betts, the organization’s president, said BMO’s predicament is not that uncommon.

“We’ve seen a number of examples of similar kinds of arrangements where you have to sign certifications that the material has been taken off and so forth,” he said. “Some companies refuse to even allow you to sell it to a third party.”

At CDI Computer Dealers Inc., which also offers a recycling service, hardware is first cleaned for dust before moving to a technician’s bench, where software is used to erase the hard drive, according to vice-president of sales Saar Pikar. From there it goes to a second technician who gives it a second check. All equipment is then given a tag number in the warehouse so that it can’t be removed without verification.

“We don’t think it’s ever a good thing that something went wrong, but it’s good for business for us because it takes away business from people who aren’t very reliable,” he said.

Blair said BMO was satisfied with the way Rider had handled the situation.

“This was a very isolated incident, it was unusual, we took immediate action. We’re finding that resonates with people,” he said.

Comment: info@itbusiness.ca