Bank of Ireland: “we don’t understand fraud”

Check out this logic from the Bank of Ireland, spotted by waider in today’s news:

Last week, the bank said that medical records, bank account details, names, addresses and dates of birth of 10,000 customers were on the laptops. […]

Bank of Ireland said an assessment had concluded that the risk of fraud arising from the thefts was ‘very low’, as the data on the laptops did not include bank account passwords, PINs or copies of signatures.

So a fraudster would have medical records, bank account details, names, addresses and dates of birth of 10,000 customers, but the risk of fraud is ‘very low’? Incredible.

Update: make that 30,000 customers.

Update 2: 31,500 customers, and a sample letter.

This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.

6 Comments

  1. Kevin
    Posted April 28, 2008 at 16:59 | Permalink

    I assume that’s because BOI’s exposure to fraud is limited to that on accounts held with them. They’re not held legally responsible for identity theft perpetrated elsewhere using that info. (Even if they should be.)

    On that note, what do you all think is the most egregious type of fraud that’s enabled by the type of information stolen?

  2. Posted April 28, 2008 at 17:15 | Permalink

    I’d say the most egregious would be use of the card along these lines — card details stolen, used to buy flights, high-end resaleable consumer goods, or other high-value things that can be bought online without a PIN or signature. This would be the stuff the BoI might have noticed.

    In the US, it’s common for stolen name/address/SSN/date of birth info to be used to acquire new credit cards in your name, which are even more exploitable. This would be unnoticeable to the BoI, since there’s no connection to their existing accounts. I don’t know how viable that kind of fraud is in Ireland, however.

  3. Posted April 28, 2008 at 17:26 | Permalink

    btw, note that they’re not quoted as saying that the risk of fraud against their accounts is ‘very low’; they’re quoted as saying the risk of fraud, in general, arising from the leak is ‘very low’.

  4. Kevin
    Posted April 28, 2008 at 19:38 | Permalink

    That’s true. And going against Hanlon’s Razor* I’d bet the explanation is that they just don’t care about external fraud – they’re only looking inside their walls – and so the risk is “very low”. I’d hate to think that they’re actually that ignorant / naive! (But they probably believe the majority of their customers are.)

    (* “Never attribute to malice that which can be adequately explained by stupidity.”)

  5. Edward Lansink
    Posted April 30, 2008 at 10:52 | Permalink

    “I’d hate to think that they’re actually that ignorant / naive! (But they probably believe the majority of their customers are.)”

    I’d say it’s a PR exercise for damage control… and one which I hope will backfire. They do probably believe the majority of their customers are naive, and the worst thing is the majority of their customers could be gullible enough not to take any action.

  6. DannyH
    Posted March 3, 2009 at 09:16 | Permalink

    Manhattan hedge fund manager and part-time Palm Beach resident James Nicholson is under house arrest today, accused of securities fraud and bank fraud by federal prosecutors and the FBI. Westgate Capital is the next company to try and pull a Madoff. Nicholson allegedly took investment monies, intended for investing in a hedge fund, and then he and his partners essentially took all of it. They even went so far as to put up a Westgate Capital branded investments division complete with virtual address and a phone number that only went to an answering service. Prosecuting attorneys requested he be held without bail, which might be a good idea because I imagine he could go along way with the missing $800 million that was given to Westgate Capital.