Bank of Ireland: “we don’t understand fraud”
Check out this logic from the Bank of Ireland, spotted by waider in today’s news:
Last week, the bank said that medical records, bank account details, names, addresses and dates of birth of 10,000 customers were on the laptops. [...]
Bank of Ireland said an assessment had concluded that the risk of fraud arising from the thefts was ‘very low’, as the data on the laptops did not include bank account passwords, PINs or copies of signatures.
So a fraudster would have medical records, bank account details, names, addresses and dates of birth of 10,000 customers, but the risk of fraud is ‘very low’? Incredible.
Update: make that 30,000 customers.
Update 2: 31,500 customers, and a sample letter.

Kevin said,
April 28, 2008 @ 4:59 pm
I assume that’s because BOI’s exposure to fraud is limited to that on accounts held with them. They’re not held legally responsible for identity theft perpetrated elsewhere using that info. (Even if they should be.)
On that note, what do you all think is the most egregious type of fraud that’s enabled by the type of information stolen?
Justin said,
April 28, 2008 @ 5:15 pm
I’d say the most egregious would be use of the card along these lines — card details stolen, used to buy flights, high-end resaleable consumer goods, or other high-value things that can be bought online without a PIN or signature. This would be the stuff the BoI might have noticed.
In the US, it’s common for stolen name/address/SSN/date of birth info to be used to acquire new credit cards in your name, which are even more exploitable. This would be unnoticeable to the BoI, since there’s no connection to their existing accounts. I don’t know how viable that kind of fraud is in Ireland, however.
Justin said,
April 28, 2008 @ 5:26 pm
btw, note that they’re not quoted as saying that the risk of fraud against their accounts is ‘very low’; they’re quoted as saying the risk of fraud, in general, arising from the leak is ‘very low’.
Kevin said,
April 28, 2008 @ 7:38 pm
That’s true. And going against Hanlon’s Razor* I’d bet the explanation is that they just don’t care about external fraud - they’re only looking inside their walls - and so the risk is “very low”. I’d hate to think that they’re actually that ignorant / naive! (But they probably believe the majority of their customers are.)
(* “Never attribute to malice that which can be adequately explained by stupidity.”)
Edward Lansink said,
April 30, 2008 @ 10:52 am
“I’d hate to think that they’re actually that ignorant / naive! (But they probably believe the majority of their customers are.)”
I’d say it’s a PR exercise for damage control… and one which I hope will backfire. They do probably believe the majority of their customers are naive, and the worst thing is the majority of their customers could be gullible enough not to take any action.