If you ever wanted a perfect metaphor for IT security, watch Star Trek. Go ahead: bust your ass for your entire career, be the top of your class on the flagship of the fleet; when things start going bad because of a management decision you had no say in, you’re going to get killed and nobody in the next episode will even remember your name. Remember Galaxy Quest? “Let’s get out of here before one of those things kills Guy.”
Because really, nobody cares about security.
Well, some of us do. And some of us that do, regardless of our best efforts, will still get screwed, because there’s not much you can do if your bank doesn’t.
Sweet Jeebus. To sum up, an American scrapyard owner has had to go to court in Maryland to prevent the CIBC from sending him any more of its clients’ confidential transaction information. No kidding. How does the mind boggle? Let me count the ways:
- The CIBC handles internal branch-to-branch communications by unencrypted fax. In terms of modern information technology, this is like sending your cave drawings via brontosaurus express. It is two trilobites tied together with a long string. I realize that things get pretty hectic between 10:00 and 4:00, but you guys might want to take a look at the landscape; the world’s changed a little since 1978.
- Apparently, nobody bothered to ask what actually happened to all those faxes with people’s names, addresses, phone numbers, bank account, SIN numbers and signatures that were sent to somewhere but never received at the other end.
- The guy receiving all this stuff called the CIBC in 2001, as in “2004 minus 3” to tell them about it, and got the brush-off.
- The CIBC claims they responded to Mr. Peer in 2002, and thought the problem was solved, a thinking that apparently didn’t involve “checking”. Nevertheless,
- The bank is now spinning for damage control, saying that the guy they were accidentally sending extremely-private faxes to “failed to co-operate with CIBC’s attempts to solve the problem”, a sure sign that they know that this is huge-for-sure.
The enormity of a fuckup like this defies description; even so, the CIBC should wonder how lucky they were that his next phone call wasn’t directly to the Mob, who would have been more than willing to help him out. It wouldn’t surprise me to hear that a full third of the CIBC’s legal department actually soiled themselves reading the Globe & Mail today.
“Boss, I read the Globe & Mail this morning, and I’ve soiled myself. I have to go home and change.”
“Take a cab. Expense it. On your way back, you should let your wife know that you won’t be home for dinner for the next five years.”
At a guess, I’d say that the CIBC is about to get taken to court and ridden like a pony. I don’t know if there’s one word to describe what happens when a major corporation gets gang-raped by an army of extremely excited lawyers set in the twin pursuits of justice and fat sacks of bank money while the national privacy commissioner is nearby cracking a bullwhip, waving a Stetson around his head and yelling “Yeehah!”, but if I did, this is exactly where I would use that word. I bet there’s one really long German word for it that they don’t use much.
I don’t know who’s in charge of information security at CIBC, but I’m betting nobody; a Tickle-Me Elmo doll in a blue blazer could probably have kept this one at bay. But let me get back to my original point about redshirts just in case whoever’s given that vacant-either-way job next is reading this: if you are in charge of security, and you can’t say “no” to management, then you are not in charge of security – you are in charge of being the fall guy.
Just once, I would have liked to see a redshirt say no.
UPDATE: He was still receiving missent faxes yesterday. So the CIBC has banned faxes completely, and they’re going to courier everything. Yeehah!
Update 2 – The Comedy Continues: “Courier service is something we’ve had since the 19th century,” said Robert Waite, a spokesman for the bank. “It works fine. It may take somewhat longer, but it’s actually an efficient system.”