Thursday, August 28, 2008

$75 sale - 1 million customers' details; includes sample signatures


A computer bought on eBay for £35 ($75.00) came with the added bonus of bank records for 1 million American Express, NatWest and Royal Bank of Scotland customers.

The bank records included bank account numbers, phone numbers, mothers' maiden names and signatures.

The surplus computer sold on eBay did not belong to any of the banks but to Mail Source, a data processing company which recently purchased Graphic Data, a financial data processing firm.

The Graphic Data web site proudly announces their new owners: “The document processing business of Graphic Data UK Ltd has been acquired by MailSource UK Ltd with effect from 1st April 2008. MailSource UK is a well established and regarded supplier of innovative, technology driven solutions for outsourced digital mailroom management and document management services.”

Graphic Data are listed as suppliers on the UK government portal and profile themselves with “Our quality-assured, best practice solutions encompass the entire document lifecycle, from digital mailroom, through automated document workflows to archiving and storage.”

Given that Graphic Data’s core business is to hold financial information for banks and other organisations, the value that can be leveraged from the April acquisition must now be severely challenged.

It is not that the British don’t take data security seriously: last year, Nationwide Building Society was fined nearly $2 million after a laptop containing private customer data was stolen from an employee's home.

Given the risk to brand, profit and regulatory penalty it is worth noting that it is not only the UK banks that are struggling with data-management failures; the UK government admitted in November it had lost confidential records for 25 million Britons who receive child benefit payments, and in January, the Ministry of Defence revealed that a laptop with details of some 600,000 people interested in joining the armed forces had been stolen from a naval officer.

The first time a major adverse outcome happens it could be an accident; the second time it happens there is a good chance your processes are playing a part in this – the third time … well we have all the evidence we need that it is our business processes that are producing the outcome.

The good news is that if it is your business process that is contributing to the problem, you have control and corrective action options – it is your business process, you can change it right now and start reducing the risk of a repeat failure.


REFERENCE:
http://www.smh.com.au/news/technology/customers-bank-details-sold-on-ebay/2008/08/27/1219516507005.html
http://www.graphicdata.co.uk/
http://canadianpress.google.com/article/ALeqM5iYgBHThaj1Z6LZYf4N8mJU5mte9w
http://www.planningportal.gov.uk/england/government/en/1115314841753.html

Monday, August 25, 2008

AUD$8.1 Million Fine - Unsafe Aircraft



If you were flying American Airlines during the busy Christmas period you were most likely very happy if your plane got off on time and grateful that you made it to your Christmas parties on time.

If you knew they were able to be so available and meet their schedule because they had delayed maintenance of the airplane, you may have been just as happy to wait a couple of hours.

CBS News reports:
“The Federal Aviation Administration said Thursday it is seeking $7.1 million from American Airlines for continuing to fly airliners after safety problems were reported and for drug-testing violations.
The Texas-based airline delayed repairs on two MD-80s — a mid-sized airliner — after problems were reported with their autopilot systems and flew them 58 times in violations of federal regulations, the FAA said. "The FAA believes the large total amount of the fine for these violations is appropriate because American Airlines was aware that appropriate repairs were needed, and instead deferred maintenance," the agency said in a statement.
"In intentionally continuing to fly the aircraft, the carrier did not follow important safety regulations intended to protect passengers and crew."

It is difficult to believe that airline executives could consider the safety risk and an AUD$8 million fine worth it, but they clearly did; these types of regulatory requirements are no secret in the airline industry.

The New York Times reports that American Airlines “deliberately flew two planes 58 times in December with broken parts that made them unsafe to operate under certain conditions and ‘not airworthy.’”

When things escalate to the level that "not airworthy" planes are being sent out full of passengers and crew 58 times, you have to question the level of commitment to good governance.

The culture should have presented other evidence of environmental inducements encouraging indifference to compliance and good practice.

If there ever was an event that would prompt you to consider making some real cultural change, paying off an $8 million fine should at least cause some pause for reflection.



Thursday, August 21, 2008

The Privacy Issue - Chief Justice Gleeson


While the privacy legislation that is currently under review (see earlier posts) may be seeking to increase regulation and penalties for SMEs, Justice Gleeson appears to suggest that the boundaries of what is “private” may need to be rolled back rather than expanded.


The National Press Club was the venue for the Chief Justice of the High Court, Justice Gleeson, to deliver his final public address. During this address he said that he had begun to change his view that "certain things … were self-evidently private". "The ground seems to me to be shifting," he said.


"I used to think that having a telephone conversation was normally private. But you can't walk down the street without hearing a number of telephone conversations, some of them with people speaking loudly because of the noise of the surrounding traffic … When you look at the kind of information that people publish about themselves, it makes you wonder," Justice Gleeson said.


Graham Greenleaf, an expert on privacy and information technology law at the University of NSW, said that legal definitions of privacy were "not static" and new technologies had enabled people to be increasingly willing to disclose information that would once have been considered private.


"The widespread availability of communications technologies that allow individuals to publish information about themselves that can be accessed by others is unprecedented in our society," Professor Greenleaf said.


The privacy issue does not look like it is going anywhere, so ensuring that the business process that provides governance for how information on suppliers, customers and employees is collected, stored and used is likely to become a much bigger issue for enterprise-size organisations and SMEs alike.

Monday, August 18, 2008

Press Delete! – Data Security Breaches


In April this year it was reported that the HSBC banking group offices in Southampton had lost a computer disc with the details of 370,000 customers.

The lost customers' details included their names, dates of birth, and their levels of insurance cover.

But you don’t need to lose a disk to have a security breach: deleting data from old laptops and servers when they are disposed of is not as easy as it sounds, and failure to do it right can create a window of opportunity for your confidential data to be retrieved and end up as tomorrow morning’s headlines.

It is important to have a specific data-erasing procedure and to get some help with the process to ensure your data is definitely deleted – it is not a matter of just pressing “delete”.

Bill Taylor-Mountford, general manager of Acronis, says: "Deleting data leaves a fingerprint, or a ghosted image. With the right tools, specialists can recover the data after it has been deleted. That's why some software-wiping algorithms use 35 passes to destroy data."

Milton Baar, director of IT Security consultants and committee member representing Australia for ISO27001, the international standard for information security management, says this about Australian organisations: "They need corporate governance practices, which cover information security issues."

Inadvertent data security breaches are a big issue, and if you have one you may have to report it publicly to the authorities.

On 16 June the Office of the Privacy Commissioner closed submissions for its Draft Voluntary Information Security Breach Notification Guide.

Major enterprises including IBM Australia, National Australia Bank, Telstra Corporation Limited, Microsoft Australia, Suncorp-Metway Ltd and Unisys have made submissions.

The big government departments like Centrelink, the Department of Human Services, the Inspector General of Intelligence and Security and the Australian Tax Office have also weighed in.

Thursday, August 14, 2008

Privacy Act Changes - increase data-management costs


The Australian Law Reform Commission yesterday (13 August 2008) released a 2,700 page report recommending changes to the Privacy Act.

The impact of the proposed changes on enterprise operations goes way beyond controls on ensuring security when you record credit card details; it affects your business process for the collection, storage and use of all information on employees and customers.

The recommendations include the removal of the current exemption in relation to employee records and the expansion of the scope to new media, including email address and web address information.

Ian Jordan, a senior associate in workplace relations at Mills Oakley Lawyers in Melbourne, notes: “The biggest impact will be on business. The proposed changes to the Privacy Act will significantly expand the scope of privacy requirements for business and government”

If the proposed changes are given effect, enterprises that allow information to be used in ways other than it was intended face stiff fines for breach of the law.

The proposed changes even outline that information can only be disclosed for the enterprise’s primary or related secondary business purposes, and specifically address information collected in an obtrusive or unlawful way. Trans-border data flow and the personal information of young people are also addressed in more detail.


If you have nothing to do for 3 or 4 weeks … you can download and view the report and its recommendations HERE.


Monday, August 11, 2008

Human Error - Navy Medical Evacuation


ABC News reported today: “Leading Seaman Michael Bass, 22, was seriously injured while on patrol last year on Thursday Island, off far north Queensland, but was kept on the island for three days without follow-up medical attention.”

The family of Leading Seaman Bass reported that a Navy review confirmed appropriate procedures were in place but human error resulted in Leading Seaman Bass waiting 3 days for medical treatment.

Human error occurs as a factor in many major incidents, maybe not the major root cause but often a significant contributing factor. Human error is not code for blaming someone: in the Navy, and in all other enterprises, individual workers are balancing many pressures at any one time; they work in complex environments with many competing demands.

No one in this situation has a pocket manual that they whip out every 5 minutes to tell them what to do next; they need to make decisions that weigh up the pressures and competing demands on them.

When a significant near-miss occurs (Leading Seaman Bass is reported to have been “near death” by the time he received treatment in Darwin Hospital), the opportunity to objectively analyse the competing demands on individuals can lead to real systemic change.

We use the RAID™ human factor analysis model. In the RAID™ model, unwanted human behaviour is a consequence of one of three factors:
- Individual purposeful decision not to observe the requirements (intentional error)
- Individual physical or mental mistake (mistake)
- Individual response to an obstacle to appropriate behaviour (progress blocked)

The first option is rarely the reality for day-to-day operations and often provides limited opportunity to develop a systemic response – the other two options are more common: a person just slips and hits the wrong button, or attempts to follow procedure but one or more of the resources for the next step is not available, so they are required to rely on their individual creativity to find a solution that works around the designated procedure.

The RAID™ approach is a process to analyse these incidents; the factors are analysed across four dimensions:
- Requirement: how was the requirement of the task/function specified to the individual?
- Assignment: how was the task/function assigned to the person; did they know it was clearly their role to act?
- Inducements: were there inducements in the environment that encouraged the person to make poor choices, i.e. time pressure, pay reward on volume not quality, past expectations that the rules would be overlooked when under time pressure?
- Disposition: if the person was required to creatively problem-solve and find a solution that worked around the procedure, were they experienced and mature enough to make those decisions in an informed way?

By analysing human error in a structured way it is possible to deploy changes that will bring systemic returns. The lessons learned from a near miss can be translated to real change in the workplace and the near-miss never becomes a critical incident.

Thursday, August 7, 2008

$1Billion - getting NAB’s technology right


NAB is certainly taking the strategic view in terms of its automation risk management, announcing a $1 billion program (over 5 years) to overhaul its technology platforms.

We posted during July on the payroll processing failures at Westpac and NAB, each of which impacted on service delivery to millions of people.

The overhaul of the technology platform will position NAB for a more aggressive assault on the internet banking market share of its competitors.

The move by NAB follows on from an earlier commitment by the Commonwealth Bank to a $580 million core banking modernisation project to speed the development of new online products.

A benchmark business process is a benchmark business process; regardless of the application. The management of process failure risk and error in one industry sector is very similar to management of process failure risk and error in another industry – the subject matter may change but the process and principles of good practice do not change.

Referring to our earlier post on Harvard’s Professor Andrew McAfee’s views on IT deployment, the IT budget breaks down into:
1. Function IT - supports execution of tasks, i.e. spreadsheets, CAD.
2. Network IT - supports collaboration and connections, i.e. e-mail, wiki, blog.
3. Enterprise IT - specifies a business process, i.e. defines tasks and sequences, mandates data formats; use is mandatory.

This type of deployment fits into the Enterprise IT and really creates an opportunity for the individual Banks to create unique competitive advantage through process innovations.

Getting the right technology aligned with the right deliverables and the right people is the change management challenge for large enterprises; as the payroll processing failures have demonstrated, the margin for error is extremely small when the volume of transactions is high and customer expectations are 100% reliability.


REFERENCES:
http://www.australianit.news.com.au/story/0,25197,24141373-15306,00.html

Andrew McAfee’s Blog: http://blog.hbs.edu/faculty/amcafee/
HBR Article: http://harvardbusinessonline.hbsp.harvard.edu/hbsp/hbr/articles/article.jsp?ml_action=get-article&articleID=R0611J&ml_page=1&ml_subscriber=true

Monday, August 4, 2008

Qantas – “There was no systemic error behind the incidents”

Today’s Sydney Morning Herald reported that Qantas chief executive Geoff Dixon said “there was no systemic problem behind the three incidents.”

This was followed by CASA spokesman Peter Gibson saying “there is no evidence that safety standards at Qantas are dropping.”

Given the last 10 days of media coverage, is this just spin or do the statements stack up against the publicly released facts?

Root cause analysis theory holds that good governance requires an organisation to maximise all opportunities for corrective action by creating windows that prevent a system failure from escalating to the point where there is an adverse outcome.

It is unrealistic to expect that adverse unexpected changes will not occur in a dynamic and changing environment; airline operations are complex, with hundreds of airplanes taking off and landing every day. There is a continual dynamic of engineering and human factors in play that are bound to come together at some time in a way that is unexpected.

What is realistic to expect, from a governance and safety perspective, is that Qantas, and any other organisation, will have pre-planned and taken precautions to ensure that there are many barriers that prevent a failure from escalating to the point that passengers are at risk.

At each moment in time every opportunity to create a window for corrective action needs to be taken.

When the oxygen bottle exploded (the current theory) on the Boeing 767 last week, the crew are reported to have responded in a well-trained way: the 767 dropped to 10,000 feet (breathable air), landed safely at a nearby airport, and all crew and passengers were able to leave the plane safely.

In addition to finding out why the oxygen bottle exploded, the investigation team is sure to explore the reported failure of oxygen delivery to the passengers’ face masks.

If the 767 had been flying at a higher altitude and taken longer to drop to 10,000 feet, the incident may have exposed a latent risk where there is only a single source of back-up oxygen for passengers, and this may have resulted in an adverse safety outcome. The investigators will also no doubt be looking to ensure that there is more than one source of back-up oxygen for the flight deck – even though this was not a reported risk during this incident, the consequences are evident.

In relation to the second public incident, QF19 to Manila sprang a hydraulic fluid leak. From the publicly available information, Qantas had appropriate safety precautions in place and responded in a well-trained, appropriate manner.

To prevent a failure escalating they are reported to have had two back-up hydraulic fluid systems; they acted immediately to land and disembark the passengers; they dumped fuel (in order to reduce landing risk). All in all, from a safety perspective, the reported information indicates that they responded as any responsible organisation could be expected to.

The front-page Sun-Herald photograph of QF19 with smoke coming out of the right-hand engine did not look that comforting for prospective passengers, but there is nothing in the report to indicate the Qantas response was anything other than appropriate.

Clearly the RCA for this incident will now look at why the hydraulic fluid was leaking and seek to address that in a systemic way, i.e. a maintenance procedural change or a change in the schedule for replacement of hydraulic fluid system parts (maybe the age of the aircraft requires a more frequent maintenance schedule).

While Qantas’s new CEO may have hoped for a more relaxed introduction to his transition from Jetstar to Qantas, the public reports on the incidents over the last 9 days have not revealed any item that indicates systemic failure; unless something else comes out as part of the investigations, Mr Dixon and Mr Gibson appear to be backed up by the reported facts in their safety assurances to the public.


REFERENCES:
http://www.smh.com.au/news/news/qantas-the-safest-airline-probably-says-ceo/2008/08/04/1217701907795.html

http://www.abc.net.au/news/stories/2008/08/03/2322458.htm?section=justin