September 28, 2009 3:07 PM PDT

Google, bank resolve issue over misfired e-mail

by Elinor Mills

A bank that accidentally sent sensitive customer information to a Gmail address and persuaded a judge to order Google to deactivate the account has resolved the issue with Google and the companies have filed a motion to dismiss the case.

Google spokesman Andrew Pederson declined to say exactly how the issue was resolved or to identify the owner of the Gmail account.

The problem began August 12 when a worker at Rocky Mountain Bank inadvertently sent an e-mail containing names, addresses, Social Security numbers, and loan information of more than 1,300 customers to a random Gmail address. When the worker realized the mistake, a subsequent e-mail was sent to the address asking that the recipient contact the bank and destroy the data, but the bank heard no word, according to a MediaPost report.

The bank asked Google for information on the owner of the Gmail address, but Google said the bank had to get a court order to get access to that information. Last week, a judge in the U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied, Pederson said.

"After notifying the account owner, we complied with the court's order. However, after working with Rocky Mountain Bank and the court, we resolved the issue around the bank's error, and both sides have agreed to vacate the TRO and dismiss the case," he said.

"While we regret that the user has been locked out of their account through no fault of their own, we're not legally able to reactivate the account until the court approves our motion to dismiss the case and vacate the TRO," Pederson added. "We're hopeful that the court will act quickly, and as soon as the motion is approved, we'll reactivate the account."

Calls to Rocky Mountain Bank and the court clerk were not immediately returned on Monday.

Update, September 29, 9:35 a.m. PDT: Google spokesman Pederson said the court granted the motion to dismiss the case on Monday, allowing the company to re-activate the Gmail account.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
(32 Comments)
by Pete Bardo September 28, 2009 3:19 PM PDT
But did that worker get fired?
by S3kur17y September 29, 2009 9:05 AM PDT
The worker is not the problem!

It is the policy of the banks that is the problem.

Consumers think that banks are held to some stringent standards to protect their information and that is simply not true.

I have worked with several banks in information security audits, and they are a joke.

It is just a bunch of red tape and paperwork that really does nothing in reality.

Banks could care less about your security. They are just interested in what turns a profit.

Unless some regulatory body steps up and has the guts to really hold banks accountable, millions of people's information will continue to be lost this way.
by knowles2 September 29, 2009 1:55 PM PDT
S3kur17y
Agreed. One of my friends who works for a bank IT department actually told me that it was cheaper to just refund customers the money they lose than to actually build decent security into their system.
The only way to solve such an issue is to make it worthwhile for the banks to properly secure their system. Refunding the money plus double the amount for compensation should do the trick. And while governments around the world are busy rewriting vast areas of finance law, this should be one area they tackle.
by mrcjacobs September 28, 2009 3:38 PM PDT
The fact that the court required Google to delete the account bothers me. This surely opens up the possibility of others having their accounts deleted also if someone, be it a corporation or otherwise, claims that sensitive information was inadvertently sent to an email address. And that doesn't change the fact that the info has been out there for months. If the person that received the email had any plans to do anything nefarious with the information you can best believe it's already been forwarded somewhere else.
by Wild_D September 28, 2009 10:08 PM PDT
They simply deactivated the account, not deleted it. Though your point is still valid, Google said that they would reactivate the account with the court's permission or when the case is dismissed.
by rcrusoe September 29, 2009 3:51 AM PDT
First, I use Google Apps, but the fact that some idiot can get an account closed (deactivated, etc.) by sending an email is enough to make me seriously question using Google or any third party for hosting my email.
by BIGELLOW September 29, 2009 6:48 AM PDT
@rcrusoe,

Even if you host your own email, you aren't immune to the courts. If Google didn't comply, they'd be in trouble with the law. The same thing would happen if you didn't comply if the courts went directly to you.
by n3td3v September 28, 2009 3:39 PM PDT
It sounds to me obvious that Google looked at the statistics for that Gmail account and realized that the account owner had not accessed the email in question, and probably hadn't accessed the entire email account since the rogue email had been delivered to it, and that's why the case is speedily being dropped.
by jc364 September 29, 2009 11:23 AM PDT
Exactly my thoughts. They also could have checked to see if the user deleted the email without opening it.
by zshazz September 28, 2009 3:49 PM PDT
So, let me get this straight... if I email someone sensitive information and tell them to delete it... I can now shut down their email account, even though they did nothing?

This reeks of bull.
by n3td3v September 28, 2009 3:53 PM PDT
It could become a loophole in the law that people abuse to get someone's account shut down because they don't like that person.
by shinji257 September 29, 2009 3:33 AM PDT
I doubt that. This was a bank that sent sensitive information and to get a court order you need a really valid reason. I don't think that you would be able to go to court to just get any email shut down. They would likely throw it out.
by faceless128 September 28, 2009 4:32 PM PDT
so, i can get someone's email account removed with a court order because i screwed up and sent them sensitive information?

sounds like a plan...
by paulej September 28, 2009 9:08 PM PDT
And the account holder can make a plan to sue the bank, too. An email account these days is roughly the same as a postal mailbox. If this account is the person's primary account, this could be extremely disruptive.
by calculatorwatch September 28, 2009 4:37 PM PDT
i just have to say that i seriously doubt this will lead to a bunch of people going to court and convincing the judge they sent sensitive information to someone else's account just to get that person's account closed down

1) it's an awful lot of effort to go through compared to the effort it takes for the victim to just open a new account
2) it relies on a judge not realizing you're being an idiot and just trying to get someone's account closed down
3) and here's the ringer: the account in this case didn't even get closed down permanently, only until the judge dismisses the case

this is an isolated incident and it worked out just fine, why do people have to try to read farther into it when there's nothing else there?
by JunkSiu September 28, 2009 4:41 PM PDT
Because this is a case of someone (email account owner) paying for others' (the bank's) mistake.

I don't see any compensation from the bank mentioned anywhere.
by calculatorwatch September 28, 2009 5:06 PM PDT
yeah, this kind of thing already happened plenty outside of the internet and people are used to it, what's so surprising about this?
the one person that the bank accidentally sent the info to had to have their account temporarily blocked while the information was deleted, and it happened once, it's not as if this is going to become commonplace

and maybe the bank should've compensated the individual, but it sounds like they didn't use their account all that much anyways
by paulej September 28, 2009 9:17 PM PDT
I disagree with argument (1). If I was asked to go create a new primary email address for myself, I would spend the better part of a week going through all of my on-line accounts and notifying contacts of the address change. If I were forced to do that, I'd definitely expect compensation.

And why didn't the person reply? It might be that it was considered spam and/or some kind of new trick to phish for information. Depending on how it is worded, I'd be hesitant to respond. Perhaps worse, I would not respond without first reading over the material completely. Oh, then what? I need a lawyer to protect myself because I have information in hand I ought not have? I might need compensation for that, too ;-)

The bank employee ought to be fired and the bank ought to be punished for sending around this kind of information via email in the first place. Email is absolutely no place to put sensitive customer data, even if it were an internal email.
by shinji257 September 29, 2009 3:34 AM PDT
I usually check suspected phishing messages. I can tell a phishing message that appears to come from a bank from one that actually did come from a bank. On that note I need to look into a text message I got from my bank recently.
by joerickx September 28, 2009 4:45 PM PDT
Excuse me, but before I get down on Google for suspending an account in accordance with a court order, I'd like to know how, EXACTLY, "... a worker at Rocky Mountain Bank inadvertently sent an e-mail containing names, addresses, Social Security numbers and loan information of more than 1,300 customers to a random gmail address." Was the worker just having a bad morning and clicked away at everything in sight, and in the process attaching a file with confidential information for over 1,300 customers to a "random" gmail account? Why was a worker in a Bank signed on to Google in the first place? Doesn't The Rocky Mountain Bank have any Internet security policy or network safeguards to protect their customers from ******* employees? I'm sorry, this isn't about some innocent person's gmail account being deactivated, it's about a huge corporation that has no way of protecting their customers' personal information from being broadcast all over the Internet.
by Dalkorian September 30, 2009 9:07 AM PDT
Bullseye. Nice shot.
by dougbugl September 28, 2009 5:29 PM PDT
joerickx is onto something but I doubt the employee had to be "logged onto Google" because you can send email to someone without being logged into their domain. But what really surprises me is the bit about emailing bank documents which are not encrypted. No bank document with any kind of financial or account information should be going out in email. It is like sending a postcard, there's nothing keeping anybody between the two locations from seeing what is in the email. The Google email account was just the destination, what about all the routes it took to get there? Is the bank asking for all those email computers and servers to be shut down because this document went through them and could be duplicated anywhere along the line?

The guy/girl with the email should be talking with a lawyer and smiling at how much money they can make from this bank. All they have to do is start contacting each name in that email and ask if they want to be part of a lawsuit. Idiots need to be fired for these things and businesses need to pay for being so ignorant of security.
by glwxieus September 28, 2009 6:17 PM PDT
Why isn't someone covering the REAL story here? Namely how can ANY bank EVER send ANY information WITHOUT encryption? How many servers did that information pass through on its way to the GMail account? The entire banking industry should be held accountable for such shoddy security!
by cchanote September 29, 2009 2:55 AM PDT
I think the bank needs a better email server; there are existing email servers that can detect sensitive information before actually sending it out. Also, things like device access control can come in handy in protecting against this kind of error.
by knowles2 September 29, 2009 2:01 PM PDT
The first thing I thought when I read this article.
by iceberg020 September 29, 2009 7:03 AM PDT
ahhh, i was wondering why i can't get into my gmail. stupid bank
by jc364 September 29, 2009 11:24 AM PDT
"Hey guys, Gmail's down again! Is pop3 working for you guys?"
by S3kur17y September 29, 2009 9:01 AM PDT
I have worked with banks a lot.

And I can say for certain that they are to blame in incidents like this.

Most Banks could care less about your security, they only care about what turns a profit!

That is the truth....

http://www.securitt.com
by jc364 September 29, 2009 11:44 AM PDT
If it had been my account, I would have been ticked. And since I use pop3, I would have a local copy of the email anyways. And when my account got shut down, it would be VERY tempting to post the email on bit torrent. At the very least, I would have sued the bank for invasion of privacy.
by jc364 September 29, 2009 11:47 AM PDT
before I get any angry responses, I should say that I wouldn't ever spread others' personal info just to get back at a stupid company with lax security measures. A better solution would be to send an email to every individual whose data was compromised, and recommend they sue the crap out of the bank.
by setjeff15081947 September 29, 2009 12:25 PM PDT
Let us see now? The dumb clerk at Rocky-Mountain sends the sensitive data to an unsuspecting, and probably harmless, Google-Mail-Account. Conclusion --- Punish the Innocent. Mr. Huxley must be laughing himself silly, because this is most certainly his "Brave New World". Or should we contact Mr. Orwell and get an update on "Double-Think"?
by DanP243 October 30, 2009 3:51 PM PDT
I just accidentally sent a confidential spreadsheet with sensitive information to Rocky Mountain Bank, at the address listed for the CEO on their web site. Anybody have any advice what I should do now that that bank has my file?