Bank sends woman 75,000 statements

How big do you think the envelopes were? The BBC reports:

An Aberdeen woman who asked for her bank statement was sent those of 75,000 other customers.

[…]

HBOS said in a statement: “We are treating this matter very seriously and are investigating in full.

“This is a very specific, isolated incident and we will take steps to ensure there is no security issue for customers as a result of this matter.

What control would be the best fit for this mistake? Match the account address to the mailing address? Require customer re-verification if the number exceeds a certain buffer of statements?

Perhaps what is most strange about this case is that it happened through the regular post. We all worry about exposing accounts in the digital world because the controls are virtual, so it seems hard to believe that a system could screw this up in the paper/physical world.

The Science of Investigations

Fire investigators rely on a lot of scientific theory, and instinct, in order to conclude whether an incident was intentionally caused. But what if the scientific theory is based on its own assumptions, which have not been properly assessed? I was just reading an article that mentioned John Lentini’s work and found reference to his research of the 1991 Oakland fires:

How can you tell if a fire was caused by arson? For years, fire investigators were taught to look for key “indicators.” Crazed glass, melted copper wiring, and melted steel were all said to indicate an unusually hot fire, consistent with the use of accelerants. Uneven burn patterns were said to reflect multiple ignition points, another indicator of arson. This conventional wisdom of fire investigation appears in textbooks and provided a “scientific” basis for expert testimony in thousands of cases.

In their provocative article, John Lentini and his colleagues argue that the conventional wisdom of fire investigators is simply wrong. Their analysis of 50 homes burned in the 1991 Oakland Hills fire (a wild fire) showed a high frequency of traditional “arson indicators” where arson clearly had not occurred. Lentini and colleagues suggest that fire investigators have not realized the error in their conventional wisdom because there have been few careful, empirical studies of the results of “naturally occurring” fires.

This makes a lot of sense. The more you understand the baseline, the easier it should be to find the anomaly. Without a baseline, anything can seem anomalous, even the norm. Lentini, Smith and Henderson explained this nicely in their report “Unconventional Wisdom: The Lessons of Oakland”:

If someone was seen running from the house with a gas can, or if a fireman can reliably testify to two distinct fires within a structure, then it is not necessary to call a fire undetermined simply because previously accepted conventional indicators have proven untrustworthy. While this approach casts a wider net, calling a fire incendiary based on melted copper, apparently melted steel, and crazed glass, has no scientific basis.

Conventional wisdom which associated incendiary fires with these indicators was based on coincidence and anecdotal evidence, and investigators should not factor these artifacts into their conclusions.

Dolphin Skin

Pete Melvin sails his latest International A-Class Catamaran (the A3) at the USA Mid-Winters in Islamorada, Florida. The bottoms are black from nanoparticle “dolphin skin” paint.


Not totally sure if it is the same stuff, but the information about dolphin skin is interesting:

Karen L. Wooley, Ph.D., professor of chemistry at Washington University in St. Louis, has noted the shape and texture of dolphin skin and how it naturally prevents marine creatures from clinging to dolphin skin. The observation fits into her study of finding ways to mediate interactions between biological systems and synthetic materials, designing chemical “functionalities,” or groups of atoms, that either promote or discourage binding between them.

A-Cats provide industry-leading innovation without breaking the bank…no super-yacht or super-tanker required.

And I just had to make this a security post since Bruce recently wrote about a giant squid that attached itself to a sailboat. Plus, I guess you could call it an access control, although Pete’s using it for speed.