By Tim Ferguson, 14 February 2007 13:15
Nationwide Building Society has been fined £980,000 by the Financial Services Authority (FSA) for information security lapses.
The fine follows investigations into the theft of a laptop containing confidential customer data from an employee's home last year.
The FSA said it found "the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime". It also found Nationwide was unaware the laptop contained confidential customer information until three weeks after the theft.
A Nationwide spokeswoman told silicon.com: "We accept that we didn't get it right and we apologise for that."
She added: "We do have extensive and sophisticated layers of security in place and on this occasion one of those layers was found wanting and we've rectified that.
"We've put very stringent processes in place to ensure it doesn't happen again."
The FSA acknowledged Nationwide's efforts to rectify the situation and because the building society agreed to a settlement it reduced the fine by 30 per cent - from £1.4m to £980,000.
The building society wrote to all customers at the time of last year's laptop theft, informing them of the theft and reminding them to take steps to keep information secure.
Nationwide said the theft has not resulted in any loss of customer money. It also said the laptop did not contain any customer PINs, passwords or account balance information that could lead to identity theft.
Margaret Cole, director of enforcement at the FSA, said in a statement the authority's swift enforcement action in the case would "send a clear, strong message to all firms about the importance of information security".

Comments
There are 8 comments.
1. Steve Phillips
What the FSA lose sight of, is the fact that it's the customers and investors that will be paying this fine. One way or another, it's always the punter that loses.
2. Lever
My security breach notification from Nationwide came in an unsealed envelope!
However, let's now hope that the FSA comes down just as heavily on the other banks, the ones that are more profit-oriented than Nationwide.
Anyway, what happens with that cool million pound fine? Do the FSA bosses now get new cars, bigger houses and holidays in the sun?
3. anonymous
Can anyone tell me. This fine, who gets the money?
4. anonymous
Seems a bit harsh. I am a Nationwide customer, and felt this lapse was pretty unforgivable given BS7799/ISO17799, but I am finding this level of fine from the FSA inconsistent due to that Christmas Hamper Co., and such schemes not being covered by the FSA.
That Hamper scheme failing pushed more into the arms of loan sharks.
Inconsistency I feel.
5. Ruth
And this is the company that wants to take over the Portman Building Society later this year! As a Portman member, I shall certainly be voting against it.
6. Richard
Typical of “New” Britain: Punish the victim!
As a member of the Nationwide Building Society (a “Mutual” owned by its members, not by faceless shareholders) I've suffered several times over:
First the unfortunate (opportunist?) theft made worse by a breach of regulations; then that ridiculous BBC “Today” interview when an arrogant, ignorant Humphrys kept trying to force Nationwide's CEO to reveal sensitive information which could have made the breach more serious:
Then the unnecessary cost of mailing the millions of Nationwide's Members.
Now this ridiculous fine from the ridiculous, box-ticking FSA which seems to exist largely to feather its own nest.
The publicity has now alerted the thieves to the presence of the information on this laptop; but remember that it is valuable only because crazy government & FSA regulations have made it valuable: Until very recently, old bank statements & utility bills had little value to criminals.
More worryingly, the DWP has recently mailed millions of largely unnecessary “benefits” letters, all containing more information than this laptop. Tens of thousands were sent to the wrong people: Will the FSA now fine the DWP? Will we tax-payers have to pay the fine?
7. Faisal Danka
What guarantee do we have that data did not contain PINs, passwords and account details?
They should release a detailed description of the information that was leaked (not the actual details though).
8. Nigel Kilpatrick
Processes are not just about getting people to sign off pieces of paper. Security processes are about living and breathing best practice all day, every day. People need access to what they should do and how they should do it, so that they can assure the business they are doing the right thing.
Humans need to be told, told and told again what to do, and while businesses fail to invest in compliance life-cycle management, from people to process, these mistakes and resulting fines will continue to occur.
Most lapses in information security and compliance are caused because people do not have simple access to the rules, and until businesses create a life-cycle of compliance, they will be held accountable for their, and their employees', actions.