By Will Sturgeon, 27 March 2007 11:00
UK high street bank Halifax has admitted that documents stolen from one of its employees contained data on 13,000 mortgage customers.
The documents were in a briefcase stolen from the locked car of an employee last week and the bank yesterday started writing to affected customers, after first reporting the breach to the Financial Services Authority (FSA) and the police.
Around 1,800 of the 13,000 customer records exposed by the theft included name, address, mortgage account number and account balance. The remainder included name, mortgage account number and approval status.
According to a spokesman for Halifax: "It would be almost impossible for any fraud to be committed with the information on the printout."
However, the bank, part of the HBOS Group, has promised: "No customer will be left out of pocket in the very unlikely event of fraudulent activity on their account following this unfortunate theft."
The theft further highlights the risk of taking data outside the organisation, whether in digital or hard-copy form. In this instance the employee was intending to use the data during meetings with mortgage intermediaries.
Proponents of encryption have argued that any sensitive data should travel in encrypted form from point to point. A spokesman for encryption experts PGP said he found the decision to cart around printouts of 13,000 customer records, protected by "nothing more than a briefcase lock", a strange one.
He said: "When people set up a security policy there are many steps to it and one of them will be the physical aspect in terms of what form you carry data in. Nowadays with the ability to manage this information much more easily on removable media with encryption whether that is on a USB or a hard drive or whatever makes sense, why would you take this as a hard copy?"
Shane O'Riordan, general manager of group communications at Halifax, said lessons have been learned, adding: "We are reviewing our procedures as a matter of urgency."
However, the PGP spokesman said Halifax should be praised for "doing the decent thing and notifying people", despite there being no requirement on UK companies to do so.
Earlier this year the Nationwide building society was fined nearly £1m by the FSA after the theft of a laptop exposed customer data.


Comments
There are 5 comments.
1. Babur Mirza - QCC Information Security
This story has a depressing familiarity, coming less than two months after the exposure of Nationwide's similar security flaws. The rise of the "digital native" and the blurring of private and professional lives is going to continue to be a big problem for companies. It will be counterproductive for companies to try and enforce old-style rigid systems of security in an age where mobile phones, PDAs and memory sticks are widespread. Basically, companies need to go back to basics and review their general operational risks. If risk assessments were adequately undertaken, then they would question the business need for the storage of the customer record information on a mobile device, especially when remote access to the data stored at a central secure location is entirely possible to achieve. What is the business justification for an employee to have such a large amount of confidential customer details on a laptop? Whilst Halifax's swift response is admirable, particularly compared to Nationwide's three-week lag, their protestations that of the 13,000 customers affected only 1,800 had the name, address, mortgage account number and balance still reflect a serious problem. The fact that the information which has been stolen would not be of use to a financial fraudster is almost irrelevant, since customers will not offer their trust to organisations which cannot guarantee to protect them.
2. anonymous
I hope that whoever is responsible, employee or manager, is no longer employed by them.
As an HBOS customer for both mortgage and banking, if I am one of the customers whose information has been stolen I will soon be an ex-customer of theirs.
3. Ruth
Human error (carelessness, stupidity) will always occur but Halifax have contacted the FSA, are contacting customers & reviewing security procedures, all within a couple of days. They're doing the decent thing so good for them & let's hope there aren't any further repercussions.
4. Jeremy Robinson
Banks are pretty casual with their data, so we can expect government departments to be worse.
Has anyone the remotest idea how an ID card could help when the basic controls are so lax?
5. anonymous
Printouts containing details of 13,000 accounts! Shame on the Halifax. How many trees got felled for that? Sensitive data should be kept on disk and encrypted. Why does all that information need to be passed around anyway? So much for privacy and security. Don't bother buying a personal shredder. What is the point? The banks and building societies are the ones who are helping criminals to commit fraud.