By Tom Espiner, 14 November 2006 08:40
The theft of a laptop containing Nationwide Building Society customer information is being probed by the Financial Services Authority (FSA).
The laptop was stolen from an employee's house in a burglary in August. Both the FSA and Nationwide have refused to say exactly what data was stolen. According to Alan Oliver, Nationwide's head of external affairs, the laptop contained "limited customer information for market research purposes".
The building society is willing to say what has not been stolen. No PINs, passwords or information about financial transactions were contained on the computer, and no account details such as customer names, account numbers or sort codes were compromised, according to Oliver.
However, there is a chance the limited customer data stolen could be linked to other information about individuals and used for identity fraud.
The building society would not say how many customers' details were contained on the stolen laptop. It is in the process of writing to all of its 11 million UK customers to outline the security measures they need to take as a result of the theft.
Nationwide insists any victims of identity fraud will not suffer financial loss as it has a policy of reimbursing money stolen.
Authorities, including the police and the Information Commissioner, have been informed about the loss of the data. The building society said it could not give any details of the burglary as that could compromise the police investigation. However, it said the police believe the crime was not targeted and was probably opportunistic.
Following the incident, Nationwide has taken "a number of different steps to increase security", although it would not provide details of these steps. It also refused to comment on its security policy regarding laptops, and whether encryption was used to protect the data.
The employee who had the laptop stolen may not have been acting in accordance with Nationwide security policy, according to Oliver. "We're looking at our procedures as we speak. It appears that all procedures may not have been complied with," he said.
Although Nationwide was keen to play down the severity of its security lapse, the FSA - which regulates the banking industry - is currently investigating the incident.
An FSA spokesman said: "We're continuing to discuss with Nationwide the incidence of a loss of data. Our principal concern is to minimise the risk to consumers.
"Along with other authorities including the Information Commissioner and the police we considered when and how Nationwide should communicate with customers on this issue in a way that minimises any potential misuse of the data. We discussed what Nationwide needs to do to alert customers of the fact that data had been stolen."
While the FSA refused to comment on the nature of the data stolen, it said the very act of alerting affected customers could have further compromised their security. This indicates the data stolen could be used by criminals if linked to customer names or addresses.
Tom Espiner writes for ZDNet UK

Comments
There are 19 comments.
1. anonymous
"The building society would not say how many customers' details were contained on the stolen laptop. It is in the process of writing to all of its 11 million UK customers to outline the security measures they need to take as a result of the theft."
And the theft was in August - As a customer this is the first I've heard of it - hope any fraudsters aren't quicker than Nationwide to act!
2. Gary Clark
Once again, a laptop containing confidential consumer data is stolen, and the need for stricter security for mobile devices is highlighted once more.
'Random thefts' or loss of laptops and other physical assets inevitably occur, however, if access to the data on these stolen items is protected, for example through encryption, this information will remain protected and out of the reach of criminals.
3. anonymous
I have several accounts with Nationwide and find them generally very good. I contacted them about this matter and asked if any of my details had been compromised, i.e. name, address, email, telephone numbers etc. I received a very bland response, almost verbatim with this article. Nationwide raised the question of ID Theft, well forewarned is forearmed, but Nationwide doesn’t see it like this when it comes to letting you know what personal details are on the laptop.
Nationwide may insist that any victims of identity fraud will not suffer financial loss as it has a policy of reimbursing money stolen. I understand this to be a loss due to ID Theft from ANY bank, building society, lender or credit card issuer, and not just Nationwide accounts. I hope Nationwide has the same understanding.
4. anonymous
If Nationwide ARE indeed communicating with their 11 million strong customer base on this incident - then this is going to cost upwards of GBP22M to them - minimally GBP2 per person assuming of course no-one phones in on the customer care lines - then the costs go thru the roof.
Makes you think - if they'd spent a fraction of that on introducing and enforcing strong security policies and technology, they would have saved themselves a fortune.
Assuming, of course, that they are actually communicating with their customers - I for one have 3 or 4 Nationwide Accounts and have had absolutely NO communication at all!!
Skeptical - Uh huh
5. anonymous
H'm - let me see - laptop stolen in August. Nationwide getting round to contacting customers mid-November - and only after the theft has become public knowledge. Seems to be a slight lack of responsibility, a slight lack of customer care there. And when can we expect these letters to arrive? I've got an account with them and certainly haven't had any letter.
6. anonymous
I know someone who was contacted by Nationwide yesterday regarding fraudulent use of their credit card. This is the first time it has happened to them and the fraudsters had used some information that would not have been available from just a card swipe - I was trying to work out how they got this information and now it's very apparent.
7. anonymous
I'm also a Nationwide customer & have heard nothing from them either so I've emailed them & asked them when exactly are they sending these letters out. IF I get a response I'll post it as another comment here. I'd recommend that all Nationwide customers who haven't been informed email/phone the company & then maybe they'll take it seriously. August, mid-November - rubbish!
8. anonymous
Gary of Camberley is right. It should have been encrypted.
I was considering using Nationwide when I defect from First Direct due to the charges.
Bad timing or what.
9. anonymous
Sensitive data on a mobile device?!!
I have 5 accounts including a credit card plus mortgage with them so feel particularly vulnerable.
Surely the cost of checking credit history for an account holder should fall with Nationwide?
It is unbelievable, sack the IT Director, what in God's name was he thinking allowing sensitive information to be stored on a mobile device.
Basic Lesson in IT security;
Do not store sensitive data on a mobile device, it should be secured in a centralised Data Centre and accessed securely remotely NOT on a local PC or laptop.
I take it all fraudsters will be applying to the Nationwide for a job because of the shocking security..... so for all you fraudsters out there forget the cash machine send your CV to the IT director, c/o Nationwide, probably be more lucrative....
10. anonymous
Nationwide claims that "no PIN numbers, account passwords or memorable information was on the laptop."
Well what a comfort - that only leaves:
11 million....
Full name and all initials - possibly also maiden names; Sex; Address & Postcode; Credit rating; Type of account; length of loan period; Annual income of account holder; nature of account holder's occupation; possibly also medical conditions; amount of mortgage/loan / deposit; date account was opened; details of joint accounts; details of communication with Nationwide; rating of 'value' of customer to Nationwide in marketing terms.
Maybe you too can think of items of data which may have been held. Obviously much more extremely valuable 'information' can be derived by mining the available 'raw' data.
It is outrageous that bank employees are allowed to carry ANY sort of customer data on laptops - let alone take them home. On the limited public information available this would appear to be a GROSS breach of the Data Protection Act. Nationwide should be banned from trading if it treats its customer data with such gay abandon.
I do not have an account with Nationwide - but I'm surprised that 11 million other suckers have not already closed their accounts.
I wonder how long before Nationwide goes bankrupt 'cos of this.
11. anonymous
I have 3 accounts with Nationwide. In September I had someone try to obtain a mobile phone in my name and set up a direct debit at my bank to pay the monthly bill. It took me approx 10 phone calls and 2 letters to this company trying to sort it out. It is still being investigated by their fraud department. As I had not had any of my personal documents lost or stolen I could not understand how they knew my details. WELL I DO NOW! Doesn't take a genius to put it together. I am fuming. I should have known about this stolen laptop when it happened not 3 months later. It would have saved me a lot of anxiety. I have been thinking that someone has been going through my bins or I've not been vigilant enough on-line etc. What idiot takes home sensitive information???? I hope this moron also has a Nationwide account and someone commits an identity fraud on them.
12. anonymous
Quote: " it [FSA] said the very act of alerting affected customers could have further compromised their security."
Wow did they really say that!
Surely the FSA can't be advocating this variant of "security through ignorance".
i.e. don't tell anyone that there's a user called 'admin' with a password of 'admin' and everything will be safe.
Who are these idiots?
13. anonymous
Had Nationwide reported the theft of the laptop in August they would have told the thief the true value of his booty and increased the risk of fraudulent use of the data it contains. As a Nationwide customer of many years I am sure that all that is required to be done is being carried out under the instructions of the Police.
14. Brian Robinson
For the life of me I cannot understand why this data has to leave the supposed secure confines of an office based mainframe computer and downloaded to a laptop - surely for remote access to the mainframe by a mobile computer would be enough and far more secure - I have several accounts with Nationwide and now wonder if Mickey Mouse is in charge??
15. anonymous
Oh dear, I don't think I will ever bank with them, how slack to let a member of staff take confidential information out of the building. Surely if the information was encrypted, that would be something they would be shouting about, albeit, not the biggest of consolations under the circumstances.
Aren't I glad I work for and bank with the best bank in the world !!!!!!!!
16. anonymous
This was not the fault of Nationwide being sloppy, or a lack of security. The employee had their home broken into. It happens everywhere. It just so happens that this time, an employee had a laptop stolen. Come on! I have been a very loyal customer to Nationwide and have every faith in this. It could have been any institution. And with regards to the comment about not knowing how a fraudster got your credit card details but now you do - come on do you really think that fraud hasn't occurred before this incident? You cannot say this was because of the laptop. In case you didn't read it properly, no pins, account numbers or details are on there. So the only way fraud could be committed is with your card number, which has been stressed wasn't made available to the people who stole the laptop. Give them a break!
17. anonymous
This is an addendum to my comment of last week where I said I had sent an email to Nationwide, via their web site, asking them when they intended to officially tell their members about the stolen laptop. I have not had any response from Nationwide - not even to acknowledge my inquiry. I realise it was all in the newspapers over the weekend, however I do feel an acknowledgement at least was in order. And this is the company that wants to take over the Portman Building Society... As a Portman account holder I will certainly be voting against it and I would advise all other Portman voters to think hard and long before casting their vote.
18. anon
I phoned Nationwide and felt their service was outstanding on this matter. It was explained fully and, as it was only NAMES AND ADDRESS, there is nothing to worry about.
19. anonymous
Not sure if it's coincidental, but I got home last night to find a message to ring the Nationwide card fraud office - and they were working till 9pm!
After an hour on hold, it turns out that numerous cash amounts in Thailand had been taken from my account over a twelve hour period until the Nationwide stopped them.
The lady on the phone was very helpful and reassuring, but I got the impression that I was just one of a large number of cases, all identical.