UK Bank Laptop Stolen With 11M Customer Records

daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"

worrying questions

[homer_s]

This story raises a number of worrying questions:

The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).

What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.

Re:worrying questions

Amen

Re:worrying questions

This very very insightful. For instance when I lived in the US by social security number had to be used for almost everything I did. FOor example, it was my employee number at work and printed on everything. In Canada, where I am from, your number is more closing guarded, basically only used for tax purposes. If I get a form from my stock broker it says "number on file" and doesn't prtint the number, because there is no reason too.

Anyway the parent is right on the money, but we could start by taking easy baby steps and we don't even do that.

Re:worrying questions

[cloricus]

This probably shows how much of a geek I am compared to you but 11 million records...So say a name, an address, several series of numbers and general info...That is a hell of a lot of plain text. When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

Re:worrying questions

Everyone should come up with two large prime numbers p and q the moment they're born, state p*q for the birth certificate, and compute arbitrary cube roots mod p*q in their head to prove their identity.

Re:worrying questions

[Opie812]

his probably shows how much of a geek I am compared to you but 11 million records...So say a name, an address, several series of numbers and general info...That is a hell of a lot of plain text. When did laptop hard drives get that big...

Nah, 11 million records isn't that much. Even with every conceivable piece of information about each of the 11 million people a laptop could easily handle it.

Re:worrying questions

[Dunbal]

11 million records...So say a name, an address, several series of numbers and general info...

say 500 bytes per record - plenty to store name, address, phone number, account number, balance, ID number.
11M * 500 = 5500MB or about 5.5 GB. There's still plenty of room.

Re:worrying questions

[elgatozorbas]

Why should anyone be able to ruin your finances by just knowing some numbers?

Because otherwise you would not be able to use all these nifty on-line things, and would need to go to the bank everytime you wanted to transfer money. The problem is not in the use of numbers, but in recklessness.

Re:worrying questions

err... 11 million records being a lot of plaintext? Let's assume that it was a flat file with generous fixed record lengths, 4 byte index, 30 character first name, 40 character last name, 10 character ID, 10 character phone*3 (home/work/cell), 40 character address, 20 character "line 2", 30 character city, 15 character nation (this is the "UK" right? Or is it just Britain?) 6 character postal code, and 1000 bytes of other account information...

1.2KB per record * 11M records= 13GB of data, so it'd fit on most laptop drives, 20GB ones have been around for a while now, with modern laptops being 40-80GB usually.

Re:worrying questions

[nospam007]

This probably shows how much of a geek I am compared to you but 11 million records...So say a name, an address, several series of numbers and general info...That is a hell of a lot of plain text. When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?
--
With 4096 bytes per record for example, which is a lot, it's way below 5 Gig, nothing nowadays really.

Re:worrying questions

[LordPhantom]

11 million.... "woah, that's a lot".
Ok, consider this. Let's assume that each record is, say, a couple of kilobytes (that's much more than it probably is) of just text, as you say.
11,000,000 * 2kb = 22,000,000 kbytes.
22,000,000Kb = 21484.375 MB = 20.98 GB.
If it's in a raw database format, that is.
Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

Re:worrying questions

I agree that the system of identification in general is flawed at the moment, but I can't help but think that most things that could be done to enhance security would generate another Slashdot article about how our privacy is being eroded.
 
I am also surprised by the IT staff at that bank though. When I envision security implementations by internal IT, I generally assume my greatest risks come from users on the inside, intentional or not. Most security breaches in companies get initially generated by some poor user who honestly didn't know better.

Re:worrying questions

One time pad with a PIN works fine. That's the way it is done in Finland.

Re:worrying questions

[ShieldW0lf]

I left a job once when I first started working in IT, and one of the projects I'd done was for a web hosting company. I wanted the project to finish before I quit so I could use it on my resume, so I sent myself home the files I needed to work on to finish it so I could quit.

One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".

It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.

Re:worrying questions

[cloricus]

Excluding my licensed usage of the patented /. late night maths for not realising that a large number isn't really that big I still would like an answer to my second question of PHBs taking this much data home. Seriously we have several gig DBs at work with thousands of customer records yet I've never seen one good reason for it to leave the main storage site and with banking details which I would consider more sensitive why would a company even open itself up to this sort of thing...

Re:worrying questions

[mspohr]

Why should anyone be able to ruin your finances by just knowing some numbers? Why should someone be able to borrow in your name by just quoting some number? Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

This is the crux of the problem. The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission. They profit from each sale and thus have a big incentive to make the information available to as many people as possible. They've been burned by past practices and have had to eliminate outright fraudsters from their sales prospects (much to their dismay) but they still make big bucks by selling to just about anyone else prospecting for suckers for their credit cards, "financial services", and every other hair-brained marketers wet dream.

If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies).

Re:worrying questions

[rgbecker]

Having had this story rejected at 10:01 I wonder what it is about this particular report that makes it acceptable.

None of the above 'worries' were mentioned in the BBC interview of Nationwide's CEO. He implied that the laptop was 'secured'.

The main thrust of the questioning was 1) why the three month delay in revealing the theft & 2) what information was actually at risk. The diversionary answer was that on Police advice no answers or relevant information could be given except that PIN numbers were not part of the information and that no financial loss would be incurred. Repeated attempts by the interviewer to clarify the situation were stonewalled. We don't even know that all customers are involved.

As for Identity Theft it happens all the time; the BBC indicates that ID theft is one of the fastest growing frauds in Britain. We are daily warned to shred all of our paper records before trashing them.

It's no use whining about the way things ought to be; economics currently dictates that a Utility Bill or Bank Statement is taken by many as being proof of identity. We were informed the other day that Glasgow police believe 1 in 8 call centres in that city had been infiltrated by organized criminals specifically for the purpose of obtaining credit card and other personal details. We want things cheap, but look away when the local bank is closed in favour of some remote transaction processing centre.

Re:worrying questions

[ummit]

Why should anyone be able to ruin your finances by just knowing some numbers?

Excellent question.

One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.

If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandanavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.

The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.

It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.

Re:worrying questions

[Knuckles]

Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

I'm not sure, do you mean "aren't exactly being sold with 20GB of HD space anymore"? Because last time I checked, the usual size was around 60 GB :)

Re:worrying questions

[guilliamo]

Right on brother. Identity, identification and access accommodations are broke. Have been. You have nailed it!

Re:worrying questions

Hate to break it to you, but 11 million times 4096 bytes is nearly fifty gigs.

Re:worrying questions

[efence]

Also, please enlighten me why would a bank employee have a laptop with 11M customer records at home?

Re:worrying questions

[timeOday]

Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?

Probably because money is just some numbers? Seriously. Money is just information, you can't have financial security without information security.

Re:worrying questions

[Cyberax]

It's possible, moreover it's already 'implemented' in many countries.

For example, I live in Russia. Stolen databases of passport data are freely sold on black market. But it's impossible to do anything with them, because _every_ business where identity is important requires your physical presence with your passport. And it's a common practice to attach photocopied passport pages to documents (in banks, etc.).

Of course, there's a downside to this: you need national ID system AND you are going to lose a lot of time standing in queues because you can't do things by mail/phone.

Re:worrying questions

[Dunbal]

Excluding my licensed usage of the patented /. late night maths for not realising that a large number isn't really that big

      Hehehe. It happens! There's nothing wrong with critical thought.

with banking details which I would consider more sensitive

      Ugh, you should try dealing with all the niceties HIPAA provides...

Re:worrying questions

If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies)

Actually, isn't the "business model" of the credit agencies to extend billions of dollars of credit and charge interest on it? Whether or not they actually sell private information, it's a drop in the bucket compared to what they make from selling credit.

Re:worrying questions

11 million records is nothing to a modern computer - you could easily squeeze the lot on a bloody flash card.

Looks like it's time to re-introduce the phonebook/library of congress metrics of memory capacity.

Re:worrying questions

[Loconut1389]

100GB is very common on very recent laptops, but up to 160gb is available.

Re:worrying questions

But it's not just limited to the financial industry; it applies anyplace one needs to identify themselves.

Last year I got a letter from the police department saying there was a warrant out for my arrest for an unpaid ticket in a part of town I have never been to in my life. Here in TX, as long as you know the DOB, name and address of a person - and you somewhat resemble them (i.e. similar height and weight) - you can just claim that you're them and that you forgot your license at home and drive off scot-free.

This has happened to THREE times since I have received that initial ticket and I have contacted numerous people ranging from the police to my representatives to the judge who dismisses the ticket but the general response is "the ticket has been dismissed, leave us alone".

Re:worrying questions

[Foobar+of+Borg]

When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

Simple. They are feeling Important, so that they can also feel Virile (or Fertile, depending on their gender). PHB's always do stupid shit like this. That's one of the many reasons this world is so fucked up!

Re:worrying questions

[RAMMS+EIN]

``The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission.''

Now, hold on just a second. Aren't there laws against that in the EU? Laws that detail consumers' right to privacy and specify what companies can and can't do with personal information? I can certainly imagine a few companies getting away with breaking these laws, but not a whole industry being founded on it. Besides, it seems to me banks make money by borrowing it from customers and investing it or lending it out against higher interest rates, charging for transactions, premium services, etc.

Re:worrying questions

[Fastolfe]

This is absolutely insane. You do not need a full account database in order to do a project. A project like this should have a test database that contains bogus customer information for testing purposes. I work for a major telecommunications company on our billing-related application team, and I have never seen or heard of our developers doing things like this.

I can understand, though, how some smaller companies may not have the resources to do things like this properly, but for the benefit of other readers, not everyone handles customer data the way you/your client did here.

Re:worrying questions

[ivothamdrup]

The bit about identification numbers is actually true. In Estonia, everyone's [1] SSN can be looked up from a public LDAP directory (ldap://ldap.sk.ee). The SSN is used, as you said, only for identification. There are however some people who view it as a security hazard, but the same people can't tell the difference between identification and authorization...
[1] - Everyone who's been issued an ID Card; that is, about 90% of the population.

Re:worrying questions

What made them publish it?

Re:worrying questions

[RAMMS+EIN]

``No one can steal someone else's identity (for now anyway).''

I'd say not ever. But then, I understand identity to mean a relation that holds for p and q, if and only if p and q denote the same object. Like eq in Common Lisp. What is "stolen" is not the identity, but the traits that we look at when trying to verify identity. The checks we perform are more like eql or equal than eq.

Also, many cases of identity "theft" don't actually remove credentials (let alone identity) from the victim: very often they copy the information. The victim can still authenticate himself...it's just that someone else can impersonate them.

Re:worrying questions

[RAMMS+EIN]

At least one bank in the Netherlands used to do that, too. I don't know if they still do it, but I do know that people (including myself) used to find it horribly inconvenient and lose the pads. The bank I'm with now uses a device that reads your bank card, asks for your PIN, asks for a challenge that you are sent by the server (encrypted, of course), and then gives you a response that you send to the server.

Since the device is a black box, I have no idea how good the security is (it particularly worries me that the device detects it when your PIN is wrong - the devices are interchangeable, so it must somehow be able to tell your PIN from your bank card, which doesn't strike me as a Good Thing), but it's a whole lot more convenient than the printed sheets of paper, and it could be at least as good as what you get from cash withdrawal or electronic payment machines (bank card + PIN + black box).

Re:worrying questions

[RAMMS+EIN]

``Because otherwise you would not be able to use all these nifty on-line things, and would need to go to the bank everytime you wanted to transfer money.''

That raises the question of how the bank authenticates you. I'm confident a web interface can be at least as secure as whatever you get when you're physically at the bank (note that I did not say "what you _could_ get when you're at the bank"). Of course, this case is about a leak in the back end; a front end is never going to protect against that, no matter how secure you make it.

Re:worrying questions

[RAMMS+EIN]

``This very very insightful. For instance when I lived in the US by social security number had to be used for almost everything I did. FOor example, it was my employee number at work and printed on everything. In Canada, where I am from, your number is more closing guarded, basically only used for tax purposes. If I get a form from my stock broker it says "number on file" and doesn't prtint the number, because there is no reason too.''

Right. It's interesting to see how, in the USA, where (more) people are (more) paranoid about "them" watching them, you need SSNs for nearly every transaction beyond every day stuff, whereas in Canada and the EU, where people are, generally, much more trusting, the local equivalents of SSNs are much more closely guarded and restricted in their purpose.

Having said that, mine is printed on my passport, so, I suppose, everyone who has ever seen my passport could have my SSN...but that's not a whole lot of people, actually. In fact, there are probably more people who know whatever number I used as an SSN when I lived in the US for half a year than there are people who know my actual, Dutch, SoFi number.

Re:worrying questions

[RAMMS+EIN]

``I can't help but think that most things that could be done to enhance security would generate another Slashdot article about how our privacy is being eroded.''

I wouldn't be so sure. Security and privacy often go hand in hand. In this case, for example, a security problem caused private information to be leaked. Privacy was lost, because of bad security. Also, if these records contain enough information to actually impersonate the customers, then the privacy leak causes a breach of security: banks' authentication systems can't be trusted anymore, because information that should be private, isn't.

Re:worrying questions

[jridley]

Right, I don't think you can get a laptop with a drive that small anymore.

On another note, what kind of *MORONIC* company allows sensitive customer data on portable media in unencrypted form? I mean hell, it's not like there haven't been plenty of cautionary tales, and it's not like it even costs any damn money, just run truecrypt if you're too cheap to buy anything, it works well.

I'm guessing that they think that the possibility that somebody might forget a password is more important than actually safeguarding customer data. I mean, you have to ASSUME that anything on a laptop WILL be stolen; laptops get stolen ALL THE TIME. Our company loses several a year to theft from travellers.

Re:worrying questions

[homer_s]

The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission.

It is not 'private information' if someone other than you knows about it. My point is that data that is known to someone other than me should not be used to control my bank account/ credit ,etc.

My SSN is known to at least 100 other people. So it should not be used as a means of identification. Passing a law prohibiting those 100 people not to disclose my SSN without my notification will not make me comfortable because if one of them does leak me SSN, it will still harm me.

All the law can do is punish the guy who leaked it after the fact. That does not undo the damage to me. Unless the law can travel back in time and undo what has been done, it is useless.

Re:worrying questions

[Tim+C]

Agreed. The project I'm currently on involves a database of information protectively marked as RESTRICTED (the lowest protective marking, but still legally protected by the UK's Official Secrets Acts), and we don't even get to see it. We're not even allowed to use a randomly scrambled version of the real data for performance testing, let alone functional testing.

I can understand, though, how some smaller companies may not have the resources to do things like this properly

Rubbish. Even if they have to develop against the live database (an absolute no-no), they should be using a separate schema with representative data and have no access to the real tables. There is no excuse for using real, live data of that sort of sensitivity for development purposes. The only time I would consider it acceptable would be in investigating a problem that only manifests when the live dataset is used, and then it should be handled with extreme care.

Re:worrying questions

[homer_s]

What is "stolen" is not the identity, but the traits that we look at when trying to verify identity.
The victim can still authenticate himself...it's just that someone else can impersonate them.

Imagine if a company/govt relies on the person's name as an identification and authentication code - now would you say I can impersonate you because I know your name? I hope not.

Now, companies should be allowed to use whatever the heck they want as a means of identification - as long as they bear the losses arising from that. Pretty soon, you will have a foolproof system. But right now, it is the responsibility of the people to keep such information secret. It bugs me that the govt also uses the same means of identification and asks the ppl to bear the costs of the failures arising from this braindead method.

Re:worrying questions

[mikael]

Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

The latest models of laptops have not one but two slots for the 2.5" hard disk drives, which are accessible from a side panel (rather than being mounted deep inside the system). And 20 GB is at the lower end of the memory capacity for this size of drive, with 100GB at the high end. So it's easy for a laptop to have 200GB of storage if you really wanted to. For design engineers having a workstation that they can take into meetings or onto the shop floor is becoming an attractive option.

Looking at any internet latop retailer- you will see a whole range of laptops with varying hard disk drive capacities in this range.

Re:worrying questions

[mikael]

When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

The information was being used for marketing purposes (according to Sky News. Presumably, this list of names and addresses was going to be used to send out mail shots. At 11 million records, that covers well over 10% of the entire UK population.

Re:worrying questions

[ShieldW0lf]

In my defense, at that time, I had negligible real-world experience to speak of and was attempting to single-handedly reverse engineer, repair and extend a huge mess that looked like it had been written by a secretary. I think they migrated the db from Access with a wizard and then poked around looking for ways to make it worse.

The idea of not using "live data" in that particular case was a bit of a joke.

Re:worrying questions

[menkhaura]

Hell, they do it even here in Brazil (pretty much the definition of "third-world country", notwhitstanding government propaganda to the contrary), in one private bank, at least.

Re:worrying questions

[MrMarket]

This is a great point. Not only form a technical perspective, but from a legal perspective. Why should I be liable for a credit balance that I did not physically open? If someone is caught opening an account in my name, they should be responsible for the debt. Why is the burden of proof on the consumer to prove that they did not open the account. If the burden went the other way, banks would be much more diligent about making sure the person opening the account is really who they way they are.

Re:worrying questions

[mspohr]

I don't know about the EU (I'm in the US) but here is a credit industry that collects personal information about every "consumer" and sells this to anyone who isn't obviously a crook. Some of the users of the information are legitimate (i.e. bank checks my credit when I apply for a loan or credit card). Most of the sales are to companies that want to sell you something (i.e. all of those unsolicited credit card applications).

As far as banks go, they tell you that they are releasing your personal bank information and loan payment information to the credit bureaus (it's in the fine print of their "privacy disclosure") and that makes it "OK" in the eyes of the law. You as a consumer can't prevent this information sale. The only way to opt out is to not have any bank accounts, loans, or credit cards (but they still collect other "public record" information on you such as DMV, court records, property transfers, etc.).

As Bill Joy once said... You don't have any privacy... get over it.

Re:worrying questions

[ScrewMaster]

It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.

And, more importantly, could be changed if it ever became compromised. If you didn't have the ability to change that "secret number", it would be no better than a biometric authentication system that depends upon some supposedly unique aspect of your body.

Social Security numbers wouldn't be so bad if you could change them every couple of months. The fact there is a permanently assigned number that can be easily accessed by anyone and aid in authenticating someone is what's so dangerous.

Re:worrying questions

[LordPhantom]

Yes - I should have stated more clearly "Last time I checked, laptops aren't exactly being sold with such a small amount of hard drive space".

Re:worrying questions

[nospam007]

Yep, good catch, missed a zero, but nonetheless gets several times on a modern notebook, even without compression, and databases compress _very_ well.

Why was the info. on the laptop not encrypted?

[msobkow]

Why was the information on the laptop not encrypted?

That is the one question that doesn't step on internal business processes, data, or procedures.

With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

Re:Why was the info. on the laptop not encrypted?

[AnonChef]

there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

When did stupidity stop being a valid reason?

Re:Why was the info. on the laptop not encrypted?

[paulius_g]

In corporate and enterprise environments, many people have the mentality of "if it ain't broken, don't fix it".

I know a few companies (although really small) which have the same mentality. One is a photographer who uses a laptop without a firewall, IE6, without antivirus and without any updates. They say that they don't need any updates or nothing because he only uses the laptop to check emails and go on eBay. Sigh.

Re:Why was the info. on the laptop not encrypted?

[hey!]

While I agree that encrypted file systems and strong authentication should be used when data is taken offsite, it's important to remmeber that the data probably wasn't supposed to be offsite in the first place.

A more secure policy does not good unless policies regarding data are strictly enforced at every step. As soon as the data was copied in an unauthorized manner, the bank lost the power to control its subsequent use.

More leniant policies, more strictly enforced would do better. If it is necessary for workers to take data home, then a policy permitting it but requiring safeguards would be called for. However, I doubt it is necessary for workers to take data home, and outside the work place I doubt policies can be enforced as effectively as in.

Re:Why was the info. on the laptop not encrypted?

Anyone who has used or evaluated HD encryption tools such as TrueCrypt will realize that ultimately the encryption/decryption scheme depends upon a password and the user's willing cooperation not to write it down say, in a .bat procedure that mounts the encrypted volume. It's the old tradeoff between cryptographically strong passwords and relative difficulty of remembering them. Consequently HD encryption is not the answer because no one, and especially your IT people, can ensure the end user's cooperation. It is insufficiently preventive that the end user should count on getting fired for letting 11M customer records slip from his grasp whether encrypted or not. The only answer is that the data MUST remain in the data center at all times and that remote access to it be granted only when absolutely necessary (e.g. via terminal server). And even then it should be as a last resort. Then, and only then, will the rest of us stop being innocent victims of others' ignorance and carelessness.

Re:Why was the info. on the laptop not encrypted?

[Fastolfe]

While I agree that encrypted file systems and strong authentication should be used when data is taken offsite, it's important to remmeber that the data probably wasn't supposed to be offsite in the first place.

I agree. Where I work, we actually take things further. Any customer information like this, even if it's stored on internal systems, must still be stored encrypted. It is also unlikely our developers would have ever needed live production customer data to test with, so it would be odd (suspicious) that this information would ever be needed on any non-production system, much less an individual's laptop.

Unfortunately, once you let one person into your systems that doesn't understand the need for security, it doesn't matter how many layers your security policy has. If it doesn't occur to them that ignoring one layer is bad, they're going to ignore all of them. So it doesn't surprise me that someone willing to copy live production customer data to their laptop to play around with would take that same laptop home, and would then fail to protect it.

While I'm usually the first to suggest incompetence over maliciousness, I really have to wonder what percentage of these "thefts" are really employees selling customer data, under the guise of an "innocent" security lapse.

Re:Why was the info. on the laptop not encrypted?

[pbhj]

>>> When did stupidity stop being a valid reason?

I've always been told that "ignorance is no excuse under the law"; so, the answer is "a long time ago"!

Re:Why was the info. on the laptop not encrypted?

[lvcipriani]

The more I read stories like this the more I think there should be sizeable criminal penalties for putting private information on laptops. This is just too damn stupid to allow. Yeah, I know, but what about freedom, what about efficiency, blah blah blah. Too many companies and governments have screwed up too many times for this to be allowed anymore. Enough is enough.

Re:Why was the info. on the laptop not encrypted?

[msobkow]

If an employee needs regular access to sensitive data and password entries with TrueCrypt or encfs are too much work, the company could always spend a few hundred extra on laptops preconfigured to use drive encryption, with or without biometric drive security. Several companies including IBM/Lenovo sell such hardware.

The point is that the usual excuse of budget constraints don't wash -- there are free options that require little work.

Double click TrueCrypt container. Select virtual drive letter. Click mount. Enter password.

Dismount when done working.

Simple.

Why, why, why?

[SpaceLifeForm]

Obviously, the UK Building Society Nationwide does not read Slashdot, otherwise they would have known about the risks.

It is not often I say . . .

[Don_dumb]

Thank god I have only £30 in my Nationwide account.

Re:It is not often I say . . .

[pr0digy25]

Thank god I have only £30 in my Nationwide account.

Or is that *had* in your account? :)

Re:It is not often I say . . .

[weffew...]

You better check you haven't just become overdawn then....

Re:It is not often I say . . .

Thank god I have only £30 in my Nationwide account.

And your name is..?

Re:It is not often I say . . .

You mean -£500?

a reason to SMILE

[cliffski]

Another good reason I use smile (www.smile.co.uk) They have great customer service (best ive encountered), reasonable interest rates, a great,usable website, and are consistantly ranked the top UK bank for security. On top it all, they are an ethical bank who restrict where they invest your cash.
It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.

Re:a reason to SMILE

How do you know that this couldn't happen to them?

Seems like you're nothing but a petty shill.

Re:a reason to SMILE

[Richard_at_work]

This seems to be the latest stupid 'slashdot-ism' - other than a few well known exceptions, you are not allowed to have a good word about or make a recommendation about any company big or small because you are instantly branded a shill for doing so.

Pathetic.

Re:a reason to SMILE

I haven't set foot in a bank in 5 years.

into what do you pay cheques and cash?

Re:a reason to SMILE

[xwizbt]

Nobody's suggesting it couldn't happen to them, but you may want to check their website and see just how obsessed they are with security. However, this doesn't mean those silly systems where you get a random number through the post and have to input various digits every now and then, which you promptly forget. Their security is simple but effective. Coupled with great customer service, I can totally see where the original poster is coming from.

And hey - how many other banks have two rabid fans that are prepared to stand up and say 'Hey, my bank's great!' for no reason at all other than they've had a great customer experience? Yeah, so I guess it's very nearly off-topic, but there you go. Online banking is a valid alternative to places like Nationwide, and because they're on the internet security seems to be more of a concern for these banks.

Re:a reason to SMILE

[ozbird]

I keep all my ISK In the Eve Intergalactic Bank - as safe as 1.0 space!

Re:a reason to SMILE

[loconet]

They can be all that, but if an silly employee with access copies the data to a laptop to bring home, all those wonderful things become irrelevant. Security is as weak as the stupidest operator with access....

Re:a reason to SMILE

[jez9999]

How do you pay physical cheques or money into your account? Either you must never pay that in, or use snail mail, both of which sound irritating compared to walking into a bank...

Re:a reason to SMILE

[cortana]

Snail mail. If you pay in a lot of cash, Smile/Cahoot and similar banks are not for you.

Re:a reason to SMILE

The poster made an unsubstantiated claim - that this bank was better than other banks in terms of security, and implied that this incident could never happen to them.

His post is basically an advertisement. Hence, accusing this person of being a shill (not saying that he was indeed one) is a valid accusation.

You're pathetic for trying to reduce everything down to "isms".

Re:a reason to SMILE

[xwizbt]

You can pay in at a Post Office (cash or cheques) or by mail (cheque only).

Re:a reason to SMILE

Nobody's suggesting it couldn't happen to them

Then how is this on-topic?

but you may want to check their website and see just how obsessed they are with security.

Most banks are obsessed with security. That doesn't mean their security does not have holes or human malfunction.

Unless there is a competent audit of this bank's security by a trustworthy outside source, I take you and other's claims of this bank's superior security with a grain of salt.

And hey - how many other banks have two rabid fans that are prepared to stand up and say 'Hey, my bank's great!' for no reason at all other than they've had a great customer experience?

Relevant how?

Online banking is a valid alternative to places like Nationwide, and because they're on the internet security seems to be more of a concern for these banks.

I appreciate your faith in their security, but unless I see something more substantial, its just FUD to me. I'll stick with my current bank.

I'm not saying you may not be correct, but I have no reason to put faith in two people's claims.

Re:a reason to SMILE

[cliffski]

from: http://www.smile.co.uk/servlet/Satellite?cid=11248 67052002&pagename=Smile%2FPage%2FsmView&c=Page

"We're the only UK online bank with the BS7799 Information Security certification from the BSI. That means we have an extremely secure Internet Banking service"

wikipedia entry:

http://en.wikipedia.org/wiki/BS_7799

Plus every newspaper that ever runs a story on the most / least secure banks seems to always rank smile #1. I'm not a 'shill', I dont work for smile, I run my own games company. I'm just a happy customer.

Re:a reason to SMILE

Most banks are obsessed with security. That doesn't mean their security does not have holes or human malfunction.

I do some consulting for various banks' IT regarding software and security. Let me tell you that none of the banks I have worked with are "obsessed" with security. All of them are concerned with security, but the degree to which they take it seriously varies significantly. Additionally, there's a large difference in how security is handled whenever (the bank's or the customers') money is involved, and anything else, which may include handling of customer data for marketing purposes.

Re:a reason to SMILE

Cheques? This isn't the 1970's, pal.

Re:a reason to SMILE

[duguk]

I'm with nationwide for exactly the same reasons, fantastic customer service and never had a problem with inernet banking or money going missing.

On the two occasions I have had trouble with another company, I was refunded the money without question right away.

They also promise NEVER to email customers because of the inherent problems.

Reading the article, it does not say that all 11 million customers' information was even on the laptop, and the only information on there was account numbers and names.

I have no worries that my details will get into the wrong hands -- and I'm positive even if they did, Nationwide wouldn't complain. As one of the few BUILDING SOCIETIES (Its not a bank!) running, I'm sticking with them.

Smile is run by the Co-Op, who I've got no problems with, but they are a Bank rather than a Building Society.

I'm honestly not even concerned, though I will be keeping an eye on my money, as usual.

DugUK

Re:a reason to SMILE

[jimicus]

I'm a customer of Smile too. And I find their telephone banking worrying, to say the least.

I also have an account with Lloyds TSB. With them, the computer asks 3 questions which the phone bank person relays to you. They punch the answers in, computer either says "no" or "yes". It doesn't say which questions were wrong if access is denied. In any case, the person in the call centre can't get at your bank details until such time as the questions are answered.

Not so with Smile. With Smile, as soon as they have your account number they're in. They simply glance over your statement on their screen to decide which questions to ask.

Now, let's say I hang around outside the Lloyds TSB call centre with £5,000 in used notes in a paper bag. While I might get some useful information, it will be slow and painful and may not get me anywhere - certainly not if the computer asks the wrong questions when I ring up and impersonate a customer.

So instead I take my paper bag full of cash and hang around outside the Smile call centre. A few days later, someone in the call centre is £5,000 richer and I've got enough account details to recover that several times over.

I complained to them about this, and while they acknowledged that such a scenario would work, it "hadn't happened yet" so they didn't see the problem.

Re:a reason to SMILE

This seems to be the latest stupid 'slashdot-ism' - other than a few well known exceptions, you are not allowed to have a good word about or make a recommendation about any company big or small because you are instantly branded a shill [wikipedia.org] for doing so.

It stems from Groklaw. They have a really bad habit over there of labelling a "shill" anybody who didn't buy into the whole black-helicopter reverse-vampire Microsoft-plotting-in-a-darkened-room conspiracy theory. The meme is overflowing into Slashdot. I agree it's stupid. What's the point of having a discussion if only one point of view is acceptable?

Re:a reason to SMILE

[lysse]

I understand your ire at banks, but the Nationwide Building Society isn't one - it's a mutual society, one of the last, and it's committed to remaining one, despite the efforts of the carpetbaggers who all but destroyed the principle of mutuality in the 1990s. Whilst it doesn't brag about an ethical policy as such, its commitment to mutuality is already an ethically desirable quality, and it's consistently voted one of the best big companies to work for in the UK.

(In contrast, Smile is a division of the Co-operative Bank, which IS a bank, despite having grown from a co-operative organisation; moreover - and ironically, given its origins - the Co-operative Bank has repeatedly recorded the highest levels of staff dissatisfaction of the high street banks. A case of "do as I say, not as I do"?)

Re:a reason to SMILE

Bullshit. Pure and simple. BS7799 has nothing to do with "secure Internet banking". It means they've got some boxes full of paper that show that they have identified assets that they have that should be kept secure, and they have undertaken a risk assessment to identify what risks those assets face, and what they're going to do about them. Also, they haven't said what scope their certificate covers, they could have done the entire company, they could have done the canteen.

Death Penalty

[Bohemoth2]

We need to implement the death penalty for this sort of thing.

Such stupidity needs to be removed from the gene pool if we are to progress.

Re:Death Penalty

[thrillseeker]

Well, £100 fine per lost record would be a good first step.

Re:Death Penalty

[Dunbal]

We need to implement the death penalty for this sort of thing.

      Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.

      See you in 11000000/365 = about 30,000 years!!!

Sounds like they should be prosecuted

[Colin+Smith]

The Data Protection Act requires that businesses and individuals take precautions to protect personal data.

Re:Sounds like they should be prosecuted

Nationwide is a mutual. If members want to they could seek a "motion of no confidence" in the director(s) responsible for this mess, and I hope they do.

Re:Sounds like they should be prosecuted

[Colin+Smith]

The directors are liable under the act anyway.

How can we stop this happening so often?

[Xest]

How can companies with so many resources consistently be so incompetent? This isn't the first time we've heard about loss of many customer's details needlessly and inexcusably.

Is it just that no matter how much money you throw at the problem, basic security procedures, such as not taking home your entire customer base's details on a laptop are going to be ignored by certain members of staff? If this is the case how can we begin to make these people listen? Would jail time for anyone releasing this kind of information through negligence make everyone a bit more careful about what they do or would even that not stop people this utterly stupid and ignorant? Perhaps targetting the companies would be more fruitful such as a decent amount of conpensation paid to everyone involved in this kind of data leak, would that then make companies a bit more careful about avoiding employing people who are likely to make this kind of idiotic mistake? 11 million customers being compensated even £100 each would be a massive financial blow to a company to surely make them avoid such a catastrophic mistake? of course this does also lead to the question, should a company be brought to near bankruptcy for the mistake of a single employee?

Re:How can we stop this happening so often?

[ummit]

Is it just that no matter how much money you throw at the problem, basic security procedures... are going to be ignored by certain members of staff?

I think that's actually a big part of the problem.

should a company be brought to near bankruptcy for the mistake of a single employee?

If the threat of that is what it takes to force companies to arrange their affairs more securely, then quite possibly yes.

Some people take security seriously; most don't. "All you have to do" to run a secure operation is: (1) Arrange that only a few people have access to sensitive data or are otherwise in a position to ruin the company. (2) Identify which of your employees truly take security seriously and which can't be bothered. (3) Match trustworthy employees with sensitive positions, as appropriate.

Re:How can we stop this happening so often?

[einar2]

Because some people conduct their business very incompetent.

I work for a Swiss bank. All notebook harddisks are encrypted by default. There is no way our employees could get access to the customer database to replicate data!!! The Swiss banking law is rather harsh on such issues. For the employee as well as the bank.
In the end, you have to severly punish enterprises for being lax with customer data. The loose of reputation is not incetive enough. It has to hurt so that execs decide to recognize the issue.

Amazon and customer data

Having worked at Amazon, I can tell you no employee is putting that data on their laptop .

When will this 'putting critical data on laptops' BS stop? That's gross negligence right there. Unfortunately, the judgements in these cases amount to just a slap on the wrist so we can expect it to continue.

Banking competition...

[__aaclcg7560]

I think this UK Bank wants to be bought out by an US bank by advertising that they can dump customer data just like the US Banks.

Re:Banking competition...

[jabuzz]

It's a mutual building society, so firstly it is not a bank anyway. Secondly it cannot just be brought out unless a majority of it's current customers vote that way. The Nationwide in line with most of the other remaining building societies in the U.K. have made the process of de-mutualization much harder in recent years. It therefore unlikely that it could be brought out by anyone.

Re:Banking competition...

[plugholeUK]

That's what I thought when I opened an account with the Portman Building Society a couple of years ago...

Re:Banking competition...

[caluml]

be brought out
Bought. As in "to buy". Brought is as in "to bring".

Re:Banking competition...

[matthew.thompson]

And as a member of the Portman Building Society you will be provided with a vote to decide wether the MERGER or Portman and Nationwide should take place.

Suck it up

[Toby+The+Economist]

Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.

However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? quit? if your morgage is with your bank and they lose your account information, are you going to change bank?

Because there is basically, when all is said and done, no *real* pain for organisations, for loosing information, there is no *real* need for them to understand security enough for these data losses to stop.

So suck it up!

Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/receieved from my own home-run POP/SMTP server.

Re:Suck it up

[Fnkmaster]

Well, this is one of those cases where government intervention would actually be useful. If there were a mandatory penalty of $10 per record lost, plus the requirement that the company covers identity theft protection insurance for at least 2 years for all affected customers, well, you wouldn't ever see 11 million records leave the office, period.

When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.

Re:Suck it up

[Toby+The+Economist]

I totally agree.

Unfortunately, the State is not independent of these corporations - their lobbies are effective and well funded. In other words, the mechanism which we, as individuals, have collectively agreeded to bring into existance (the State) is not functioning; it has been compromised by the entities it was created to constrain.

Re:Suck it up

Sure, there is a set of customers who are locked in. But as a new grad, I will be looking at banks for new loans in the near future. I will not choose a bank where my information is not secure. And in the coming decades do you really think that I would send my children to schools that treats personal information so lackadaisically? Perhaps companies have you or I locked in today, but they need to think about tomorrow's business as well.

Re:Suck it up

[bhalter80]

This person is completely right as much as Ed Norton's speak in Fight Club about automotive recalls only happening if the cost of the recall were less than the cost of settling all the lawsuits may be frightening and seem outrageous this is the same situation. It doesn't currently cost enough to lose the data. Only once losing the data becomes outrageously expensive and unlitigatable will corporations protect it.

Not a Huge Surprise

[segedunum]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect. When a UK bank or building society says they're tightening security or doing anything, it's always a panic reaction and things revert to normal when the whole thing goes away.

People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop......."We've seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop. "This is really unusual."

It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.

Re:Not a Huge Surprise

[Gratch06]

Simple DB: 256 bytes of person's name 16 bytes of credit card number 16 bytes for a phone number

Oh, and just for fun, let's round that up to 1 KB to make sure that we cover the overhead of the DB infrastructure and the multitude of information I missed.

1 KB * 11,000,000 customers = 11,000,000 kilobytes = ~10.5 gigs.

People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

Now please show me one laptop that *doesn't* have a hard drive that can hold a Database that size. It just doesn't seem to make sense any more.

Re:Not a Huge Surprise

[TyrWanJo]

What i find most disturbing about this is that if this can happen at a bank, and, as the previous post assures us, happens all the time, what happens in industries and businesses where security should be just as tight, but there isn't as obvious a need for said security. (i.e. insurance companies, stock trading companies, small businesses that deal in e-commerce, etc.) Whenever i see something like this bank problem, it makes me quail at the thought of the things that aren't being seen.

The real problem exists, i think, with non-geeks' inability to understand the risks involved with computers. In order to write a paper once, i had to create a term, anti-geeks: people who use computers, but don't respect the power they afford us, and thus, don't really understand how they can be both a boon and a danger. I believe said term is vastly appropriate for situations such as this. In as much as i think we would like not to believe it, many people still have the "if i turn it on, and it works, then everything is all right" mentality, and this is bad enough, but the people that really scare me are the ones with that aforementioned mentality that also believe by turning on the computer and writing a mean spread-sheet, they are terribly savvy people and don't need to pay any heed to security advice or the wise words of their IT guys.

For a while i worked at a camp for kids with special needs, and one of the things we did was teach disability awareness to the community at large. It makes me think that perhaps there should also be a general class to give people some sort of literacy - although i don't know how literacy would be defined or how to implement such a program, but it seems at least like it might be a helpful thing for schools and municipalities to offer. The real issue isn't so much ignorance, but ignorance of ignorance - many people, often, don't even know that they don't know; this is far more dangerous than simply not knowing and admiting it.

Re:Not a Huge Surprise

[segedunum]

Now please show me one laptop that *doesn't* have a hard drive that can hold a Database that size. It just doesn't seem to make sense any more.

I was referring to how anyone would want to take that data, physically, home with them.

Re:Not a Huge Surprise

[T-Ranger]

Because "SELECT * FROM blah" is easer to type then "SELECT * FROM blah WHERE...".

Re:Not a Huge Surprise

[EnglishTim]

I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

There's no evidence that there were 11 million customer records on the laptop. That's just a 'fact' made up by the submitter and swallowed hook, line and sinker by the editors.

Yes, Nationwide has 11 million customers. There's nothing to suggest that the laptop had information about all of them on it.

The page on Nationwide's site simply says that "The laptop contained some customer information to be used mainly for marketing purposes".

well its a good thing they don't.....

[3seas]

allow the use of 4 gig thumb drives.....

Oh wait, Did I say "don't"?

Re:well its a good thing they don't.....

[einar2]

That is a rather silly comment.

Stop thinking technical for a second. Do you think employees have access to copy/paste databases? On bigger banks, the customer DB is on a mainframe, you as a clerc sit in front of a pitifull PC. There is no way you get access to the mainframe DB directly. So feel free to bring in external HDs or what ever you want.
Banking applications allow you to access single customer records if your job requires you to do so. Yes, you could copy/paste these in another file but this would take ages to collect data.

I work for a bank. All our applications are browser based. You as a clerc are just given a web interface. You can never ever connect to a DB. There is no way you could leech the customer DB.
The case they described looks like serious incompetence.

They need

[William+Robinson]

They need to check my SIG once...

Re:They need

Great Security!

Pity, some moderators did not read your sig.

why? why? why?

[elgatozorbas]

Possibly for the simple reason that many people don't see the "big picture" and have no idea of the risk they are exposing themselves to.

Probably not enough ID..

[Channard]

.. this is worrying, but it's probably not quite enough to take out finance/credit cards etc. My local store requires, if you're doing finance, proof of ID such as driving licence or passport, and also a recent household bill.

Re:Probably not enough ID..

[Gandalf_the_Beardy]

I've seen people stealing these out of letterboxes before now on our estate. I can't personally think of any other useful reason to pinch a gas bill, unless you've been dumpster diving ot have bought a laptop for £50 with 11 million acount numbers on it.... Since the postie doesn't deliver until midday in many locations, and since it's easy to stick your fingers in a floor level letterbox and fish the mail back out again it's amazing anyone accepts a utility bill as proof of ID. All it is proof you have access to the mailbox of that address.

TFA

[Chris_Keene]

TFA does not say that the laptop had infomation on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not pins, balances or passwords.

More infomation
http://www.nationwide.co.uk/security/news_and_aler ts/

This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.

Not to say they should not presume the worse and react accordingly of course.

MM not M

[EaglemanBSA]

For future reference, M means thousand, MM means million.

Re:MM not M

[nuggz]

FYI
m - milli = 0.001
k - kilo = 1 000
M - mega = 1 000 000

I consider local namings/conventions a sort of slang that should not be used in a global forum.

My first question would be?

What was an employee doing taking records of 11 million customers home in the first place?

why was it even there?

[v1]

What does any employee of that bank need with the entire customer database? If he is doing work, he should be doing it at work not at home.

How many of this business's employees have full access to the entire customer database with account numbers?

Is it company policy to allow empoyees to take business records home at all? Or for that matter, is it even within company policy to bring your own personal laptop into the building?

So, what policies were broken, what policies are being changed, and what's not going to be fixed so that it just happens again?

Re:why was it even there?

[caluml]

What does any employee of that bank need with the entire customer database?

Agreed.

If he is doing work, he should be doing it at work not at home.

Why? Stop thinking like an employer from the 50s. I work at home sometimes and it's better because: a. No commute. b. No interruptions. c. I can have a decent meal for lunch. d. I can listen to my music via speakers rather than headphones. e. I can be in to sign for parcels etc.
Sounds like you're the suspicious never-trust-people-you-can't-see type.

Re:why was it even there?

[Doshin]

I work for a major US bank, at a fairly low level, and i have access to a good 90% of information in our database its important to my job to be able to access the information. There are also a number of positions in the bank which require employees to have laptops with the information on it, its locked by a number of features and encrypted, but its still a big deal if one of these is lost, because even though whoever has the laptop might not ever be able to access the information, the information is out of the hands of the bank, i read the article, and the statement from the bank, and nowhere does it say the laptop was not secure or unencrypted.

this isn't that strange that the employee had the laptop, and i work in the fraud department of my bank, trust me, if it was a situation where the information was just hanging out somewhere out in the open, the bank itself would be doing a lot more than issuing an apology. This is just the bank covering themselves publicity wise, most likely there is no actual risk.

Re:why was it even there?

[v1]

One poster raises the point that the employee was working from home and that's why he had the data off site. I find that hard to believe for a bank to have people that "work from home". I still want to know what he was doing with the laptop full of personal information outside the walls of that bank in the first place.

Yes, access to the data is completely understandable. On company computers. On site. In a room out of sight of customers. But if you're out sitting at a keosk eating your lunch while browsing financial transaction records on your laptop, I don't care if you're doing your job, you are a risk.

If you think that's reasonable, then imagine a jewelwry store employee sitting next to you at the keosk. He's doing a pre-evaluation of a new collection to be sold next week at auction, about $350,000 worth of diamond and emerald pieces in a complete set. Wouldn't you ask yourself, what the heck is he DOING with that, HERE? Isn't that an incredible risk?

Suuure, jewelwry we can see the value of, and if he gets mugged, ouch, company's out 350 large ones. Lord knows they will never let that happen and he'd get his knuckles broke when he came back to the office if they ever found out he took the goods out of the safe.

But customer information. Big deal. Stolen? Do we really care? Are we out merchandise? Fined? OK maybe sued but we have 8 lawyers on retainer so that's not going anywhere this century. The only difference is who gets hurt. Hurt the company, and omigod protect it, pull out all the stops, we want automated turrets and a pit bull. Hurt the customer's privacy or credit rating, owell we got some customer ill-will but no biggie, life goes on. Just a calculated risk, too expensive, the return on investment for adding security there is just not worth it.

Go tell your boss tomorrow that you'd like to take home a copy of your bank's financial records to do some analysis on. (encrypted even) See how far he throws your can out of the office.

Re:why was it even there?

[Doshin]

its not important to my job to have all the records at home, but if it were, then i'd recieve a company laptop with a number of security features. there may not be a large number of people with the information, because for the most part it isn't a necessity for most situations, and there is also a difference from sitting in a public place analyzing customer information, and having it at your house, there are a number of policies involved in the storage and safety of information. and the diamond analogy isn't valid, because unless you're toting around a safe, the jewelry would be completely unprotected. but even on a laptop the information is going to be very protected, and most people wouldn't even be able to begin to attempt to extract it, and furthermore chances are 9 out of 10 the person stealing the laptop will have no idea that its even on there. the idea behind having the abillity to have and access customer records remotely and having access to those items on a computer away from a building associated with the bank isn't so john the analyst can sit in a coffee house and look at things, its so when people are traveling or living outside of an area with a banking office, that they are still able to do their job, and the need does arise for that situation. unless you work directly in the banking industry i doubt you'd see the need for it, so i'm not going to try and convince people that its needed, but the truth is, its what goes on, its not by any means a stretch and i'd be willing to bet that most companies, even non bank companies have people doing the same.

Re:why was it even there?

[v1]

there is also a difference from sitting in a public place analyzing customer information, and having it at your house

The most important difference being a false sense of security you get in being at home. Little consolation to the millions of people that you will be making have a "very bad day" for the next several months. Does it really matter if it gets stolen from your house, or forgotten at a rest stop on the way home, left on the roof of the car as you drive off, or forgotten in your car when you get home from work and stolen with your car that night? It's really no safer in your "protection" than it is at the keosk, the keosk just gives you a greater awarenss of your vulnerability.

furthermore chances are 9 out of 10 the person stealing the laptop will have no idea that its even on there

That flies about 32 inches when you realize that only a small percentage of the damage is done by the information getting into the wrong hands. The greatest damage is that you have exposed 3 million people to the risk of identity theft. The cost that could place on your company to have to provide free credit report monitoring for the next three years on the 1 million or so that request it is probably a lot more than all the fraud that will be cost to the people on that list. Once you lose track of the information in the first place the damage has been done.

unless you work directly in the banking industry i doubt you'd see the need for it

You are dealing with customer information. To be quite honest, I see banking as one of the lower-damage areas. If you were say, a psychiatrist or a doctor I could see much much greater damage being inflected than losing a few bucks. An extortionist with patient records could make out a lot better than a basic thief with some checking account numbers.

I would love to hear a good example or two of why someone that works at a bank needs to take live, authentic customer information home. If you are coding then you should be using test data. (really you should be doing your work at work, see below) If you are doing some number crunching, then you should be doing that at work. If you have more of that work to do than hours in the day then your business needs to hire more help, the company is turning a blind eye to your dangerous behavior and allowing you to work from home because it is saving them a buck. If you are taking work home to get more done than Bob and Julie at work trying for the same promotion as you, then you are risking customer information for your own personal gain. I don't see a single valid reason to take that data home.

I seriously hope you are not one of the people keeping track of my bank records. Sadly, your take on the situation is not at all uncommon, so I guess a lot of us are on thin ice as a result. You are relying on good luck to protect the data, just slightly lowering the odds it is stolen rather than using an appropriate amount of defensive behavior. The world is not a nice place. If you put your wallet on the front porch it is likely to get stolen. Placing a pail over it so you feel more safe is not helping much. Put it back inside where it's actually safer.

What they're doing is breaking the law.

[Colin+Smith]

"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

From the UK Data Protection Act 1998.

If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.

Re:What they're doing is breaking the law.

[eipgam]

No, it won't be a lot of money. Breaches of the data protection act are essentially treated with a slap on the wrist, it's pathetic. Hopefully this will make the Information Commissioner actually do something at last, especially after the recent incident of banks simply throwing away sensitive customer details in the normal waste (sans shredding).

Re:What they're doing is breaking the law.

[jimicus]

Nationwide are one of the few remaining building societies in the UK. This means that they're effectively a co-operative owned by their members rather than a bank.

Not that they would - the DPA isn't that heavily enforced - but I don't want them facing a fine that size. My mortgage is with them and the last thing I need is for them to foreclose everyone's mortgages to pay off a fine.

Re:What they're doing is breaking the law.

Not that they would - the DPA isn't that heavily enforced - but I don't want them facing a fine that size. My mortgage is with them and the last thing I need is for them to foreclose everyone's mortgages to pay off a fine.

HA HA! We can break the law 11 million times ... and its OKAY CAUSE WE OWN YOUR HOUSE TOO!! -Nationwide

Public Key Infrastructure ?

at least here in germany, banks do not use PKI extensively for communications with "normal" people.

now i am wondering:

a) do they have an extensive PKI in other countries ?
b) would that prevent identity theft as the bank laptop could only contain public keys ?

Re:Public Key Infrastructure ?

[gilgongo]

I sometimes wonder when, or if, it will become necessary for ordinary people to understand PKI as part of their everyday lives, in the same way as they understand how to drive, the rudiments of the taxation system and the stock market.

Surely there has to come a time when the issue of identiry theft has to be tackled in some reasonably effective way, not simply buck-passing from bank to customer to insurance provider to government, as is the case right now?

The directors *are* liable to a fine

[Colin+Smith]

Up to £5000 per offence. With 11 million offences they should probably have taken security a bit more seriously.

Re:The directors *are* liable to a fine

Unfortunately this is just one offence - losing one database you see. £5000 fine, bargain really.

Re:The directors *are* liable to a fine

[jimicus]

And if it only happens occasionally, then the cost of rolling out encryption to every laptop owner (it's not just software cost, you've got to train them in something which most people have no understanding of whatsoever) seems absurdly expensive.

UK banking laws will protect customers, but...

[AmiMoJo]

In this regard, UK banking laws are actually quite good. Customers of the building society will not loose out financially if any fraudulent activity happens on their account. However, it's the secondary effects that are the problem.

Someone takes out a loan with your bank account details. Problem is discovered. You waste time and effort fixing it. Bank and loan company waste time. Loan amount is lost to criminal. Loss results in higher rates and charges for everyone. Who will pick up the bill? Not the bank, that`s for sure, it will be the customers in the end.

There *is* a penalty

[Colin+Smith]

Up to £5,000 fine per offence against the Data Protection Act. 11 million records, 11 million offences. Directors are liable and the company is liable to cover any damages incurred, plus damages for distress inflicted.

Re:There *is* a penalty

[Fnkmaster]

Yeah, but how is it actually enforced? That's the real issue.

Still you guys over in the UK seem to be a bit ahead of us here in the US on this issue...

Probably the same gig as in the u.s.

[unity100]

some sources get the confidential information about some people, then they will use this to entice these people to do their bidding. election fraud maybe ? politics ?

How is it

[JustNiz]

That this is even possible?
Its very worrying that even banks don't seem to understand the very basics about security, especially after other financial companies have already experienced the same kinds of security breaches. Don't they ever read the news? or learn for others mistakes?

Stupidity and Ego

There is a lot of stupidity and ego in IT and probably all businesses. There are people working in IT departments for 20+ years in programming related positions, who do not know how to program in ANY language. Having access to production data is considered a privilege that comes with seniority. Having update access to production is even higher in the totem pole. Having all production data on your data must have been considered priceless.

BTW ego does not affect only "old" people. Recently talked with a young whippersnapper, who seems to look down upon all programming languages! He seemed to imply that the only thing anybody needs is a database.

Don't hurt the bottom line

[ITI_guy]

If it's cheaper for a financial institution to have a great identity theft/fraud/security breach/data misplacement/dumbass employee insurance policy than to actually protect the their data why should they care? This is a problem that's not going away, eventually the public will be dumbed down enough when this keeps happening it won't even be big news any more.

Re:Don't hurt the bottom line

[dirvine]

From a PR point of view how many new folk now know of the Nationwide - now news is bad news for marketeers. Sad but true - they state they will reimburse any losses - thats a good marketing statement - come to us we may loose your data - but we will cover you ass

Utter tosh

[mccalli]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.

Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.

I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks who's area of expertise isn't computing - they're banks remember?

There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.

Cheers,
Ian

Re:Utter tosh

[segedunum]

Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.

Thinking mainly ;-). "Should I take this money laundering database home with me on my laptop, that contains details on hundreds of thousands of customers? Errrr, no. I don't think I will." That sort of thing.

I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools.

Some? You haven't got around enough.

There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed.

Very few laptops or desktops in many companies are set up like that; even in banks ;-). Regardless of whether encryption was or wasn't used, there is simply no reason to take that data out of the building and leave it lying around. Many companies, and even banks, simply have VPN's for people to dial into so they can get access to data out of the office that way.

Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details.

Given that Nationwide have reported this then it's safe to assume it's at least a large proportion of customers and their account numbers. This is called covering their backside. If it was just a subset of data that was essentially useless then it would have been hushed up, as it usually is, while hoping no brown stuff hits the fan.

Re:Utter tosh

[KZigurs]

Hi guys,

Just wanted to let you know that I haven't contracted for any UK or USA financial institution whatsoever, directly or indirectly.

Thought ya might want to know, you know...

Re:Utter tosh

[Douglas+Goodall]

I like where he says: I used to work with UK banks, They can't attract anybody with any intellect. Then simple logic says, poster == intellect not

Jumping the gun?

Why was the information on the laptop not encrypted?"

Where in the article did it say that the information wasn't encrypted? I'm not asking this in defense of the bank or its practices, but because I've read the article twice, and I can't find it.

I wouldn't be surprised if it was or wasn't. The point here is that you've stated fact without citing the source. The article covers a serious problem and by asking this, without support, you're at risk of changing the issue.

Interesting indeed...

[SeaFox]

This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?

I'm so happy my bank uses high-tech data security on it's computer systems: they talk about it in this little pamphlet I got when I opened my checking account... It does so much good when my account information is on a laptop being used as a tray to sort seeds and stems at some employees house!

Oblig. Seinfeld

[SeaFox]

JERRY: So the door was wide open?

KRAMER: Wide open!

JERRY: [Elaine enters the living-room] And where were you?

ELAINE: I was at Bloomingdale's...waiting for the shower to heat up.

KRAMER: Look, Jerry, I'm sorry, I'm uh, you have insurance, right buddy?

JERRY: No.

KRAMER: [looks shocked] How can you not have insurance?

JERRY: Because...I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED!

I have had similar experiences

Large businesses that track all kinds of customer information often make use of other businesses for various types of technical service. I have worked in places that maintain databases and interface applications for such large businesses. The kind of information that has come across my desk is astounding. Huge databases full of account numbers, social security numbers, pay scale information, addresses, birth dates, names, even passport numbers, you name it. Of course, as the poster did, I diligently delete copies of these databases as soon as my work is done, and I also provide data obfuscation scripts (which they only sometimes remember to run before giving me access to the data), but it only takes one mistake for this information to get out on the black market and be exploited.

Security theater is the present norm. Businesses insist that they take reasonable precautions, but they in fact do not. I have seen the weakness of "reasonable precautions" first-hand, over and over again. It is a bad situation, and it will only get worse.

Actual effective "reasonable precautions" are just too expensive, too time-consuming, and too cumbersome. They will not be implemented so long as the people in a position to implement them are not outright forced to do so.

I didn't used to be a cynic. Really I didn't. But then I saw the industry from the inside.

You're wrong - AFAIK it's a criminal offence

[cheros]

Nationwide is a UK business and thus subject to the UK Data Protection Act 1998. In chapter 9.5 of the UK Data Protection Act 1998 it defines this specific data loss as unlawful, and AFAIK this is a criminal offence for which the Directors get hit unless they can prove some poor schlob didn't do his job properly.

However, that doesn't quite get them off the hook if it can be demonstrated that the directors were negligent in enforcing the rules.

So, it's not a la Microsoft, pay the fine and try again - a criminal offence creates a criminal record, and it is destined to land in a person's lap, not a 'corporation'.

IANAL, though.

I guess the coverage will help..

[cheros]

If the guy doesn't know by now he's not very world aware (story on BBC and probably in newspapers). I think his price just went up..

Why are people so stupid?

Why the hell are the customers' records kept on a laptop? All that information should be kept on a secure server. If you need to access customer data, you should have secure, in-house, client software to access the data so that it never resides on any machine aside from the server itself.

And the right question is...

[adsl]

Why does "Bank" employee need all 11mm customer records downloaded onto a Laptop and taken home? Such wholesale downloads should NOT be allowed as they neceasarrily but the confidential data at HUGE risk.

Re:And the right question is...

Learn to read. Where does it say all 11m were taken?

Laptops should connect via RDP over SSH or VPN

There should be NO local data on a laptop, or even a PC, in situations like these. It is possible to move entire infrastructures onto server-based computing now, and present any critical data only over a secure connection with no local storage. This one move would instantly eliminate all of these data theft problems where data resides on one or more endpoints of a corporate network.
 
Can't work if you are offline? Nonsense. In a world of widely available WiFi hotspots, EV-DO and GRPS cell phone access this is no longer an issue and the price of those connections in the occasional cases they are needed is an ounce of prevention much easier to swallow than a pound of class action lawsuits.

waiting 3 months

[teslar]

The theft happened three months ago, why has the news only just been made public?

Uhm... so the thief gets a chance to format the disk and sell the laptop on, not bothering about the data on it, before Nationwide tells him that he's stolen a potential goldmine?

This was a good decision, it probably stopped the data from actually being misused.

Media Speculation

[HammerHead2000]

It should be highlighted that a lot of this is media speculation. Nationwide did not deny that 11 million customer records were on the laptop, but they did not confirm it either - I know it makes a good headline but sensationalism should be avoided until the facts are known.

The truth is probably that Nationwide just doesn't know exactly what they've lost.

Profit!!

[RAMMS+EIN]

1. Withdraw all money from account

2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.

3. Profit!!!

Nationwide Chief Executive on Today

Nationwide Chief Executive Philip Williamson puts all of our minds at rest:

http://www.bbc.co.uk/radio4/today/listenagain/ram/ today3_nationwide_20061118.ram

EDITOR!!!

number is a part of PIN!

Whats worse than having it stolen...

[zug82]

Would be everybody who stole a laptop that day knowing they could have hit the jackpot. 3 months down the line the things going to have been wiped clean and maybe passed on. Atleast this way theres less chance of anything "useful" being found out. Pushing the boat a little further I'd also guess they have some form of security on the laptop end, lets just hope the password isn't "Admin" ^^

11 million confirmed email addresses?

[choongiri]

I used to have an account with Nationwide... and they had my email address. I always use separate throwaway addresses for each company I give information to, so I'll be watching my spam folder to see if I get more spam to that address now.

The source of the problem

[Mondor]

All these questions about "why was it possible or necessary" to store unencrypted data in employees computer, have a simple answer - MSDE.

Of course the only method for storing 11M records in business application is relational database engine. Of course, bank is using Windows. Of course, they are using SQL server and Microsoft-advertised model of making a corporate software.

This model requires every disconnected (i.e. notebook, "on road" user) to have "mobile" version of SQL server, and retrieve a new snapshot of the database every time user connects to branch office network.

I assume, that they were using older MSDE, not newer SQL 2005 engine, which supports data encryption. And even if they would use 2005, they wouldn't use encryption, because in that case "performance" suffers.

So the source of the problem, for me, looks like the problem of software architect, who puts the performance above security. Who thinks about security only after fried chicken bites his ass. And, of course, taking the Microsoft development model blindly, without using his own brain.

Encryption

It doesnt cost that much.

If you can't trust your bank and can't know if anyone else is better.......
IMO they should be fined Per customer record lost to a third party, may motivate them to encrypt their laptops.

Which for whatever reason needed 11,000,000 records on it, at home.

Re:Encryption

For crying out loud, how many times...? Nobody knows how much data was on the laptop, and Nationwide aren't saying anything (see, they're neither confirming nor denying anything). Just because they've got 11 million customers does not automatically imply that the laptop contained details of all those customers.

Incorrect

[cheros]

As much as it pains me to defend MS, this has zero to do with the OS, and everything to do with process.

(1) those files hould have NEVER gotten out of the door. Full stop, no if, no but, no maybe. Should. Not. Have. Left. The. Building.

(2) the oink that had them should have no need to work with real data. Real data should be processed inhouse (see point 1) andor transported with protection. Real data is NOT a development/test tool.

Only after all of the above do you start thinking about the conditions under which this data may possibly travel and may be used for otherpurposes (which, incidentally, would be potentially another violation of the UK Data Protection Act 1998 as usage is defined at the point of collection - it cannot be changed later without explicit permission of the provider, i.e. you). Even with MS you can encrypt matters to a sensible degree (or install Truecrypt, but that seems to equate to 'hassle' until it goes wrong).

There is no excuse for negligence.

Re:Incorrect

[Mondor]

I'm sorry, but scenario in which confidential data does not leave the building is unrealistic.

Such data as personal financial information, social security number and so on, does not have such sensitivity, that it shouldn't be transferred even by means of SSL. If you're using internet banking, you know it.

And I didn't say the problem is in OS (operating system) - the problem is in software architecture, and by software I mean that corporate software that is working with company data and was written solely for this purpose.

Indeed, using XML web services or similar technology allows you to work with data without them leaving the headquarters. However, there is not always internet connection available (although I believe that use of the GPRS wouldn't be so costly for that bank), so they're probably using personal copies of the database. And the problem is not in using that copies, but in wrong implementation of the concept, which allows stealing of all the company customers personal data.

I think I don't even need to comment, that chances are low that bank would use TrueCrypt, just because it's OS (open source) and free. And PGP doesn't work on 64-bit systems yet. And NTFS encryption is flawed. And taking into account that the whole work is going on notebook, any software encryption would make the work with so large database ... unpleasant.

Re:Incorrect

[cheros]

Hmm,
 
  Such data as personal financial information, social security number and so on, does not have such sensitivity, that it shouldn't be transferred even by means of SSL. If you're using internet banking, you know it.
There's a difference of scale here. If someone decrypts a recording of that session (not impossible but hard work) they will get ONE (1) account. I imagine phishing to be more successful. Grabbing the data off that laptop is much more useful as it can help with mass compromise, and the return on effort is thus MUCH higher.
 
  so they're probably using personal copies of the database. And the problem is not in using that copies, but in wrong implementation of the concept, which allows stealing of all the company customers personal data.
No, no, no. If you're the treasurer, do you walk around with all the bonds in your briefcase just in case you'd need them? There are so many ways in which confidential data can be contained and it starts with identifying the very need in the first place: is it really required to have real data? Maybe for someone working with customers, yes, but for software dev purposes live data should not even be used (depending on the data it can even be considered a breach of the UK Data Protecion Act as 'testing' is generally not given as a reason to collect information). Secondly, if you DO need live data, do you (a) really need it outside the building and (b) do you need all of it or can you carry a subset that will allow you to work but not expose the lot. Thirdly, if you DO wander around with live customer data, how long do you need it for? You're not 100% outside, and if you do you need to protect that data.
 
  I think I don't even need to comment, that chances are low that bank would use TrueCrypt, just because it's OS (open source) and free. And PGP doesn't work on 64-bit systems yet. And NTFS encryption is flawed. And taking into account that the whole work is going on notebook, any software encryption would make the work with so large database ... unpleasant
 
You're missing the point, or maybe I didn't make myself clear enough. The observation was that you require at least the basics of encryption, product names were merely as examples. NTFS encryption is flawed, yes, but even that gives at least SOME protection from someone spinning up a boot CD and grabbing the data. Having said that, good corporate encryption could not be using Truecrypt unless they can back up the data in the clear as they would be at risk of breaking the Regulation of Investigative Powers Act (RIPA) 2000. They will use a system that has a multiple parts masterkey so data can be recovered, but without the risk of a sole administrator doing that (hence the multiple parts). So, to summarise, this data should not have been in the clear, full stop. If the encryption overhead is too much that's a good incentive to keep the dataset small or stay in contained environments.
 
Oh, and before I forget, that they didn't lose all the details is hardly reassuring, a bit of mosaic matching with other 'creatively discovered' information is all that is needed to complete the set.

Re:Incorrect

[Mondor]

Imagine a manager who is traveling to the middle of nowhere with his notebook, where his customers live. There is no internet. He needs some data for his corporate software. But what I meant with architecture flaw, is that he doesn't need the data of all customers of his organization in his notebook. He needs just a few records.

Also, if this is a bank, then probably his notebook and software must correspond to PCI standards. In that case stealing of information is very difficult.

Re:Incorrect

OK lets take this back a step and put some sense to this.
1) I am a customer of this Building Society and I have been assured that the laptop was encrypted.
2) I am also told that this theft was reported to the police and the Financial Services Authority immediately not kept top secret as appears to have been suggested previously.
3) I am also told that it was not common practice for the employee to take home a laptop and certainly not one with such information on so the chances are that this was an opportunistic theft. So the low life that stole it most likely hasn't got a clue what he has.
4)Finally everyone on here is crucifiying the company and appear to be overlooking the fact that some little toe-rag committed a crime!! But that seems to be OK as long as there is a big company to have a go at.

Ethical?

[16K+Ram+Pack]

Surely you jest.

Google for "co-op party" sometime. They'll tell you about all the Labour MPs that they funded. You know, the people who voted for the war in Iraq.

WTF was this bank playing at?!?

[cardboard_boxA]

Are they ******* stupid? How could they of overlooked this?

Is there a point for such a comment?

[jotaeleemeese]

Every idiot and their dog could post something saying "my bank is the greatest thing since sliced bread was first buttered".

Since they are providing no evidence and most likely they have none (unless you work in the bank you can't really vouch for their internal security procedures), they only safe assumptions to make is that they are a shill or talking out of there where the Sun sines rarely, if ever....

Nowadays there is no reason.

[jotaeleemeese]

There is absofuckinglutely no reason whatsoever to have real record of clients in a laptop.

Most situations that require access to data of clients can be covered by remote access tools over a VPN of some kind so you only get back to you a display and nothing else.

Putting confidential data in a laptop is relying on one key or password in order to access the data, you are making it easier to steal the data for any interested parties by removing physical restraints to access the data, you could as well open your datacentre to anybody that wanted access....

We of us do get it.

I work in a big bank in the UK, and let me tell you that a bozo having data like that in a laptop would have his ass out of the door faster than you can say "I am an idiot, please fire me".

At least where I work it is made very clear to all of us that such practice is unnaceptable, but you will always get the bozo that thinks he is too clever (or, touch wood, outright malicious), and even with the best policies in place you can't police all the people all the time.