UK Bank Laptop Stolen With 11M Customer Records
daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"
It's a mutual building society, so firstly it is not a bank anyway. Secondly it cannot just be bought out unless a majority of its current customers vote that way. The Nationwide, in line with most of the other remaining building societies in the U.K., have made the process of de-mutualization much harder in recent years. It is therefore unlikely that it could be bought out by anyone.
TFA does not say that the laptop had information on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not PINs, balances or passwords.
More information:
http://www.nationwide.co.uk/security/news_and_alerts/
This was a domestic burglary, there's a chance that the thief has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits on that disk.
Not to say they should not presume the worst and react accordingly of course.
You will forget this sig before you next see it
If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies).
I don't read your sig. Why are you reading mine?
Because some people conduct their business very incompetently.
I work for a Swiss bank. All notebook hard disks are encrypted by default. There is no way our employees could get access to the customer database to replicate data!!! The Swiss banking law is rather harsh on such issues. For the employee as well as the bank.
In the end, you have to severely punish enterprises for being lax with customer data. The loss of reputation is not incentive enough. It has to hurt so that execs decide to recognize the issue.
Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.
Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.
I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks whose area of expertise isn't computing - they're banks, remember?
There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.
Cheers,
Ian
The bit about identification numbers is actually true. In Estonia, everyone's [1] SSN can be looked up from a public LDAP directory (ldap://ldap.sk.ee). The SSN is used, as you said, only for identification. There are however some people who view it as a security hazard, but the same people can't tell the difference between identification and authorization...
[1] - Everyone who's been issued an ID Card; that is, about 90% of the population.