UK Bank Laptop Stolen With 11M Customer Records
daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago; why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"
This story raises a number of worrying questions:
The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?
I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).
What 'identity theft' really means is that the methods the financial industry uses to identify people are broken. Whenever the govt holds hearings on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.
That is the one question that doesn't step on internal business processes, data, or procedures.
With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.
I do not fail; I succeed at finding out what does not work.
The Data Protection Act requires that businesses and individuals take precautions to protect personal data.
People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.
It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.
allow the use of 4 gig thumb drives.....
Oh wait, did I say "don't"?
We need to implement the death penalty for this sort of thing.
Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.
See you in 11000000/365 = about 30,000 years!!!
Seven puppies were harmed during the making of this post.
Well, this is one of those cases where government intervention would actually be useful. If there were a mandatory penalty of $10 per record lost, plus the requirement that the company covers identity theft protection insurance for at least 2 years for all affected customers, well, you wouldn't ever see 11 million records leave the office, period.
When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.
Nobody's suggesting it couldn't happen to them, but you may want to check their website and see just how obsessed they are with security. However, this doesn't mean those silly systems where you get a random number through the post and have to input various digits every now and then, which you promptly forget. Their security is simple but effective. Coupled with great customer service, I can totally see where the original poster is coming from.
And hey - how many other banks have two rabid fans that are prepared to stand up and say 'Hey, my bank's great!' for no reason at all other than they've had a great customer experience? Yeah, so I guess it's very nearly off-topic, but there you go. Online banking is a valid alternative to places like Nationwide, and because they're on the internet security seems to be more of a concern for these banks.
"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
From the UK Data Protection Act 1998.
If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.
The poster made an unsubstantiated claim - that this bank was better than other banks in terms of security, and implied that this incident could never happen to them.
His post is basically an advertisement. Hence, accusing this person of being a shill (not saying that he was indeed one) is a valid accusation.
You're pathetic for trying to reduce everything down to "isms".
Large businesses that track all kinds of customer information often make use of other businesses for various types of technical service. I have worked in places that maintain databases and interface applications for such large businesses. The kind of information that has come across my desk is astounding. Huge databases full of account numbers, social security numbers, pay scale information, addresses, birth dates, names, even passport numbers, you name it. Of course, as the poster did, I diligently delete copies of these databases as soon as my work is done, and I also provide data obfuscation scripts (which they only sometimes remember to run before giving me access to the data), but it only takes one mistake for this information to get out on the black market and be exploited.
Security theater is the present norm. Businesses insist that they take reasonable precautions, but they in fact do not. I have seen the weakness of "reasonable precautions" first-hand, over and over again. It is a bad situation, and it will only get worse.
Actual effective "reasonable precautions" are just too expensive, too time-consuming, and too cumbersome. They will not be implemented so long as the people in a position to implement them are not outright forced to do so.
I didn't use to be a cynic. Really I didn't. But then I saw the industry from the inside.
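The poster above mentions supplying data obfuscation scripts that the client is supposed to run before handing over a database. The following is an added example of what such a script can look like, not the poster's own script: it pseudonymises direct identifiers with a keyed HMAC (so rows still join across tables but cannot be reversed without the key), redacts names, and generalises dates of birth and postcodes. The sample export, field names and key are all constructed for this example.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample export, modelled on the field types the post lists
# (account numbers, national-insurance-style ids, names, dates of birth).
SAMPLE_EXPORT = """\
account_no,name,nino,dob,postcode,balance
12345678,Alice Example,AB123456C,1979-03-14,SW1A 1AA,1523.40
87654321,Bob Example,CD654321E,1985-11-02,M1 1AE,-220.00
"""

# Hypothetical per-engagement secret. It stays with the data owner, never with
# the contractor, so the tokens cannot be mapped back to real customers.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

DIRECT_IDENTIFIERS = ("account_no", "name", "nino")


def tokenize(value, key=PSEUDONYM_KEY):
    """Deterministic keyed token: same input gives same token, but no key, no reversal."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def obfuscate_row(row):
    out = dict(row)
    out["account_no"] = tokenize(row["account_no"])
    out["nino"] = tokenize(row["nino"])
    out["name"] = "REDACTED"
    out["dob"] = row["dob"][:4]                    # keep year of birth only
    out["postcode"] = row["postcode"].split()[0]   # outward code only (area, not address)
    return out


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def obfuscate_export(text):
    reader = csv.DictReader(io.StringIO(text))
    rows = [obfuscate_row(r) for r in reader]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def leaks_identifiers(original, obfuscated):
    """Check that no raw direct identifier from the input survives in the output."""
    return any(r[f] in obfuscated for r in parse_export(original) for f in DIRECT_IDENTIFIERS)
```

The `leaks_identifiers` check is deliberately crude; its point is that the owner can verify the script actually ran before the file leaves the building, which the poster notes clients "only sometimes remember" to do.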
I've seen people stealing these out of letterboxes before now on our estate. I can't personally think of any other useful reason to pinch a gas bill, unless you've been dumpster diving or have bought a laptop for £50 with 11 million account numbers on it.... Since the postie doesn't deliver until midday in many locations, and since it's easy to stick your fingers in a floor level letterbox and fish the mail back out again, it's amazing anyone accepts a utility bill as proof of ID. All it is is proof you have access to the mailbox of that address.