Slashdot Mirror


UK Bank Laptop Stolen With 11M Customer Records

daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"

7 of 184 comments

  1. a reason to SMILE by cliffski · · Score: 3, Interesting

    Another good reason I use smile (www.smile.co.uk). They have great customer service (best I've encountered), reasonable interest rates, a great, usable website, and are consistently ranked the top UK bank for security. On top of it all, they are an ethical bank who restrict where they invest your cash.
    It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.

    --
    DRM-free indie games for the PC and Mac: Positech Games
    1. Re:a reason to SMILE by Anonymous Coward · · Score: 2, Interesting

      How do you know that this couldn't happen to them?

      Seems like you're nothing but a petty shill.

  2. Suck it up by Toby+The+Economist · · Score: 3, Interesting

    Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.

    However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? Quit? If your mortgage is with your bank and they lose your account information, are you going to change bank?

    Because there is basically, when all is said and done, no *real* pain for organisations, for losing information, there is no *real* need for them to understand security enough for these data losses to stop.

    So suck it up!

    Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/received from my own home-run POP/SMTP server.

  3. Re:worrying questions by cloricus · · Score: 1, Interesting

    This probably shows how much of a geek I am compared to you but 11 million records...So say a name, an address, several series of numbers and general info...That is a hell of a lot of plain text. When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

    --
    I ate your fish.
  4. why was it even there? by v1 · · Score: 1, Interesting

    What does any employee of that bank need with the entire customer database? If he is doing work, he should be doing it at work not at home.

    How many of this business's employees have full access to the entire customer database with account numbers?

    Is it company policy to allow employees to take business records home at all? Or for that matter, is it even within company policy to bring your own personal laptop into the building?

    So, what policies were broken, what policies are being changed, and what's not going to be fixed so that it just happens again?

    --
    I work for the Department of Redundancy Department.
  5. Re:worrying questions by Fastolfe · · Score: 2, Interesting

    This is absolutely insane. You do not need a full account database in order to do a project. A project like this should have a test database that contains bogus customer information for testing purposes. I work for a major telecommunications company on our billing-related application team, and I have never seen or heard of our developers doing things like this.

    I can understand, though, how some smaller companies may not have the resources to do things like this properly, but for the benefit of other readers, not everyone handles customer data the way you/your client did here.

  6. Profit!! by RAMMS+EIN · · Score: 2, Interesting

    1. Withdraw all money from account

    2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.

    3. Profit!!!

    --
    Please correct me if I got my facts wrong.