UK Bank Laptop Stolen With 11M Customer Records
daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"
This story raises a number of worrying questions:
The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?
I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).
What 'identity theft' really means is that the methods the financial industry uses to identify people are broken. Whenever the govt holds hearings on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.
That is the one question that doesn't step on internal business processes, data, or procedures.
With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.
Thank god I have only £30 in my Nationwide account.
If this were really happening, what would you think?
Another good reason I use smile (www.smile.co.uk). They have great customer service (best I've encountered), reasonable interest rates, a great, usable website, and are consistently ranked the top UK bank for security. On top of it all, they are an ethical bank who restrict where they invest your cash.
It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.
The Data Protection Act requires that businesses and individuals take precautions to protect personal data.
How can companies with so many resources consistently be so incompetent? This isn't the first time we've heard about the loss of many customers' details needlessly and inexcusably.
Is it just that no matter how much money you throw at the problem, basic security procedures, such as not taking home your entire customer base's details on a laptop, are going to be ignored by certain members of staff? If this is the case, how can we begin to make these people listen? Would jail time for anyone releasing this kind of information through negligence make everyone a bit more careful about what they do, or would even that not stop people this utterly stupid and ignorant? Perhaps targeting the companies would be more fruitful, such as a decent amount of compensation paid to everyone involved in this kind of data leak; would that then make companies a bit more careful about avoiding employing people who are likely to make this kind of idiotic mistake? 11 million customers being compensated even £100 each would be a massive financial blow to a company, surely enough to make them avoid such a catastrophic mistake? Of course this does also lead to the question: should a company be brought to near bankruptcy for the mistake of a single employee?
I think this UK Bank wants to be bought out by a US bank by advertising that they can dump customer data just like the US Banks.
Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.
However, we all carry on using their services because we're stuffed if we don't. If your university loses your details, what are you going to do? Quit? If your mortgage is with your bank and they lose your account information, are you going to change bank?
Because there is basically, when all is said and done, no *real* pain for organisations for losing information, there is no *real* need for them to understand security enough for these data losses to stop.
So suck it up!
Personally, I'm trying to get out from under. I gave up my mobile phone last week; I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/received from my own home-run POP/SMTP server.
Well, £100 fine per lost record would be a good first step.
People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.
It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.
allow the use of 4 gig thumb drives.....
Oh wait, did I say "don't"?
We need to implement the death penalty for this sort of thing.
Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.
See you in 11000000/365 = about 30,000 years!!!
Possibly for the simple reason that many people don't see the "big picture" and have no idea of the risk they are exposing themselves to.
.. this is worrying, but it's probably not quite enough to take out finance/credit cards etc. My local store requires, if you're doing finance, proof of ID such as driving licence or passport, and also a recent household bill.
TFA does not say that the laptop had information on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not PINs, balances or passwords.
More information: http://www.nationwide.co.uk/security/news_and_alerts/
This was a domestic burglary; there's a chance that the thief has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay', unaware of what sits on that disk.
Not to say they should not presume the worst and react accordingly, of course.
What does any employee of that bank need with the entire customer database? If he is doing work, he should be doing it at work not at home.
How many of this business's employees have full access to the entire customer database with account numbers?
Is it company policy to allow employees to take business records home at all? Or for that matter, is it even within company policy to bring your own personal laptop into the building?
So, what policies were broken, what policies are being changed, and what's not going to be fixed so that it just happens again?
FYI
m - milli = 0.001
k - kilo = 1 000
M - mega = 1 000 000
I consider local namings/conventions a sort of slang that should not be used in a global forum.
"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
From the UK Data Protection Act 1998.
If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences, which is currently a fine of up to £5,000 per offence, with directors being liable. With potentially 11 million offences that could add up to a lot of money.
Up to £5000 per offence. With 11 million offences they should probably have taken security a bit more seriously.
In this regard, UK banking laws are actually quite good. Customers of the building society will not lose out financially if any fraudulent activity happens on their account. However, it's the secondary effects that are the problem.
Someone takes out a loan with your bank account details. Problem is discovered. You waste time and effort fixing it. Bank and loan company waste time. Loan amount is lost to the criminal. Loss results in higher rates and charges for everyone. Who will pick up the bill? Not the bank, that's for sure; it will be the customers in the end.
Up to £5,000 fine per offence against the Data Protection Act. 11 million records, 11 million offences. Directors are liable and the company is liable to cover any damages incurred, plus damages for distress inflicted.
Some sources get the confidential information about some people, then they will use this to entice these people to do their bidding. Election fraud, maybe? Politics?
That this is even possible?
It's very worrying that even banks don't seem to understand the very basics about security, especially after other financial companies have already experienced the same kinds of security breaches. Don't they ever read the news? Or learn from others' mistakes?
If it's cheaper for a financial institution to have a great identity theft/fraud/security breach/data misplacement/dumbass employee insurance policy than to actually protect their data, why should they care? This is a problem that's not going away; eventually the public will be dumbed down enough, when this keeps happening, that it won't even be big news any more.
Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.
Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.
I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks whose area of expertise isn't computing; they're banks, remember?
There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.
Cheers,
Ian
I'm so happy my bank uses high-tech data security on its computer systems: they talk about it in this little pamphlet I got when I opened my checking account... It does so much good when my account information is on a laptop being used as a tray to sort seeds and stems at some employee's house!
JERRY: So the door was wide open?
KRAMER: Wide open!
JERRY: [Elaine enters the living-room] And where were you?
ELAINE: I was at Bloomingdale's...waiting for the shower to heat up.
KRAMER: Look, Jerry, I'm sorry, I'm uh, you have insurance, right buddy?
JERRY: No.
KRAMER: [looks shocked] How can you not have insurance?
JERRY: Because...I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED!
Large businesses that track all kinds of customer information often make use of other businesses for various types of technical service. I have worked in places that maintain databases and interface applications for such large businesses. The kind of information that has come across my desk is astounding. Huge databases full of account numbers, social security numbers, pay scale information, addresses, birth dates, names, even passport numbers, you name it. Of course, as the poster did, I diligently delete copies of these databases as soon as my work is done, and I also provide data obfuscation scripts (which they only sometimes remember to run before giving me access to the data), but it only takes one mistake for this information to get out on the black market and be exploited.
Security theater is the present norm. Businesses insist that they take reasonable precautions, but they in fact do not. I have seen the weakness of "reasonable precautions" first-hand, over and over again. It is a bad situation, and it will only get worse.
Actual effective "reasonable precautions" are just too expensive, too time-consuming, and too cumbersome. They will not be implemented so long as the people in a position to implement them are not outright forced to do so.
I didn't used to be a cynic. Really I didn't. But then I saw the industry from the inside.
Nationwide is a UK business and thus subject to the UK Data Protection Act 1998. In chapter 9.5 of the UK Data Protection Act 1998 it defines this specific data loss as unlawful, and AFAIK this is a criminal offence for which the Directors get hit unless they can prove some poor schlob didn't do his job properly.
However, that doesn't quite get them off the hook if it can be demonstrated that the directors were negligent in enforcing the rules.
So, it's not a la Microsoft, pay the fine and try again - a criminal offence creates a criminal record, and it is destined to land in a person's lap, not a 'corporation'.
IANAL, though.
If the guy doesn't know by now he's not very world aware (story on BBC and probably in newspapers). I think his price just went up..
Why does a "Bank" employee need all 11mm customer records downloaded onto a laptop and taken home? Such wholesale downloads should NOT be allowed as they necessarily put the confidential data at HUGE risk.
Uhm... so the thief gets a chance to format the disk and sell the laptop on, not bothering about the data on it, before Nationwide tells him that he's stolen a potential goldmine?
This was a good decision, it probably stopped the data from actually being misused.
It should be highlighted that a lot of this is media speculation. Nationwide did not deny that 11 million customer records were on the laptop, but they did not confirm it either - I know it makes a good headline but sensationalism should be avoided until the facts are known.
The truth is probably that Nationwide just doesn't know exactly what they've lost.
I sometimes wonder when, or if, it will become necessary for ordinary people to understand PKI as part of their everyday lives, in the same way as they understand how to drive, the rudiments of the taxation system and the stock market.
Surely there has to come a time when the issue of identity theft has to be tackled in some reasonably effective way, not simply buck-passing from bank to customer to insurance provider to government, as is the case right now?
1. Withdraw all money from account
2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.
3. Profit!!!
Please correct me if I got my facts wrong.
I used to have an account with Nationwide... and they had my email address. I always use separate throwaway addresses for each company I give information to, so I'll be watching my spam folder to see if I get more spam to that address now.
All these questions about "why was it possible or necessary" to store unencrypted data on employees' computers have a simple answer: MSDE.
Of course the only method for storing 11M records in a business application is a relational database engine. Of course, the bank is using Windows. Of course, they are using SQL Server and the Microsoft-advertised model of making corporate software.
This model requires every disconnected (i.e. notebook, "on the road") user to have a "mobile" version of SQL Server, and to retrieve a new snapshot of the database every time the user connects to the branch office network.
I assume that they were using the older MSDE, not the newer SQL 2005 engine, which supports data encryption. And even if they used 2005, they wouldn't use encryption, because in that case "performance" suffers.
So the source of the problem, for me, looks like the problem of a software architect who puts performance above security. Who thinks about security only after a fried chicken bites his ass. And, of course, taking the Microsoft development model blindly, without using his own brain.
As much as it pains me to defend MS, this has zero to do with the OS, and everything to do with process.
(1) Those files should have NEVER gotten out of the door. Full stop, no if, no but, no maybe. Should. Not. Have. Left. The. Building.
(2) The oink that had them should have no need to work with real data. Real data should be processed in-house (see point 1) and/or transported with protection. Real data is NOT a development/test tool.
Only after all of the above do you start thinking about the conditions under which this data may possibly travel and may be used for other purposes (which, incidentally, would potentially be another violation of the UK Data Protection Act 1998, as usage is defined at the point of collection; it cannot be changed later without explicit permission of the provider, i.e. you). Even with MS you can encrypt matters to a sensible degree (or install TrueCrypt, but that seems to equate to 'hassle' until it goes wrong).
There is no excuse for negligence.
Google for "co-op party" sometime. They'll tell you about all the Labour MPs that they funded. You know, the people who voted for the war in Iraq.
Are they ******* stupid? How could they have overlooked this?
Every idiot and their dog could post something saying "my bank is the greatest thing since sliced bread was first buttered".
Since they are providing no evidence and most likely they have none (unless you work in the bank you can't really vouch for their internal security procedures), the only safe assumption to make is that they are a shill or talking out of where the sun shines rarely, if ever....
There is absofuckinglutely no reason whatsoever to have real record of clients in a laptop.
Most situations that require access to data of clients can be covered by remote access tools over a VPN of some kind so you only get back to you a display and nothing else.
Putting confidential data on a laptop relies on one key or password to protect access to the data. You are making it easier to steal the data for any interested parties by removing the physical restraints on access to the data; you might as well open your datacentre to anybody that wanted access....