Slashdot Mirror
UK Bank Laptop Stolen With 11M Customer Records
daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"
This story raises a number of worrying questions:
The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?
I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).
What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.
That is the one question that doesn't step on internal business processes, data, or procedures.
With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.
I do not fail; I succeed at finding out what does not work.
You are being MICROattacked, from various angles, in a SOFT manner.
Thank god I have only £30 in my Nationwide account.
If this were really happening, what would you think?
Another good reason I use smile (www.smile.co.uk) They have great customer service (best ive encountered), reasonable interest rates, a great,usable website, and are consistantly ranked the top UK bank for security. On top it all, they are an ethical bank who restrict where they invest your cash.
It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.
DRM-free indie games for the PC and Mac: Positech Games
The Data Protection Act requires that businesses and individuals take precautions to protect personal data.
Deleted
Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.
However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? quit? if your morgage is with your bank and they lose your account information, are you going to change bank?
Because there is basically, when all is said and done, no *real* pain for organisations, for loosing information, there is no *real* need for them to understand security enough for these data losses to stop.
So suck it up!
Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/receieved from my own home-run POP/SMTP server.
It's a mutual building society, so firstly it is not a bank anyway. Secondly it cannot just be brought out unless a majority of it's current customers vote that way. The Nationwide in line with most of the other remaining building societies in the U.K. have made the process of de-mutualization much harder in recent years. It therefore unlikely that it could be brought out by anyone.
People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.
It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.
allow the use of 4 gig thumb drives.....
Oh wait, Did I say "don't"?
We need to implement the death penalty for this sort of thing.
Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.
See you in 11000000/365 = about 30,000 years!!!
Seven puppies were harmed during the making of this post.
TFA does not say that the laptop had infomation on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not pins, balances or passwords.
r ts/
More infomation
http://www.nationwide.co.uk/security/news_and_ale
This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.
Not to say they should not presume the worse and react accordingly of course.
You will forget this sig before you next see it
"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
From the UK Data Protection Act 1998.
If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.
Deleted
Because some people conduct their business very incompetent.
I work for a Swiss bank. All notebook harddisks are encrypted by default. There is no way our employees could get access to the customer database to replicate data!!! The Swiss banking law is rather harsh on such issues. For the employee as well as the bank.
In the end, you have to severly punish enterprises for being lax with customer data. The loose of reputation is not incetive enough. It has to hurt so that execs decide to recognize the issue.
Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.
Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.
I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks who's area of expertise isn't computing - they're banks remember?
There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.
Cheers,
Ian
I've seen people stealing these out of letterboxes before now on our estate. I can't personally think of any other useful reason to pinch a gas bill, unless you've been dumpster diving ot have bought a laptop for £50 with 11 million acount numbers on it.... Since the postie doesn't deliver until midday in many locations, and since it's easy to stick your fingers in a floor level letterbox and fish the mail back out again it's amazing anyone accepts a utility bill as proof of ID. All it is proof you have access to the mailbox of that address.
1. Withdraw all money from account
2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.
3. Profit!!!
Please correct me if I got my facts wrong.