Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Bank Laptop Stolen With 11M Customer Records

Posted by ryuzaki0 on from the easy-come-easy-go dept.

daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"

17 of 184 comments (clear)

  1. worrying questions by homer_s · · Score: 5, Insightful

    This story raises a number of worrying questions:

    The worrying questions should be
    Why should anyone be able to ruin your finances by just knowing some numbers?
    Why should someone be able to borrow in your name by just quoting some number?
    Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

    I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).

    What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.

    1. Re:worrying questions by ShieldW0lf · · Score: 5, Insightful

      I left a job once when I first started working in IT, and one of the projects I'd done was for a web hosting company. I wanted the project to finish before I quit so I could use it on my resume, so I sent myself home the files I needed to work on to finish it so I could quit.

      One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".

      It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.

      --
      -1 Uncomfortable Truth
    2. Re:worrying questions by mspohr · · Score: 3, Informative
      Why should anyone be able to ruin your finances by just knowing some numbers? Why should someone be able to borrow in your name by just quoting some number? Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?
      This is the crux of the problem. The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission. They profit from each sale and thus have a big incentive to make the information available to as many people as possible. They've been burned by past practices and have had to eliminate outright fraudsters from their sales prospects (much to their dismay) but they still make big bucks by selling to just about anyone else prospecting for suckers for their credit cards, "financial services", and every other hair-brained marketers wet dream.

      If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies).

      --
      I don't read your sig. Why are you reading mine?
    3. Re:worrying questions by ummit · · Score: 4, Insightful
      Why should anyone be able to ruin your finances by just knowing some numbers?

      Excellent question.

      One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.

      If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandanavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.

      The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.

      It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.

    4. Re:worrying questions by ivothamdrup · · Score: 3, Informative

      The bit about identification numbers is actually true. In Estonia, everyone's [1] SSN can be looked up from a public LDAP directory (ldap://ldap.sk.ee). The SSN is used, as you said, only for identification. There are however some people who view it as a security hazard, but the same people can't tell the difference between identification and authorization...
      [1] - Everyone who's been issued an ID Card; that is, about 90% of the population.

  2. Why was the info. on the laptop not encrypted? by msobkow · · Score: 4, Insightful
    Why was the information on the laptop not encrypted?

    That is the one question that doesn't step on internal business processes, data, or procedures.

    With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Why was the info. on the laptop not encrypted? by AnonChef · · Score: 3, Insightful

      there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

      When did stupidity stop being a valid reason?

  3. Why, why, why? by SpaceLifeForm · · Score: 3, Funny
    Obviously, the UK Building Society Nationwide does not read Slashdot, otherwise they would have known about the risks.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  4. It is not often I say . . . by Don_dumb · · Score: 3, Funny

    Thank god I have only £30 in my Nationwide account.

    --
    If this were really happening, what would you think?
    1. Re:It is not often I say . . . by pr0digy25 · · Score: 3, Funny

      Thank god I have only £30 in my Nationwide account.

      Or is that *had* in your account? :)

  5. a reason to SMILE by cliffski · · Score: 3, Interesting

    Another good reason I use smile (www.smile.co.uk) They have great customer service (best ive encountered), reasonable interest rates, a great,usable website, and are consistantly ranked the top UK bank for security. On top it all, they are an ethical bank who restrict where they invest your cash.
    It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.

    --
    DRM-free indie games for the PC and Mac: Positech Games
  6. Suck it up by Toby+The+Economist · · Score: 3, Interesting

    Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.

    However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? quit? if your morgage is with your bank and they lose your account information, are you going to change bank?

    Because there is basically, when all is said and done, no *real* pain for organisations, for loosing information, there is no *real* need for them to understand security enough for these data losses to stop.

    So suck it up!

    Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/receieved from my own home-run POP/SMTP server.

    1. Re:Suck it up by Fnkmaster · · Score: 3, Insightful

      Well, this is one of those cases where government intervention would actually be useful. If there were a mandatory penalty of $10 per record lost, plus the requirement that the company covers identity theft protection insurance for at least 2 years for all affected customers, well, you wouldn't ever see 11 million records leave the office, period.

      When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.

  7. Not a Huge Surprise by segedunum · · Score: 5, Insightful
    Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect. When a UK bank or building society says they're tightening security or doing anything, it's always a panic reaction and things revert to normal when the whole thing goes away.

    People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

    But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop......."We've seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop. "This is really unusual."
    It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.
  8. TFA by Chris_Keene · · Score: 3, Informative

    TFA does not say that the laptop had infomation on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not pins, balances or passwords.

    More infomation
    http://www.nationwide.co.uk/security/news_and_aler ts/

    This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.

    Not to say they should not presume the worse and react accordingly of course.

    --
    You will forget this sig before you next see it
  9. What they're doing is breaking the law. by Colin+Smith · · Score: 4, Insightful

    "7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

    From the UK Data Protection Act 1998.

    If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.

    --
    Deleted
  10. Utter tosh by mccalli · · Score: 3, Informative

    Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.

    Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.

    I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks who's area of expertise isn't computing - they're banks remember?

    There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.

    Cheers,
    Ian