UK Bank Laptop Stolen With 11M Customer Records

daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"

worrying questions

[homer_s]

This story raises a number of worrying questions:

The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).

What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.

Re:worrying questions

[ShieldW0lf]

I left a job once when I first started working in IT, and one of the projects I'd done was for a web hosting company. I wanted the project to finish before I quit so I could use it on my resume, so I sent myself home the files I needed to work on to finish it so I could quit.

One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".

It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.

Not a Huge Surprise

[segedunum]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect. When a UK bank or building society says they're tightening security or doing anything, it's always a panic reaction and things revert to normal when the whole thing goes away.

People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop......."We've seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop. "This is really unusual."

It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.