http://news.zdnet.co.uk/security/0,1000000189,39284689,00.htm
By Tom Espiner
ZDNet UK
13 Nov 2006
The theft of a laptop containing Nationwide Building Society customer
information is being probed by the Financial Services Authority (FSA).
The laptop was stolen from an employee's house in a burglary in August.
Both Nationwide and FSA have refused to say exactly what data was
stolen. According to Alan Oliver, Nationwide's head of external affairs,
the laptop contained "limited customer information for market research
purposes".
The building society is willing to say what had not been stolen. No
PINs, passwords or information about financial transactions were
contained on the computer, and no account details such as customer
names, account numbers or sort codes were compromised, Oliver told ZDNet
UK on Monday.
However, there is a chance that the limited customer data stolen could
be linked to other information about individuals and used for identity
fraud.
Nationwide insists that victims of identity fraud would not suffer
financial loss, as the building society has a policy of reimbursing
money stolen. "There has been no loss of money, and no chance of any
customers suffering financial loss. If they are the innocent victim of
fraud they will not lose out," said Oliver. "The information on its own
cannot be used for identity fraud."
Nationwide would not say how many customers' details were contained on
the stolen laptop. It is in the process of writing to all of its 11
million UK customers to outline the security measures they need to take
as a result of the theft.
"It's important at times like this to reassure people their information
is safe and protected and that it's a good thing to take precautions
themselves," said Oliver. "It's important people take all necessary
steps to protect their information."
Authorities, including the police and the Information Commissioner, have
been informed about the loss of the data. Nationwide said it could not
give any details of the burglary as it could compromise the police
investigation.
"The police have asked us not to give details of the theft as to do so
would compromise their ongoing investigation," said Oliver.
However, the police have told Nationwide that the crime was not
targeted, and probably opportunistic.
Following the incident, Nationwide has taken "a number of different
steps to increase security", although it would not say what steps had
been taken. The building society also refused to comment on what kind of
security policy it has regarding laptops, and whether encryption was
used to protect the data.
The employee who had the laptop stolen may not have been acting in
accordance with Nationwide security policy, the building society said.
"We're looking at our procedures as we speak. It appears that all
procedures may not have been complied with," said Oliver.
Although Nationwide was keen to play down the severity of its security
lapse, the Financial Services Authority (FSA) which regulates the
banking industry is currently investigating the incident.
"We're continuing to discuss with Nationwide the incidence of a loss of
data," said an FSA spokesman. "Our principle concern is to minimise the
risk to consumers."
"Along with other authorities including the Information Commissioner and
the police we considered when and how Nationwide should communicate with
customers on this issue in a way that minimises any potential misuse of
the data. We discussed what Nationwide needs to do to alert customers of
the fact that data had been stolen."
While the FSA refused to comment on the nature of the data stolen, it
said that the very act of alerting affected customers could have further
compromised their security. This indicates that the data stolen could be
used by criminals if linked to customer names or addresses.
Received on Tue Nov 14 01:44:44 2006