UK Bank Laptop Stolen With 11M Customer Records

daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"

worrying questions

[homer_s (799572)]

This story raises a number of worrying questions:

The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).

What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.

Re:

[by Anonymous Coward]

This very very insightful. For instance when I lived in the US by social security number had to be used for almost everything I did. FOor example, it was my employee number at work and printed on everything. In Canada, where I am from, your number is more closing guarded, basically only used for tax purposes. If I get a form from my stock broker it says "number on file" and doesn't prtint the number, because there is no reason too.

Anyway the parent is right on the money, but we could start by taking easy b

Re:

[RAMMS+EIN (578166)]

``This very very insightful. For instance when I lived in the US by social security number had to be used for almost everything I did. FOor example, it was my employee number at work and printed on everything. In Canada, where I am from, your number is more closing guarded, basically only used for tax purposes. If I get a form from my stock broker it says "number on file" and doesn't prtint the number, because there is no reason too.''

Right. It's interesting to see how, in the USA, where (more) people are (

Re:

[cloricus (691063)]

This probably shows how much of a geek I am compared to you but 11 million records...So say a name, an address, several series of numbers and general info...That is a hell of a lot of plain text. When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

Re:

[Dunbal (464142)]

11 million records...So say a name, an address, several series of numbers and general info...

say 500 bytes per record - plenty to store name, address, phone number, account number, balance, ID number.
11M * 500 = 5500MB or about 5.5 GB. There's still plenty of room.

Re:

[cloricus (691063)]

Excluding my licensed usage of the patented /. late night maths for not realising that a large number isn't really that big I still would like an answer to my second question of PHBs taking this much data home. Seriously we have several gig DBs at work with thousands of customer records yet I've never seen one good reason for it to leave the main storage site and with banking details which I would consider more sensitive why would a company even open itself up to this sort of thing...

Re:

[LordPhantom (763327)]

11 million.... "woah, that's a lot".
Ok, consider this. Let's assume that each record is, say, a couple of kilobytes (that's much more than it probably is) of just text, as you say.
11,000,000 * 2kb = 22,000,000 kbytes.
22,000,000Kb = 21484.375 MB = 20.98 GB.
If it's in a raw database format, that is.
Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

Re:worrying questions

[ShieldW0lf (601553)]

I left a job once when I first started working in IT, and one of the projects I'd done was for a web hosting company. I wanted the project to finish before I quit so I could use it on my resume, so I sent myself home the files I needed to work on to finish it so I could quit.

One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".

It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.

Re:

[Fastolfe (1470)]

This is absolutely insane. You do not need a full account database in order to do a project. A project like this should have a test database that contains bogus customer information for testing purposes. I work for a major telecommunications company on our billing-related application team, and I have never seen or heard of our developers doing things like this.

I can understand, though, how some smaller companies may not have the resources to do things like this properly, but for the benefit of other read

Re:

[ShieldW0lf (601553)]

In my defense, at that time, I had negligible real-world experience to speak of and was attempting to single-handedly reverse engineer, repair and extend a huge mess that looked like it had been written by a secretary. I think they migrated the db from Access with a wizard and then poked around looking for ways to make it worse.

The idea of not using "live data" in that particular case was a bit of a joke.

What they're doing is breaking the law.

[Colin Smith (2679)]

"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

From the UK Data Protection Act 1998.

If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.

 

Re:

[by Anonymous Coward]

Everyone should come up with two large prime numbers p and q the moment they're born, state p*q for the birth certificate, and compute arbitrary cube roots mod p*q in their head to prove their identity.

Re:

[elgatozorbas (783538)]

Why should anyone be able to ruin your finances by just knowing some numbers?

Because otherwise you would not be able to use all these nifty on-line things, and would need to go to the bank everytime you wanted to transfer money. The problem is not in the use of numbers, but in recklessness.

Re:worrying questions

[mspohr (589790)]

Why should anyone be able to ruin your finances by just knowing some numbers? Why should someone be able to borrow in your name by just quoting some number? Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

This is the crux of the problem. The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission. They profit from each sale and thus have a big incentive to make the information available to as many people as possible. They've been burned by past practices and have had to eliminate outright fraudsters from their sales prospects (much to their dismay) but they still make big bucks by selling to just about anyone else prospecting for suckers for their credit cards, "financial services", and every other hair-brained marketers wet dream.

If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies).

Re:worrying questions

[ummit (248909)]

Why should anyone be able to ruin your finances by just knowing some numbers?

Excellent question.

One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.

If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandanavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.

The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.

It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.

Re:

[ivothamdrup (991171)]

The bit about identification numbers is actually true. In Estonia, everyone's [1] SSN can be looked up from a public LDAP directory (ldap://ldap.sk.ee). The SSN is used, as you said, only for identification. There are however some people who view it as a security hazard, but the same people can't tell the difference between identification and authorization...
[1] - Everyone who's been issued an ID Card; that is, about 90% of the population.

Why was the info. on the laptop not encrypted?

[msobkow (48369)]

Why was the information on the laptop not encrypted?

That is the one question that doesn't step on internal business processes, data, or procedures.

With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

Re:

[AnonChef (947738)]

there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

When did stupidity stop being a valid reason?

Re:

[paulius_g (808556)]

In corporate and enterprise environments, many people have the mentality of "if it ain't broken, don't fix it".

I know a few companies (although really small) which have the same mentality. One is a photographer who uses a laptop without a firewall, IE6, without antivirus and without any updates. They say that they don't need any updates or nothing because he only uses the laptop to check emails and go on eBay. Sigh.

Why, why, why?

[SpaceLifeForm (228190)]

Obviously, the UK Building Society Nationwide does not read Slashdot, otherwise they would have known about the risks.

It is not often I say . . .

[Don_dumb (927108)]

Thank god I have only £30 in my Nationwide account.

Re:

[pr0digy25 (915443)]

Thank god I have only £30 in my Nationwide account.

Or is that *had* in your account? :)

a reason to SMILE

[cliffski (65094)]

Another good reason I use smile (www.smile.co.uk) They have great customer service (best ive encountered), reasonable interest rates, a great,usable website, and are consistantly ranked the top UK bank for security. On top it all, they are an ethical bank who restrict where they invest your cash.
It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.

Re:

[by Anonymous Coward]

How do you know that this couldn't happen to them?

Seems like you're nothing but a petty shill.

Re:

[Richard_at_work (517087)]

This seems to be the latest stupid 'slashdot-ism' - other than a few well known exceptions, you are not allowed to have a good word about or make a recommendation about any company big or small because you are instantly branded a shill [wikipedia.org] for doing so.

Pathetic.

Re:

[xwizbt (513040)]

Nobody's suggesting it couldn't happen to them, but you may want to check their website and see just how obsessed they are with security. However, this doesn't mean those silly systems where you get a random number through the post and have to input various digits every now and then, which you promptly forget. Their security is simple but effective. Coupled with great customer service, I can totally see where the original poster is coming from.

And hey - how many other banks have two rabid fans that are prep

Re:

[ozbird (127571)]

I keep all my ISK In the Eve Intergalactic Bank [eve-online.com] - as safe as 1.0 space!

Re:

[loconet (415875)]

They can be all that, but if an silly employee with access copies the data to a laptop to bring home, all those wonderful things become irrelevant. Security is as weak as the stupidest operator with access....

Re:

[jez9999 (618189)]

How do you pay physical cheques or money into your account? Either you must never pay that in, or use snail mail, both of which sound irritating compared to walking into a bank...

Sounds like they should be prosecuted

[Colin Smith (2679)]

The Data Protection Act requires that businesses and individuals take precautions to protect personal data.

 

Re:

[Colin Smith (2679)]

The directors are liable under the act anyway.

 

Banking competition...

[creimer (824291)]

I think this UK Bank wants to be bought out by an US bank by advertising that they can dump customer data just like the US Banks.

Re:

[jabuzz (182671)]

It's a mutual building society, so firstly it is not a bank anyway. Secondly it cannot just be brought out unless a majority of it's current customers vote that way. The Nationwide in line with most of the other remaining building societies in the U.K. have made the process of de-mutualization much harder in recent years. It therefore unlikely that it could be brought out by anyone.

Suck it up

[Toby The Economist (811138)]

Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.

However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? quit? if your morgage is with your bank and they lose your account information, are you going to change bank?

Because there is basically, when all is said and done, no *real* pain for organisations, for loosing information, there is no *real* need for them to understand security enough for these data losses to stop.

So suck it up!

Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/receieved from my own home-run POP/SMTP server.

Re:Suck it up

[Fnkmaster (89084)]

Well, this is one of those cases where government intervention would actually be useful. If there were a mandatory penalty of $10 per record lost, plus the requirement that the company covers identity theft protection insurance for at least 2 years for all affected customers, well, you wouldn't ever see 11 million records leave the office, period.

When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.

Re:

[Toby The Economist (811138)]

I totally agree.

Unfortunately, the State is not independent of these corporations - their lobbies are effective and well funded. In other words, the mechanism which we, as individuals, have collectively agreeded to bring into existance (the State) is not functioning; it has been compromised by the entities it was created to constrain.

There *is* a penalty

[Colin Smith (2679)]

Up to £5,000 fine per offence against the Data Protection Act. 11 million records, 11 million offences. Directors are liable and the company is liable to cover any damages incurred, plus damages for distress inflicted.
 

Not a Huge Surprise

[segedunum (883035)]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect. When a UK bank or building society says they're tightening security or doing anything, it's always a panic reaction and things revert to normal when the whole thing goes away.

People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop......."We've seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop. "This is really unusual."

It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.

Utter tosh

[mccalli (323026)]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.

Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.

I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks who's area of expertise isn't computing - they're banks remember?

There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.

Cheers,
Ian

well its a good thing they don't.....

[3seas (184403)]

allow the use of 4 gig thumb drives.....

Oh wait, Did I say "don't"?

why? why? why?

[elgatozorbas (783538)]

Possibly for the simple reason that many people don't see the "big picture" and have no idea of the risk they are exposing themselves to.

Probably not enough ID..

[Channard (693317)]

.. this is worrying, but it's probably not quite enough to take out finance/credit cards etc. My local store requires, if you're doing finance, proof of ID such as driving licence or passport, and also a recent household bill.

TFA

[Chris_Keene (87914)]

TFA does not say that the laptop had infomation on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not pins, balances or passwords.

More infomation
http://www.nationwide.co.uk/security/news_and_aler ts/ [nationwide.co.uk]

This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.

Not to say they should not presume the worse and react accordingly of course.

why was it even there?

[v1 (525388)]

What does any employee of that bank need with the entire customer database? If he is doing work, he should be doing it at work not at home.

How many of this business's employees have full access to the entire customer database with account numbers?

Is it company policy to allow empoyees to take business records home at all? Or for that matter, is it even within company policy to bring your own personal laptop into the building?

So, what policies were broken, what policies are being changed, and what's not go

UK banking laws will protect customers, but...

[AmiMoJo (196126)]

In this regard, UK banking laws are actually quite good. Customers of the building society will not loose out financially if any fraudulent activity happens on their account. However, it's the secondary effects that are the problem.

Someone takes out a loan with your bank account details. Problem is discovered. You waste time and effort fixing it. Bank and loan company waste time. Loan amount is lost to criminal. Loss results in higher rates and charges for everyone. Who will pick up the bill? Not the bank,

Profit!!

[RAMMS+EIN (578166)]

1. Withdraw all money from account

2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.

3. Profit!!!

Re:

[thrillseeker (518224)]

Well, £100 fine per lost record would be a good first step.

Re:

[Dunbal (464142)]

We need to implement the death penalty for this sort of thing.

      Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.

      See you in 11000000/365 = about 30,000 years!!!

The directors *are* liable to a fine

[Colin Smith (2679)]

Up to £5000 per offence. With 11 million offences they should probably have taken security a bit more seriously.

 

Re:

[nuggz (69912)]

FYI
m - milli = 0.001
k - kilo = 1 000
M - mega = 1 000 000

I consider local namings/conventions a sort of slang that should not be used in a global forum.