UK Bank Laptop Stolen With 11M Customer Records

daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"

worrying questions

[homer_s]

This story raises a number of worrying questions:

The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).

What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.

Re:

[Anonymous Coward]

This very very insightful. For instance when I lived in the US by social security number had to be used for almost everything I did. FOor example, it was my employee number at work and printed on everything. In Canada, where I am from, your number is more closing guarded, basically only used for tax purposes. If I get a form from my stock broker it says "number on file" and doesn't prtint the number, because there is no reason too.

Anyway the parent is right on the money, but we could start by taking easy b

Re:

[RAMMS+EIN]

``This very very insightful. For instance when I lived in the US by social security number had to be used for almost everything I did. FOor example, it was my employee number at work and printed on everything. In Canada, where I am from, your number is more closing guarded, basically only used for tax purposes. If I get a form from my stock broker it says "number on file" and doesn't prtint the number, because there is no reason too.''

Right. It's interesting to see how, in the USA, where (more) people are (

Re:

[cloricus]

This probably shows how much of a geek I am compared to you but 11 million records...So say a name, an address, several series of numbers and general info...That is a hell of a lot of plain text. When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

Re:

[Dunbal]

11 million records...So say a name, an address, several series of numbers and general info...

say 500 bytes per record - plenty to store name, address, phone number, account number, balance, ID number.
11M * 500 = 5500MB or about 5.5 GB. There's still plenty of room.

Re:

[cloricus]

Excluding my licensed usage of the patented /. late night maths for not realising that a large number isn't really that big I still would like an answer to my second question of PHBs taking this much data home. Seriously we have several gig DBs at work with thousands of customer records yet I've never seen one good reason for it to leave the main storage site and with banking details which I would consider more sensitive why would a company even open itself up to this sort of thing...

Re:

[Dunbal]

Excluding my licensed usage of the patented /. late night maths for not realising that a large number isn't really that big

      Hehehe. It happens! There's nothing wrong with critical thought.

with banking details which I would consider more sensitive

      Ugh, you should try dealing with all the niceties HIPAA provides...

Re:

[LordPhantom]

11 million.... "woah, that's a lot".
Ok, consider this. Let's assume that each record is, say, a couple of kilobytes (that's much more than it probably is) of just text, as you say.
11,000,000 * 2kb = 22,000,000 kbytes.
22,000,000Kb = 21484.375 MB = 20.98 GB.
If it's in a raw database format, that is.
Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

Re:

[Knuckles]

Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

I'm not sure, do you mean "aren't exactly being sold with 20GB of HD space anymore"? Because last time I checked, the usual size was around 60 GB :)

Re:

[jridley]

Right, I don't think you can get a laptop with a drive that small anymore.

On another note, what kind of *MORONIC* company allows sensitive customer data on portable media in unencrypted form? I mean hell, it's not like there haven't been plenty of cautionary tales, and it's not like it even costs any damn money, just run truecrypt if you're too cheap to buy anything, it works well.

I'm guessing that they think that the possibility that somebody might forget a password is more important than actually safegua

Re:

[mikael]

Last time I checked, laptops aren't exactly being sold with 20GB of HD space.

The latest models of laptops have not one but two slots for the 2.5" hard disk drives, which are accessible from a side panel (rather than being mounted deep inside the system). And 20 GB is at the lower end of the memory capacity for this size of drive, with 100GB at the high end. So it's easy for a laptop to have 200GB of storage if you really wanted to. For design engineers having a workstation that they can take into meetings o

Re:

[LordPhantom]

Yes - I should have stated more clearly "Last time I checked, laptops aren't exactly being sold with such a small amount of hard drive space".

Re:worrying questions

[ShieldW0lf]

I left a job once when I first started working in IT, and one of the projects I'd done was for a web hosting company. I wanted the project to finish before I quit so I could use it on my resume, so I sent myself home the files I needed to work on to finish it so I could quit.

One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".

It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.

Re:

[Fastolfe]

This is absolutely insane. You do not need a full account database in order to do a project. A project like this should have a test database that contains bogus customer information for testing purposes. I work for a major telecommunications company on our billing-related application team, and I have never seen or heard of our developers doing things like this.

I can understand, though, how some smaller companies may not have the resources to do things like this properly, but for the benefit of other read

Re:

[Tim C]

Agreed. The project I'm currently on involves a database of information protectively marked as RESTRICTED (the lowest protective marking, but still legally protected by the UK's Official Secrets Acts), and we don't even get to see it. We're not even allowed to use a randomly scrambled version of the real data for performance testing, let alone functional testing.

I can understand, though, how some smaller companies may not have the resources to do things like this properly

Rubbish. Even if they have to develo

Re:

[ShieldW0lf]

In my defense, at that time, I had negligible real-world experience to speak of and was attempting to single-handedly reverse engineer, repair and extend a huge mess that looked like it had been written by a secretary. I think they migrated the db from Access with a wizard and then poked around looking for ways to make it worse.

The idea of not using "live data" in that particular case was a bit of a joke.

What they're doing is breaking the law.

[Colin Smith]

"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

From the UK Data Protection Act 1998.

If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.

 

Re:

[jimicus]

Nationwide are one of the few remaining building societies in the UK. This means that they're effectively a co-operative owned by their members rather than a bank.

Not that they would - the DPA isn't that heavily enforced - but I don't want them facing a fine that size. My mortgage is with them and the last thing I need is for them to foreclose everyone's mortgages to pay off a fine.

Re:

[Foobar of Borg]

When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

Simple. They are feeling Important, so that they can also feel Virile (or Fertile, depending on their gender). PHB's always do stupid shit like this. That's one of the many reasons this world is so fucked up!

Re:

[mikael]

When did laptop hard drives get that big and what are bank PHBs doing with those DBs at home anyway?

The information was being used for marketing purposes (according to Sky News. Presumably, this list of names and addresses was going to be used to send out mail shots. At 11 million records, that covers well over 10% of the entire UK population.

Re:

[Anonymous Coward]

Everyone should come up with two large prime numbers p and q the moment they're born, state p*q for the birth certificate, and compute arbitrary cube roots mod p*q in their head to prove their identity.

Re:

[elgatozorbas]

Why should anyone be able to ruin your finances by just knowing some numbers?

Because otherwise you would not be able to use all these nifty on-line things, and would need to go to the bank everytime you wanted to transfer money. The problem is not in the use of numbers, but in recklessness.

Re:

[RAMMS+EIN]

``Because otherwise you would not be able to use all these nifty on-line things, and would need to go to the bank everytime you wanted to transfer money.''

That raises the question of how the bank authenticates you. I'm confident a web interface can be at least as secure as whatever you get when you're physically at the bank (note that I did not say "what you _could_ get when you're at the bank"). Of course, this case is about a leak in the back end; a front end is never going to protect against that, no mat

Re:

[RAMMS+EIN]

At least one bank in the Netherlands used to do that, too. I don't know if they still do it, but I do know that people (including myself) used to find it horribly inconvenient and lose the pads. The bank I'm with now uses a device that reads your bank card, asks for your PIN, asks for a challenge that you are sent by the server (encrypted, of course), and then gives you a response that you send to the server.

Since the device is a black box, I have no idea how good the security is (it particularly worries me

Re:

[menkhaura]

Hell, they do it even here in Brazil (pretty much the definition of "third-world country", notwhitstanding government propaganda to the contrary), in one private bank, at least.

Re:worrying questions

[mspohr]

Why should anyone be able to ruin your finances by just knowing some numbers? Why should someone be able to borrow in your name by just quoting some number? Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?

This is the crux of the problem. The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission. They profit from each sale and thus have a big incentive to make the information available to as many people as possible. They've been burned by past practices and have had to eliminate outright fraudsters from their sales prospects (much to their dismay) but they still make big bucks by selling to just about anyone else prospecting for suckers for their credit cards, "financial services", and every other hair-brained marketers wet dream.

If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies).

Re:

[RAMMS+EIN]

``The entire basis of the credit industry is that they collect all of your personal information and then sell it freely without your knowledge or permission.''

Now, hold on just a second. Aren't there laws against that in the EU? Laws that detail consumers' right to privacy and specify what companies can and can't do with personal information? I can certainly imagine a few companies getting away with breaking these laws, but not a whole industry being founded on it. Besides, it seems to me banks make money b

Re:

[mspohr]

I don't know about the EU (I'm in the US) but here is a credit industry that collects personal information about every "consumer" and sells this to anyone who isn't obviously a crook. Some of the users of the information are legitimate (i.e. bank checks my credit when I apply for a loan or credit card). Most of the sales are to companies that want to sell you something (i.e. all of those unsolicited credit card applications).

As far as banks go, they tell you that they are releasing your personal bank inf

Re:worrying questions

[ummit]

Why should anyone be able to ruin your finances by just knowing some numbers?

Excellent question.

One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.

If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandanavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.

The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.

It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.

Re:

[ivothamdrup]

The bit about identification numbers is actually true. In Estonia, everyone's [1] SSN can be looked up from a public LDAP directory (ldap://ldap.sk.ee). The SSN is used, as you said, only for identification. There are however some people who view it as a security hazard, but the same people can't tell the difference between identification and authorization...
[1] - Everyone who's been issued an ID Card; that is, about 90% of the population.

Re:

[ScrewMaster]

It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.

And, more importantly, could be changed if it ever became compromised. If you didn't have the ability to change that "secret number", it would be no better than a biometric authentication system that depends upon some supposedly unique aspect of your body.

Social Security numbers wouldn't be s

Re:

[timeOday]

Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?

Probably because money is just some numbers? Seriously. Money is just information, you can't have financial security without information security.

Re:

[Cyberax]

It's possible, moreover it's already 'implemented' in many countries.

For example, I live in Russia. Stolen databases of passport data are freely sold on black market. But it's impossible to do anything with them, because _every_ business where identity is important requires your physical presence with your passport. And it's a common practice to attach photocopied passport pages to documents (in banks, etc.).

Of course, there's a downside to this: you need national ID system AND you are going to lose a lot o

Re:

[RAMMS+EIN]

``No one can steal someone else's identity (for now anyway).''

I'd say not ever. But then, I understand identity to mean a relation that holds for p and q, if and only if p and q denote the same object. Like eq in Common Lisp. What is "stolen" is not the identity, but the traits that we look at when trying to verify identity. The checks we perform are more like eql or equal than eq.

Also, many cases of identity "theft" don't actually remove credentials (let alone identity) from the victim: very often they cop

Re:

[gilgongo]

I sometimes wonder when, or if, it will become necessary for ordinary people to understand PKI as part of their everyday lives, in the same way as they understand how to drive, the rudiments of the taxation system and the stock market.

Surely there has to come a time when the issue of identiry theft has to be tackled in some reasonably effective way, not simply buck-passing from bank to customer to insurance provider to government, as is the case right now?

Re:

[RAMMS+EIN]

``I can't help but think that most things that could be done to enhance security would generate another Slashdot article about how our privacy is being eroded.''

I wouldn't be so sure. Security and privacy often go hand in hand. In this case, for example, a security problem caused private information to be leaked. Privacy was lost, because of bad security. Also, if these records contain enough information to actually impersonate the customers, then the privacy leak causes a breach of security: banks' authent

Why was the info. on the laptop not encrypted?

[msobkow]

Why was the information on the laptop not encrypted?

That is the one question that doesn't step on internal business processes, data, or procedures.

With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

Re:

[AnonChef]

there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.

When did stupidity stop being a valid reason?

Re:

[pbhj]

>>> When did stupidity stop being a valid reason?

I've always been told that "ignorance is no excuse under the law"; so, the answer is "a long time ago"!

Re:

[paulius_g]

In corporate and enterprise environments, many people have the mentality of "if it ain't broken, don't fix it".

I know a few companies (although really small) which have the same mentality. One is a photographer who uses a laptop without a firewall, IE6, without antivirus and without any updates. They say that they don't need any updates or nothing because he only uses the laptop to check emails and go on eBay. Sigh.

Re:

[hey!]

While I agree that encrypted file systems and strong authentication should be used when data is taken offsite, it's important to remmeber that the data probably wasn't supposed to be offsite in the first place.

A more secure policy does not good unless policies regarding data are strictly enforced at every step. As soon as the data was copied in an unauthorized manner, the bank lost the power to control its subsequent use.

More leniant policies, more strictly enforced would do better. If it is necessary for

Re:

[Fastolfe]

While I agree that encrypted file systems and strong authentication should be used when data is taken offsite, it's important to remmeber that the data probably wasn't supposed to be offsite in the first place.

I agree. Where I work, we actually take things further. Any customer information like this, even if it's stored on internal systems, must still be stored encrypted. It is also unlikely our developers would have ever needed live production customer data to test with, so it would be odd (suspicio

Re:

[msobkow]

If an employee needs regular access to sensitive data and password entries with TrueCrypt or encfs are too much work, the company could always spend a few hundred extra on laptops preconfigured to use drive encryption, with or without biometric drive security. Several companies including IBM/Lenovo sell such hardware.

The point is that the usual excuse of budget constraints don't wash -- there are free options that require little work.

Double click TrueCrypt container. Select virtual drive letter. Cli

Why, why, why?

[SpaceLifeForm]

Obviously, the UK Building Society Nationwide does not read Slashdot, otherwise they would have known about the risks.

It is not often I say . . .

[Don_dumb]

Thank god I have only £30 in my Nationwide account.

Re:

[pr0digy25]

Thank god I have only £30 in my Nationwide account.

Or is that *had* in your account? :)

a reason to SMILE

[cliffski]

Another good reason I use smile (www.smile.co.uk) They have great customer service (best ive encountered), reasonable interest rates, a great,usable website, and are consistantly ranked the top UK bank for security. On top it all, they are an ethical bank who restrict where they invest your cash.
It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.

Re:

[Anonymous Coward]

How do you know that this couldn't happen to them?

Seems like you're nothing but a petty shill.

Re:

[Richard_at_work]

This seems to be the latest stupid 'slashdot-ism' - other than a few well known exceptions, you are not allowed to have a good word about or make a recommendation about any company big or small because you are instantly branded a shill [wikipedia.org] for doing so.

Pathetic.

Re:

[xwizbt]

Nobody's suggesting it couldn't happen to them, but you may want to check their website and see just how obsessed they are with security. However, this doesn't mean those silly systems where you get a random number through the post and have to input various digits every now and then, which you promptly forget. Their security is simple but effective. Coupled with great customer service, I can totally see where the original poster is coming from.

And hey - how many other banks have two rabid fans that are prep

Re:

[cliffski]

from: http://www.smile.co.uk/servlet/Satellite?cid=1124 8 67052002&pagename=Smile%2FPage%2FsmView&c=Page [smile.co.uk]

"We're the only UK online bank with the BS7799 Information Security certification from the BSI. That means we have an extremely secure Internet Banking service"

wikipedia entry:

http://en.wikipedia.org/wiki/BS_7799 [wikipedia.org]

Plus every newspaper that ever runs a story on the most / least secure banks seems to always rank smile #1. I'm not a 'shill', I dont work for smile, I run my own games company. I'm just a

Re:

[jimicus]

I'm a customer of Smile too. And I find their telephone banking worrying, to say the least.

I also have an account with Lloyds TSB. With them, the computer asks 3 questions which the phone bank person relays to you. They punch the answers in, computer either says "no" or "yes". It doesn't say which questions were wrong if access is denied. In any case, the person in the call centre can't get at your bank details until such time as the questions are answered.

Not so with Smile. With Smile, as soon as the

Re:

[ozbird]

I keep all my ISK In the Eve Intergalactic Bank [eve-online.com] - as safe as 1.0 space!

Re:

[loconet]

They can be all that, but if an silly employee with access copies the data to a laptop to bring home, all those wonderful things become irrelevant. Security is as weak as the stupidest operator with access....

Re:

[jez9999]

How do you pay physical cheques or money into your account? Either you must never pay that in, or use snail mail, both of which sound irritating compared to walking into a bank...

Re:

[duguk]

I'm with nationwide for exactly the same reasons, fantastic customer service and never had a problem with inernet banking or money going missing.

On the two occasions I have had trouble with another company, I was refunded the money without question right away.

They also promise NEVER to email customers because of the inherent problems.

Reading the article, it does not say that all 11 million customers' information was even on the laptop, and the only information on there was account numbers and names.

I have n

Re:

[cortana]

Snail mail. If you pay in a lot of cash, Smile/Cahoot and similar banks are not for you.

Sounds like they should be prosecuted

[Colin Smith]

The Data Protection Act requires that businesses and individuals take precautions to protect personal data.

 

Re:

[Colin Smith]

The directors are liable under the act anyway.

 

Banking competition...

[__aaclcg7560]

I think this UK Bank wants to be bought out by an US bank by advertising that they can dump customer data just like the US Banks.

Re:

[jabuzz]

It's a mutual building society, so firstly it is not a bank anyway. Secondly it cannot just be brought out unless a majority of it's current customers vote that way. The Nationwide in line with most of the other remaining building societies in the U.K. have made the process of de-mutualization much harder in recent years. It therefore unlikely that it could be brought out by anyone.

Re:

[caluml]

be brought out
Bought. As in "to buy". Brought is as in "to bring".

Re:

[matthew.thompson]

And as a member of the Portman Building Society you will be provided with a vote to decide wether the MERGER or Portman and Nationwide should take place.

Suck it up

[Toby The Economist]

Well, I think it's clear from the repeated stories of millions of confidential files being lost that enough large organisations simply don't understand security enough to get it right.

However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? quit? if your morgage is with your bank and they lose your account information, are you going to change bank?

Because there is basically, when all is said and done, no *real* pain for organisations, for loosing information, there is no *real* need for them to understand security enough for these data losses to stop.

So suck it up!

Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/receieved from my own home-run POP/SMTP server.

Re:Suck it up

[Fnkmaster]

Well, this is one of those cases where government intervention would actually be useful. If there were a mandatory penalty of $10 per record lost, plus the requirement that the company covers identity theft protection insurance for at least 2 years for all affected customers, well, you wouldn't ever see 11 million records leave the office, period.

When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.

Re:

[Toby The Economist]

I totally agree.

Unfortunately, the State is not independent of these corporations - their lobbies are effective and well funded. In other words, the mechanism which we, as individuals, have collectively agreeded to bring into existance (the State) is not functioning; it has been compromised by the entities it was created to constrain.

There *is* a penalty

[Colin Smith]

Up to £5,000 fine per offence against the Data Protection Act. 11 million records, 11 million offences. Directors are liable and the company is liable to cover any damages incurred, plus damages for distress inflicted.
 

Re:

[Fnkmaster]

Yeah, but how is it actually enforced? That's the real issue.

Still you guys over in the UK seem to be a bit ahead of us here in the US on this issue...

Not a Huge Surprise

[segedunum]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect. When a UK bank or building society says they're tightening security or doing anything, it's always a panic reaction and things revert to normal when the whole thing goes away.

People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop......."We've seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop. "This is really unusual."

It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.

Utter tosh

[mccalli]

Having worked indirectly, contracting for a few UK banks, I can't say this is a huge surprise. The people that work at these places aren't exactly the sharpest tools in the box, and quite frankly, they can't attract anybody with any intellect.

Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.

I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks who's area of expertise isn't computing - they're banks remember?

There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.

Cheers,
Ian

Re:

[segedunum]

Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.

Thinking mainly ;-). "Should I take this money laundering database home with me on my laptop, that contains details on hundreds of thousands of customers? Errrr, no. I don't think I will." That sort of thing.

I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools.

Som

Re:

[KZigurs]

Hi guys,

Just wanted to let you know that I haven't contracted for any UK or USA financial institution whatsoever, directly or indirectly.

Thought ya might want to know, you know...

Re:

[EnglishTim]

I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.

There's no evidence that there were 11 million customer records on the laptop. That's just a 'fact' made up by the submitter and swallowed hook, line and sinker by the editors.

Yes, Nationwide has 11 million customers. There's nothing to suggest that the laptop had information about all of them on it.

The page on Nationwide's site simply says that "The laptop contained some customer information to be used

Re:

[segedunum]

Now please show me one laptop that *doesn't* have a hard drive that can hold a Database that size. It just doesn't seem to make sense any more.

I was referring to how anyone would want to take that data, physically, home with them.

Re:

[T-Ranger]

Because "SELECT * FROM blah" is easer to type then "SELECT * FROM blah WHERE...".

well its a good thing they don't.....

[3seas]

allow the use of 4 gig thumb drives.....

Oh wait, Did I say "don't"?

why? why? why?

[elgatozorbas]

Possibly for the simple reason that many people don't see the "big picture" and have no idea of the risk they are exposing themselves to.

Probably not enough ID..

[Channard]

.. this is worrying, but it's probably not quite enough to take out finance/credit cards etc. My local store requires, if you're doing finance, proof of ID such as driving licence or passport, and also a recent household bill.

Re:

[Gandalf_the_Beardy]

I've seen people stealing these out of letterboxes before now on our estate. I can't personally think of any other useful reason to pinch a gas bill, unless you've been dumpster diving ot have bought a laptop for £50 with 11 million acount numbers on it.... Since the postie doesn't deliver until midday in many locations, and since it's easy to stick your fingers in a floor level letterbox and fish the mail back out again it's amazing anyone accepts a utility bill as proof of ID. All it is proof you h

TFA

[Chris_Keene]

TFA does not say that the laptop had infomation on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not pins, balances or passwords.

More infomation
http://www.nationwide.co.uk/security/news_and_aler ts/ [nationwide.co.uk]

This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.

Not to say they should not presume the worse and react accordingly of course.

I guess the coverage will help..

[cheros]

If the guy doesn't know by now he's not very world aware (story on BBC and probably in newspapers). I think his price just went up..

why was it even there?

[v1]

What does any employee of that bank need with the entire customer database? If he is doing work, he should be doing it at work not at home.

How many of this business's employees have full access to the entire customer database with account numbers?

Is it company policy to allow empoyees to take business records home at all? Or for that matter, is it even within company policy to bring your own personal laptop into the building?

So, what policies were broken, what policies are being changed, and what's not go

Re:

[caluml]

What does any employee of that bank need with the entire customer database?

Agreed.

If he is doing work, he should be doing it at work not at home.

Why? Stop thinking like an employer from the 50s. I work at home sometimes and it's better because: a. No commute. b. No interruptions. c. I can have a decent meal for lunch. d. I can listen to my music via speakers rather than headphones. e. I can be in to sign for parcels etc.
Sounds like you're the suspicious never-trust-people-you-can't-see type.

Re:

[v1]

One poster raises the point that the employee was working from home and that's why he had the data off site. I find that hard to believe for a bank to have people that "work from home". I still want to know what he was doing with the laptop full of personal information outside the walls of that bank in the first place.

Yes, access to the data is completely understandable. On company computers. On site. In a room out of sight of customers. But if you're out sitting at a keosk eating your lunch while bro

Re:

[v1]

there is also a difference from sitting in a public place analyzing customer information, and having it at your house

The most important difference being a false sense of security you get in being at home. Little consolation to the millions of people that you will be making have a "very bad day" for the next several months. Does it really matter if it gets stolen from your house, or forgotten at a rest stop on the way home, left on the roof of the car as you drive off, or forgotten in your car when you get

UK banking laws will protect customers, but...

[AmiMoJo]

In this regard, UK banking laws are actually quite good. Customers of the building society will not loose out financially if any fraudulent activity happens on their account. However, it's the secondary effects that are the problem.

Someone takes out a loan with your bank account details. Problem is discovered. You waste time and effort fixing it. Bank and loan company waste time. Loan amount is lost to criminal. Loss results in higher rates and charges for everyone. Who will pick up the bill? Not the bank,

Probably the same gig as in the u.s.

[unity100]

some sources get the confidential information about some people, then they will use this to entice these people to do their bidding. election fraud maybe ? politics ?

How is it

[JustNiz]

That this is even possible?
Its very worrying that even banks don't seem to understand the very basics about security, especially after other financial companies have already experienced the same kinds of security breaches. Don't they ever read the news? or learn for others mistakes?

Interesting indeed...

[SeaFox]

This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?

I'm so happy my bank uses high-tech data security on it's computer systems: they talk about it in this little pamphlet I got when I opened my checking account... It

Oblig. Seinfeld

[SeaFox]

JERRY: So the door was wide open?

KRAMER: Wide open!

JERRY: [Elaine enters the living-room] And where were you?

ELAINE: I was at Bloomingdale's...waiting for the shower to heat up.

KRAMER: Look, Jerry, I'm sorry, I'm uh, you have insurance, right buddy?

JERRY: No.

KRAMER: [looks shocked] How can you not have insurance?

JERRY: Because...I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED!

waiting 3 months

[teslar]

The theft happened three months ago, why has the news only just been made public?

Uhm... so the thief gets a chance to format the disk and sell the laptop on, not bothering about the data on it, before Nationwide tells him that he's stolen a potential goldmine?

This was a good decision, it probably stopped the data from actually being misused.

Profit!!

[RAMMS+EIN]

1. Withdraw all money from account

2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.

3. Profit!!!

Re:

[thrillseeker]

Well, £100 fine per lost record would be a good first step.

Re:

[Dunbal]

We need to implement the death penalty for this sort of thing.

      Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.

      See you in 11000000/365 = about 30,000 years!!!

The directors *are* liable to a fine

[Colin Smith]

Up to £5000 per offence. With 11 million offences they should probably have taken security a bit more seriously.

 

Re:

[jimicus]

And if it only happens occasionally, then the cost of rolling out encryption to every laptop owner (it's not just software cost, you've got to train them in something which most people have no understanding of whatsoever) seems absurdly expensive.

Re:

[nuggz]

FYI
m - milli = 0.001
k - kilo = 1 000
M - mega = 1 000 000

I consider local namings/conventions a sort of slang that should not be used in a global forum.

Re:

[einar2]

Because some people conduct their business very incompetent.

I work for a Swiss bank. All notebook harddisks are encrypted by default. There is no way our employees could get access to the customer database to replicate data!!! The Swiss banking law is rather harsh on such issues. For the employee as well as the bank.
In the end, you have to severly punish enterprises for being lax with customer data. The loose of reputation is not incetive enough. It has to hurt so that execs decide to recognize the issu

You're wrong - AFAIK it's a criminal offence

[cheros]

Nationwide is a UK business and thus subject to the UK Data Protection Act 1998. In chapter 9.5 of the UK Data Protection Act 1998 it defines this specific data loss as unlawful, and AFAIK this is a criminal offence for which the Directors get hit unless they can prove some poor schlob didn't do his job properly.

However, that doesn't quite get them off the hook if it can be demonstrated that the directors were negligent in enforcing the rules.

So, it's not a la Microsoft, pay the fine and try again - a crim

Incorrect

[cheros]

As much as it pains me to defend MS, this has zero to do with the OS, and everything to do with process.

(1) those files hould have NEVER gotten out of the door. Full stop, no if, no but, no maybe. Should. Not. Have. Left. The. Building.

(2) the oink that had them should have no need to work with real data. Real data should be processed inhouse (see point 1) andor transported with protection. Real data is NOT a development/test tool.

Only after all of the above do you start thinking about the conditions un