[ISN] Stolen Nationwide laptop prompts FSA probe

From: InfoSec News (alerts@private)
Date: Mon Nov 13 2006 - 23:44:44 PST


http://news.zdnet.co.uk/security/0,1000000189,39284689,00.htm

By Tom Espiner
ZDNet UK
13 Nov 2006 

The theft of a laptop containing Nationwide Building Society customer 
information is being probed by the Financial Services Authority (FSA).

The laptop was stolen from an employee's house in a burglary in August. 
Both Nationwide and FSA have refused to say exactly what data was 
stolen. According to Alan Oliver, Nationwide's head of external affairs, 
the laptop contained "limited customer information for market research 
purposes".

The building society is willing to say what had not been stolen. No 
PINs, passwords or information about financial transactions were 
contained on the computer, and no account details such as customer 
names, account numbers or sort codes were compromised, Oliver told ZDNet 
UK on Monday.

However, there is a chance that the limited customer data stolen could 
be linked to other information about individuals and used for identity 
fraud.

Nationwide insists that victims of identity fraud would not suffer 
financial loss, as the building society has a policy of reimbursing 
money stolen. "There has been no loss of money, and no chance of any 
customers suffering financial loss. If they are the innocent victim of 
fraud they will not lose out," said Oliver. "The information on its own 
cannot be used for identity fraud."

Nationwide would not say how many customers' details were contained on 
the stolen laptop. It is in the process of writing to all of its 11 
million UK customers to outline the security measures they need to take 
as a result of the theft.

"It's important at times like this to reassure people their information 
is safe and protected  and that it's a good thing to take precautions 
themselves," said Oliver. "It's important people take all necessary 
steps to protect their information."

Authorities, including the police and the Information Commissioner, have 
been informed about the loss of the data. Nationwide said it could not 
give any details of the burglary as it could compromise the police 
investigation.

"The police have asked us not to give details of the theft as to do so 
would compromise their ongoing investigation," said Oliver.

However, the police have told Nationwide that the crime was not 
targeted, and probably opportunistic.

Following the incident, Nationwide has taken "a number of different 
steps to increase security", although it would not say what steps had 
been taken. The building society also refused to comment on what kind of 
security policy it has regarding laptops, and whether encryption was 
used to protect the data.

The employee who had the laptop stolen may not have been acting in 
accordance with Nationwide security policy, the building society said.

"We're looking at our procedures as we speak. It appears that all 
procedures may not have been complied with," said Oliver.

Although Nationwide was keen to play down the severity of its security 
lapse, the Financial Services Authority (FSA)  which regulates the 
banking industry  is currently investigating the incident.

"We're continuing to discuss with Nationwide the incidence of a loss of 
data," said an FSA spokesman. "Our principle concern is to minimise the 
risk to consumers."

"Along with other authorities including the Information Commissioner and 
the police we considered when and how Nationwide should communicate with 
customers on this issue in a way that minimises any potential misuse of 
the data. We discussed what Nationwide needs to do to alert customers of 
the fact that data had been stolen."

While the FSA refused to comment on the nature of the data stolen, it 
said that the very act of alerting affected customers could have further 
compromised their security. This indicates that the data stolen could be 
used by criminals if linked to customer names or addresses.


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Mon Nov 13 2006 - 23:49:48 PST