[ISN] U.K. company fined over laptop theft

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 00:10:03 PST


By Graeme Wearden
Special to CNET News.com
February 14, 2007

Nationwide Building Society, a U.K. financial services provider, has 
been fined $1.9 million after a laptop containing sensitive customer 
data was stolen from an employee.

The Financial Services Authority (FSA) hit Nationwide with the fine on 
Wednesday, following an investigation into the theft, which occurred in 
November 2006 at the employee's house.

According to the FSA, Nationwide was guilty of failing to have effective 
systems and controls in place to manage its information security risks. 
The FSA also discovered that Nationwide was not aware that the laptop 
contained confidential customer information and did not start an 
investigation until three weeks after the theft.

"Firms' internal controls are fundamental in ensuring customers' details 
remain as secure as they can be and, as technology evolves, firms must 
keep their systems and controls up to date to prevent lapses in 
security," said Margaret Cole, director of enforcement at the FSA.

"The FSA took swift enforcement action in this case to send a clear, 
strong message to all firms about the importance of information 
security," Cole added.

Nationwide has apologized for the incident and said it has tightened its 
security procedures in an attempt to avoid a repeat of the incident.

"We have extensive security procedures in place, but in this isolated 
incident our systems of control were found wanting," Nationwide's chief 
executive, Philip Williamson, said in a statement. "We have made changes 
to fill the gap and improve our procedures further."

It's still unclear exactly what customer data was held on the laptop. 
Nationwide insists that the information couldn't have been used to 
commit identity theft and says that no customers have lost money as a 

Nationwide acknowledged that the employee in question had not been 
following its existing procedures at the time of the theft. Although 
it's unclear exactly how procedures weren't followed, it seems likely 
that the laptop should not have left the company's offices or that the 
data shouldn't have been stored there at all.

"We can't comment on any action that may have been taken against the 
employee," a Nationwide representative told ZDNet UK.

Graeme Wearden of ZDNet UK reported from London.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 00:23:57 PST