Analysis: The case of the stolen Nationwide laptop should raise alarm bells

February 28, 2007

The Nationwide building society was fined a hefty £980,000 by the Financial Services Authority (FSA) last month, in the first case of its type in the UK.

A member of staff took home a laptop containing details of nearly 11million customers - essentially the entire customer database - and thenhad it stolen in a break-in. The employee then went on holiday, delayingthe official investigation for three weeks. Although Nationwide claimsthat no account details were on the laptop, customer data such asaddress seems to have been present. It has written to every customerapologising, according to chief executive Philip Williamson.

The FSA said in a statement: "Nationwide did not take reasonable care toensure that it had effective systems and controls to manage the risksrelating to information security, specifically the risk that customerinformation might be lost or stolen." Ironically, the FSA set up a newfinancial crime and intelligence division in January, designed to dealwith "low-tech breaches of security" such as this.

Industry observers will doubtless make comparisons with US disclosurelaws and encryption regulations, and mull the introduction of similarlaws in the UK, but the clearest message here for all is not to allowanyone to carry your entire customer database around on a laptop.

Beyond this basic security concept comes the well-travelled path ofencrypting data at rest, managing access to confidential data, andcontrolling the use of laptops on the corporate LAN.

Interestingly, with new PCI standards set to come into force in June,any company that handles even just credit card payments, pulling asimilar stunt to Nationwide will face fines and sanctions.

However, the society said it "would not be fair" if the directors paidthe fine. This means that, because Nationwide is owned by its members,customers will have to pay up, which works out at around nine penceeach.

prestitial ad