UK Bank Laptop Stolen With 11M Customer Records
daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"
worrying questions (Score:5, Insightful)
The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?
I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).
What 'identity theft' really means is that the methods the financial industry uses to identify people are broken. Whenever the govt holds hearings on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.
Why was the info. on the laptop not encrypted? (Score:5, Insightful)
That is the one question that doesn't step on internal business processes, data, or procedures.
With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.
Sounds like they should be prosecuted (Score:3, Insightful)
Re:Why was the info. on the laptop not encrypted? (Score:3, Insightful)
When did stupidity stop being a valid reason?
Re:worrying questions (Score:2, Insightful)
Anyway the parent is right on the money, but we could start by taking easy baby steps and we don't even do that.
Not a Huge Surprise (Score:5, Insightful)
People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.
It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.
well it's a good thing they don't..... (Score:3, Insightful)
Oh wait, Did I say "don't"?
Re:Death Penalty (Score:3, Insightful)
Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.
See you in 11000000/365 = about 30,000 years!!!
Re:Suck it up (Score:4, Insightful)
When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.
Re:worrying questions (Score:5, Insightful)
One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".
It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.
Re:a reason to SMILE (Score:2, Insightful)
And hey - how many other banks have two rabid fans that are prepared to stand up and say 'Hey, my bank's great!' for no reason at all other than they've had a great customer experience? Yeah, so I guess it's very nearly off-topic, but there you go. Online banking is a valid alternative to places like Nationwide, and because they're on the internet security seems to be more of a concern for these banks.
What they're doing is breaking the law. (Score:5, Insightful)
From the UK Data Protection Act 1998.
If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.
Re:worrying questions (Score:4, Insightful)
Excellent question.
One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.
If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandinavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.
The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.
It wouldn't be so bad if all it took to prove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.
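The identification-versus-authentication split described in the post above, as an added illustration that is not part of the thread: a public identifier (an SSN-like number, constructed sample values here) only selects the record, while proving you are that customer requires a separate secret that is stored only as a salted hash. The `broken_login` function shows the conflated scheme the poster criticises; all names and records are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample directory. The identifier is public and only tells
# customers apart; the secret is known to the customer alone.
CUSTOMERS = {}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a stolen copy of the table does not reveal secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def enroll(identifier: str, name: str, secret: str) -> None:
    """Store the record; the secret itself is never written in clear."""
    salt = os.urandom(16)
    CUSTOMERS[identifier] = {
        "name": name,
        "salt": salt,
        "hash": _hash_secret(secret, salt),
    }


def identify(identifier: str):
    """Identification only: which customer is this? Public data suffices."""
    rec = CUSTOMERS.get(identifier)
    return rec["name"] if rec else None


def broken_login(identifier: str) -> bool:
    """Conflated scheme: quoting the (public) number is treated as proof."""
    return identifier in CUSTOMERS


def authenticate(identifier: str, secret: str) -> bool:
    """Authentication: the record is selected by identifier, then the
    separate secret is checked in constant time against the stored hash."""
    rec = CUSTOMERS.get(identifier)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_secret(secret, rec["salt"]))


# Two John Smiths: the identifier tells them apart, the secret proves identity.
enroll("123-45-6789", "John Smith (Leeds)", "correct horse battery")
enroll("987-65-4321", "John Smith (York)", "staple")
```

With the identifier public, a leaked customer list lets an attacker pass `broken_login` but not `authenticate`, which is the whole point of keeping the two roles separate.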
Re:a reason to SMILE (Score:1, Insightful)
His post is basically an advertisement. Hence, accusing this person of being a shill (not saying that he was indeed one) is a valid accusation.
You're pathetic for trying to reduce everything down to "isms".
I have had similar experiences (Score:1, Insightful)
Security theater is the present norm. Businesses insist that they take reasonable precautions, but they in fact do not. I have seen the weakness of "reasonable precautions" first-hand, over and over again. It is a bad situation, and it will only get worse.
Actual effective "reasonable precautions" are just too expensive, too time-consuming, and too cumbersome. They will not be implemented so long as the people in a position to implement them are not outright forced to do so.
I didn't used to be a cynic. Really I didn't. But then I saw the industry from the inside.
Re:Probably not enough ID.. (Score:2, Insightful)
Re:worrying questions (Score:3, Insightful)
Right. It's interesting to see how, in the USA, where (more) people are (more) paranoid about "them" watching them, you need SSNs for nearly every transaction beyond everyday stuff, whereas in Canada and the EU, where people are, generally, much more trusting, the local equivalents of SSNs are much more closely guarded and restricted in their purpose.
Having said that, mine is printed on my passport, so, I suppose, everyone who has ever seen my passport could have my SSN...but that's not a whole lot of people, actually. In fact, there are probably more people who know whatever number I used as an SSN when I lived in the US for half a year than there are people who know my actual, Dutch, SoFi number.