UK Bank Laptop Stolen With 11M Customer Records 184
daveewart writes "BBC News reports that the UK Building Society Nationwide has admitted that a laptop containing account records of more than 11 million customers has been stolen from an employee's home. This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public? Why was it possible (indeed, why was it necessary at all) to put data relating to their entire customer base on an employee's laptop stored at an employee's home? Why was the information on the laptop not encrypted?"
worrying questions (Score:5, Insightful)
The worrying questions should be
Why should anyone be able to ruin your finances by just knowing some numbers?
Why should someone be able to borrow in your name by just quoting some number?
Why is my future dependent on whether some data entry operator in some company follows the proper security precautions?
I hate how everyone is using the term 'identity theft'. No one can steal someone else's identity (for now anyway).
What 'identity theft' really means is that the the methods the financial industry uses to identify people is broken.Whenever the govt holds hearing on 'identity theft' they are only legitimizing these methods and making the people responsible for the failures of the financial industry.
Re: (Score:2, Insightful)
Anyway the parent is right on the money, but we could start by taking easy b
Re: (Score:3, Insightful)
Right. It's interesting to see how, in the USA, where (more) people are (
Re: (Score:2, Interesting)
Re: (Score:2)
say 500 bytes per record - plenty to store name, address, phone number, account number, balance, ID number.
11M * 500 = 5500MB or about 5.5 GB. There's still plenty of room.
Re: (Score:2)
Re: (Score:2)
Hehehe. It happens! There's nothing wrong with critical thought.
with banking details which I would consider more sensitive
Ugh, you should try dealing with all the niceties HIPAA provides...
Re: (Score:2)
Ok, consider this. Let's assume that each record is, say, a couple of kilobytes (that's much more than it probably is) of just text, as you say.
11,000,000 * 2kb = 22,000,000 kbytes.
22,000,000Kb = 21484.375 MB = 20.98 GB.
If it's in a raw database format, that is.
Last time I checked, laptops aren't exactly being sold with 20GB of HD space.
Re: (Score:2)
I'm not sure, do you mean "aren't exactly being sold with 20GB of HD space anymore"? Because last time I checked, the usual size was around 60 GB
Re: (Score:2)
On another note, what kind of *MORONIC* company allows sensitive customer data on portable media in unencrypted form? I mean hell, it's not like there haven't been plenty of cautionary tales, and it's not like it even costs any damn money, just run truecrypt if you're too cheap to buy anything, it works well.
I'm guessing that they think that the possibility that somebody might forget a password is more important than actually safegua
Re: (Score:2)
The latest models of laptops have not one but two slots for the 2.5" hard disk drives, which are accessible from a side panel (rather than being mounted deep inside the system). And 20 GB is at the lower end of the memory capacity for this size of drive, with 100GB at the high end. So it's easy for a laptop to have 200GB of storage if you really wanted to. For design engineers having a workstation that they can take into meetings o
Re: (Score:2)
Re:worrying questions (Score:5, Insightful)
One of the databases I was working on had hundreds of thousands of credit card numbers in it. I deleted it, of course, but it was trivial to bring it home... at that time, to me, it wasn't a collection of credit card numbers, it was just "the database I needed to have present to finish my work".
It's SOO easy to be trivial about these types of things when you're an overworked IT pro. Security procedures exist BECAUSE it's so easy to forget that the stuff that you deal with in such a routine fashion is sensitive. It's just like reality tv stars forgetting about the cameras.
Re: (Score:3, Interesting)
I can understand, though, how some smaller companies may not have the resources to do things like this properly, but for the benefit of other read
Re: (Score:2)
I can understand, though, how some smaller companies may not have the resources to do things like this properly
Rubbish. Even if they have to develo
Re: (Score:3, Funny)
The idea of not using "live data" in that particular case was a bit of a joke.
What they're doing is breaking the law. (Score:5, Insightful)
From the UK Data Protection Act 1998.
If this hasn't been followed then the law has been broken and the perpetrators should suffer the consequences. Which is currently a fine of up to £5,000 per offence. Directors being liable. With potentially 11 million offences that could add up to a lot of money.
Re: (Score:2)
Not that they would - the DPA isn't that heavily enforced - but I don't want them facing a fine that size. My mortgage is with them and the last thing I need is for them to foreclose everyone's mortgages to pay off a fine.
Re: (Score:2)
Simple. They are feeling Important, so that they can also feel Virile (or Fertile, depending on their gender). PHB's always do stupid shit like this. That's one of the many reasons this world is so fucked up!
Re: (Score:2)
The information was being used for marketing purposes (according to Sky News. Presumably, this list of names and addresses was going to be used to send out mail shots. At 11 million records, that covers well over 10% of the entire UK population.
Re: (Score:2, Funny)
Re: (Score:2)
Why should anyone be able to ruin your finances by just knowing some numbers?
Because otherwise you would not be able to use all these nifty on-line things, and would need to go to the bank everytime you wanted to transfer money. The problem is not in the use of numbers, but in recklessness.
Re: (Score:2)
That raises the question of how the bank authenticates you. I'm confident a web interface can be at least as secure as whatever you get when you're physically at the bank (note that I did not say "what you _could_ get when you're at the bank"). Of course, this case is about a leak in the back end; a front end is never going to protect against that, no mat
Re: (Score:2)
Since the device is a black box, I have no idea how good the security is (it particularly worries me
Re: (Score:2)
Re:worrying questions (Score:4, Informative)
If people could actually claim ownership of their data and have it released only when they specifically agreed to the release with proper notification, the identity theft problems would go away (but so would the business model of the credit agencies).
Re: (Score:2)
Now, hold on just a second. Aren't there laws against that in the EU? Laws that detail consumers' right to privacy and specify what companies can and can't do with personal information? I can certainly imagine a few companies getting away with breaking these laws, but not a whole industry being founded on it. Besides, it seems to me banks make money b
Re: (Score:2)
As far as banks go, they tell you that they are releasing your personal bank inf
Re:worrying questions (Score:4, Insightful)
Excellent question.
One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.
If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandanavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.
The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.
It wouldn't be so bad if all it took to pove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.
Re: (Score:3, Informative)
[1] - Everyone who's been issued an ID Card; that is, about 90% of the population.
Re: (Score:2)
And, more importantly, could be changed if it ever became compromised. If you didn't have the ability to change that "secret number", it would be no better than a biometric authentication system that depends upon some supposedly unique aspect of your body.
Social Security numbers wouldn't be s
Re: (Score:2)
Re: (Score:2)
For example, I live in Russia. Stolen databases of passport data are freely sold on black market. But it's impossible to do anything with them, because _every_ business where identity is important requires your physical presence with your passport. And it's a common practice to attach photocopied passport pages to documents (in banks, etc.).
Of course, there's a downside to this: you need national ID system AND you are going to lose a lot o
Re: (Score:2)
I'd say not ever. But then, I understand identity to mean a relation that holds for p and q, if and only if p and q denote the same object. Like eq in Common Lisp. What is "stolen" is not the identity, but the traits that we look at when trying to verify identity. The checks we perform are more like eql or equal than eq.
Also, many cases of identity "theft" don't actually remove credentials (let alone identity) from the victim: very often they cop
Re: (Score:2)
Surely there has to come a time when the issue of identiry theft has to be tackled in some reasonably effective way, not simply buck-passing from bank to customer to insurance provider to government, as is the case right now?
Re: (Score:2)
I wouldn't be so sure. Security and privacy often go hand in hand. In this case, for example, a security problem caused private information to be leaked. Privacy was lost, because of bad security. Also, if these records contain enough information to actually impersonate the customers, then the privacy leak causes a breach of security: banks' authent
Why was the info. on the laptop not encrypted? (Score:5, Insightful)
That is the one question that doesn't step on internal business processes, data, or procedures.
With free "hard" encryption tools out there such as TrueCrypt and encfs, there is no excuse whatsoever for customer data to leave the data center without an encryption envelope/container.
Re: (Score:3, Insightful)
When did stupidity stop being a valid reason?
Re: (Score:2)
I've always been told that "ignorance is no excuse under the law"; so, the answer is "a long time ago"!
Re: (Score:2)
I know a few companies (although really small) which have the same mentality. One is a photographer who uses a laptop without a firewall, IE6, without antivirus and without any updates. They say that they don't need any updates or nothing because he only uses the laptop to check emails and go on eBay. Sigh.
Re: (Score:2)
A more secure policy does not good unless policies regarding data are strictly enforced at every step. As soon as the data was copied in an unauthorized manner, the bank lost the power to control its subsequent use.
More leniant policies, more strictly enforced would do better. If it is necessary for
Re: (Score:2)
I agree. Where I work, we actually take things further. Any customer information like this, even if it's stored on internal systems, must still be stored encrypted. It is also unlikely our developers would have ever needed live production customer data to test with, so it would be odd (suspicio
Re: (Score:2)
If an employee needs regular access to sensitive data and password entries with TrueCrypt or encfs are too much work, the company could always spend a few hundred extra on laptops preconfigured to use drive encryption, with or without biometric drive security. Several companies including IBM/Lenovo sell such hardware.
The point is that the usual excuse of budget constraints don't wash -- there are free options that require little work.
Double click TrueCrypt container. Select virtual drive letter. Cli
Why, why, why? (Score:4, Funny)
It is not often I say . . . (Score:4, Funny)
Re: (Score:3, Funny)
Or is that *had* in your account?
a reason to SMILE (Score:4, Interesting)
It amazes me that people still use high street banks. I haven't set foot in a bank in 5 years.
Re: (Score:2, Interesting)
Seems like you're nothing but a petty shill.
Re: (Score:2)
Pathetic.
Re: (Score:2, Insightful)
And hey - how many other banks have two rabid fans that are prep
Re: (Score:2)
"We're the only UK online bank with the BS7799 Information Security certification from the BSI. That means we have an extremely secure Internet Banking service"
wikipedia entry:
http://en.wikipedia.org/wiki/BS_7799 [wikipedia.org]
Plus every newspaper that ever runs a story on the most / least secure banks seems to always rank smile #1. I'm not a 'shill', I dont work for smile, I run my own games company. I'm just a
Re: (Score:2)
I also have an account with Lloyds TSB. With them, the computer asks 3 questions which the phone bank person relays to you. They punch the answers in, computer either says "no" or "yes". It doesn't say which questions were wrong if access is denied. In any case, the person in the call centre can't get at your bank details until such time as the questions are answered.
Not so with Smile. With Smile, as soon as the
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
On the two occasions I have had trouble with another company, I was refunded the money without question right away.
They also promise NEVER to email customers because of the inherent problems.
Reading the article, it does not say that all 11 million customers' information was even on the laptop, and the only information on there was account numbers and names.
I have n
Re: (Score:2)
Sounds like they should be prosecuted (Score:3, Insightful)
Re: (Score:2)
Banking competition... (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Bought. As in "to buy". Brought is as in "to bring".
Re: (Score:2)
Suck it up (Score:4, Interesting)
However, we all carry on using their services because we're stuffed if we don't - if your university loses your details, what are you going to do? quit? if your morgage is with your bank and they lose your account information, are you going to change bank?
Because there is basically, when all is said and done, no *real* pain for organisations, for loosing information, there is no *real* need for them to understand security enough for these data losses to stop.
So suck it up!
Personally, I'm trying to get out from under. I gave up my mobile phone last week - I do not accept having my mobile phone calls logged for a year. I'm moving over to Tor, because I do not accept having my browsing logged for four days (current UK retention). I'm thinking about getting rid of the phone, too, and moving over purely to encrypted email which will be sent/receieved from my own home-run POP/SMTP server.
Re:Suck it up (Score:4, Insightful)
When the customers have low bargaining power due to a natural oligopoly market scenario with few large, powerful competitors, the government needs to provide some protections from this sort of abusive behavior.
Re: (Score:2)
Unfortunately, the State is not independent of these corporations - their lobbies are effective and well funded. In other words, the mechanism which we, as individuals, have collectively agreeded to bring into existance (the State) is not functioning; it has been compromised by the entities it was created to constrain.
There *is* a penalty (Score:2)
Re: (Score:2)
Still you guys over in the UK seem to be a bit ahead of us here in the US on this issue...
Not a Huge Surprise (Score:5, Insightful)
People are asking various questions like "Why wasn't it encrypted?" That's a pointless question. I want to know how on Earth you get 11 million customer records on to a single laptop in the first place.
It's not that unusual at all sadly. All customer details are stored on mainframes or in big databases centrally, so no, there's no chance of stealing everything to do with a customer. This is where the disorganisation of UK banks' IT systems comes in handy. I'm wondering if this is perhaps a dirty great Access database or something used for mailing list or money laundering (ironic, I know) purposes. If so, this kind of thing happens all the time.
Utter tosh (Score:4, Informative)
Ah, the 'I know everything better than you do' type of genius. Tell us, oh great one, of how your towering intellect dwarfs the mere minnows you have dealt with in the past.
I too have contracted around various UK and foreign-owned but UK-based banks. Some of the people I met there were fools. Some were amongst the brightest people I've known. As ever, and particularly in organisations that huge, there's a large mix of people involved. There are also a number of bright people in banks who's area of expertise isn't computing - they're banks remember?
There may well be an issue of education, and also I'd like to know why these things didn't have full-drive encryption installed. Then again, we don't know that it didn't - despite the article summary, Nationwide have refused to give any details. That's any details, whether positive or negative, nor have they confirmed any numbers. 11 million is just the number of customers they have, not necessarily the ones on the laptop.
Cheers,
Ian
Re: (Score:2)
Thinking mainly ;-). "Should I take this money laundering database home with me on my laptop, that contains details on hundreds of thousands of customers? Errrr, no. I don't think I will." That sort of thing.
Som
Re: (Score:2)
Just wanted to let you know that I haven't contracted for any UK or USA financial institution whatsoever, directly or indirectly.
Thought ya might want to know, you know...
Re: (Score:2)
There's no evidence that there were 11 million customer records on the laptop. That's just a 'fact' made up by the submitter and swallowed hook, line and sinker by the editors.
Yes, Nationwide has 11 million customers. There's nothing to suggest that the laptop had information about all of them on it.
The page on Nationwide's site simply says that "The laptop contained some customer information to be used
Re: (Score:2)
Re: (Score:2)
well its a good thing they don't..... (Score:3, Insightful)
Oh wait, Did I say "don't"?
why? why? why? (Score:2)
Probably not enough ID.. (Score:2)
Re: (Score:2, Insightful)
TFA (Score:3, Informative)
More infomation
http://www.nationwide.co.uk/security/news_and_ale
This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.
Not to say they should not presume the worse and react accordingly of course.
I guess the coverage will help.. (Score:2)
why was it even there? (Score:2, Interesting)
How many of this business's employees have full access to the entire customer database with account numbers?
Is it company policy to allow empoyees to take business records home at all? Or for that matter, is it even within company policy to bring your own personal laptop into the building?
So, what policies were broken, what policies are being changed, and what's not go
Re: (Score:2)
Agreed.
If he is doing work, he should be doing it at work not at home.
Why? Stop thinking like an employer from the 50s. I work at home sometimes and it's better because: a. No commute. b. No interruptions. c. I can have a decent meal for lunch. d. I can listen to my music via speakers rather than headphones. e. I can be in to sign for parcels etc.
Sounds like you're the suspicious never-trust-people-you-can't-see type.
Re: (Score:2)
Yes, access to the data is completely understandable. On company computers. On site. In a room out of sight of customers. But if you're out sitting at a keosk eating your lunch while bro
Re: (Score:2)
The most important difference being a false sense of security you get in being at home. Little consolation to the millions of people that you will be making have a "very bad day" for the next several months. Does it really matter if it gets stolen from your house, or forgotten at a rest stop on the way home, left on the roof of the car as you drive off, or forgotten in your car when you get
UK banking laws will protect customers, but... (Score:2)
Someone takes out a loan with your bank account details. Problem is discovered. You waste time and effort fixing it. Bank and loan company waste time. Loan amount is lost to criminal. Loss results in higher rates and charges for everyone. Who will pick up the bill? Not the bank,
Probably the same gig as in the u.s. (Score:2)
How is it (Score:2)
Its very worrying that even banks don't seem to understand the very basics about security, especially after other financial companies have already experienced the same kinds of security breaches. Don't they ever read the news? or learn for others mistakes?
Interesting indeed... (Score:2)
I'm so happy my bank uses high-tech data security on it's computer systems: they talk about it in this little pamphlet I got when I opened my checking account... It
Oblig. Seinfeld (Score:2)
JERRY: So the door was wide open?
KRAMER: Wide open!
JERRY: [Elaine enters the living-room] And where were you?
ELAINE: I was at Bloomingdale's...waiting for the shower to heat up.
KRAMER: Look, Jerry, I'm sorry, I'm uh, you have insurance, right buddy?
JERRY: No.
KRAMER: [looks shocked] How can you not have insurance?
JERRY: Because...I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED!
waiting 3 months (Score:2)
Uhm... so the thief gets a chance to format the disk and sell the laptop on, not bothering about the data on it, before Nationwide tells him that he's stolen a potential goldmine?
This was a good decision, it probably stopped the data from actually being misused.
Profit!! (Score:3, Interesting)
2. Write letter to bank, complaining that all money was stolen, and demanding compensation. The bank can't refute your claim, because your authentication data has been stolen, so they can never prove it was _really_ you who did the withdrawal.
3. Profit!!!
Re: (Score:2)
Re: (Score:3, Insightful)
Nahh, just 1 day in jail for the directors of the company, for each individual's information that was stolen.
See you in 11000000/365 = about 30,000 years!!!
The directors *are* liable to a fine (Score:2)
Re: (Score:2)
Re: (Score:2)
m - milli = 0.001
k - kilo = 1 000
M - mega = 1 000 000
I consider local namings/conventions a sort of slang that should not be used in a global forum.
Re: (Score:2, Informative)
I work for a Swiss bank. All notebook harddisks are encrypted by default. There is no way our employees could get access to the customer database to replicate data!!! The Swiss banking law is rather harsh on such issues. For the employee as well as the bank.
In the end, you have to severly punish enterprises for being lax with customer data. The loose of reputation is not incetive enough. It has to hurt so that execs decide to recognize the issu
You're wrong - AFAIK it's a criminal offence (Score:2)
However, that doesn't quite get them off the hook if it can be demonstrated that the directors were negligent in enforcing the rules.
So, it's not a la Microsoft, pay the fine and try again - a crim
Incorrect (Score:2)
(1) those files hould have NEVER gotten out of the door. Full stop, no if, no but, no maybe. Should. Not. Have. Left. The. Building.
(2) the oink that had them should have no need to work with real data. Real data should be processed inhouse (see point 1) andor transported with protection. Real data is NOT a development/test tool.
Only after all of the above do you start thinking about the conditions un