ArcSight top 10
Breyer Company - Information Security Management

Nationwide fine for stolen laptop 

BBC News 14th February 2007

The Nationwide Building Society has been fined £980,000 by the City watchdog over security breaches.

The fine follows the theft of a laptop from a Nationwide employee's home which contained confidential customer data.

The Financial Services Authority (FSA) found security was not up to scratch after the man had put details of nearly 11 million customers on his computer. The FSA also found that the Nationwide did not start an investigation until three weeks after the theft occurred.

Financial crime

The FSA will not reveal exactly what was on the laptop as it has still not been recovered. The Nationwide claimed that the information on it could not have been used for identity fraud as there were no PIN numbers, passwords or account balance information on it. However, it appears the laptop may have contained names, addresses and account numbers. As a result, the building society's customers had been exposed to the risk of financial crime.

"Nationwide is the UK's largest building society and holds confidential information for over 11 million customers," said Margaret Cole, director of enforcement at the FSA. "Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure," she added.

The theft

The FSA's investigation showed that the building society had not known that the laptop contained any confidential customer information at all. The laptop was stolen from the home of a long-standing and trusted employee of the Nationwide who needed access to the data. However, despite reporting the theft of the laptop promptly, he did not tell his employer what was on it and then went on holiday abroad. It was only three weeks later that he told the building society that customer information had been lost, prompting its investigation.

"The failure to manage or monitor downloads of very large amounts of data onto portable storage devices meant that Nationwide had limited control over information held in this way or how it was used, " said the FSA.

The theft became public last November. The Nationwide then wrote to all its customers apologising for the security breach.

Its chief executive, Philip Williamson, repeated that apology. "I wish to emphasise that there has been no loss of money from our customers' accounts as a result of this incident," he said.

The building society would not say if the employee in question had been sacked or otherwise disciplined.