BBC News
Launch consoleBBC NEWS CHANNEL
Page last updated at 11:36 GMT, Saturday, 18 November 2006

Have your say: Security lapses

Nationwide branch

Eleven million Nationwide customers may have been put at risk of identity crime after an employee's laptop was stolen.

The computer with customer information on it was stolen during a domestic burglary three months ago.

But details of the serious security lapse are only just emerging.

Nationwide has apologised to customers and reassured them that they will not become identity-theft victims.

Should financial firms be made to inform customers immediately after any security lapse?

Are you a Nationwide customer? What do you think about the security lapse?

Read a selection of your comments below.


The theft of laptops, either from cars or properties, has been rife for several years now, so it seems rather irresponsible for such extensive customer information to be stored on one. The Nationwide has a lot of questions to answer and has let its members down badly in every respect.
Roger Drew, Portsmouth

As well as the potential for identity fraud, I'm also very concerned about exactly what data was held on there. It seems there may have been names and account numbers, but what about people's credit ratings, current balance, and salary information? I wouldn't want all this information about me to be known publicly.
Tim, Norwich

I have been with Nationwide for almost 45 years, and have every faith in its security. I also worked for 36 years in the IT Industry and believe that, based on its statements, it has done everything necessary to protect its customers. This appears to be a media hype. The media should be warning the public more about phishing which is more likely to be the way criminals will get any security data needed.
Mike Young, Barnham

No-one has yet asked the question, how many other Nationwide employees are carrying their laptops around with them, potentially leaving them on buses or in taxis? I am a Nationwide customer and am angry that this has been kept from me and that the boss of Nationwide is hiding behind some police "advice" not to divulge some pretty basic facts, such as, are our names and addresses on that laptop? I'm in two minds at the moment as to whether to pull my account.
Mike, Spalding

I do not think it is fair of the media to be publishing reports without collecting proper facts
Shashi G, Loughborough

I do not think this incident is as serious as the media makes it out to be. If people read the statement given out by Nationwide properly they say there is nothing to worry about. I do not think it is fair of the media to be publishing reports without collecting proper facts. It is not fair to worry people for no reason. Think about the vulnerable people who are not likely to understand the situation and worry for no apparent reason. I am a proud customer of Nationwide and they have helped me out over the years so much when no other institution would.
Shashi G, Loughborough

I am a Nationwide customer and have always found them good. But they should be made to advise customers immediately something like this happens so at least we change details or just be more vigilant with our accounts. I'm disgusted they deemed it a good idea to keep it under wraps. At the end of the day it's our money and financial security at risk - how dare they keep it quiet? A press release should have aired with in 24 hours.
Paul Pettifer, Slough

I have been a Nationwide customer for what must be nearly 20 years. In all that time the service has been excellent. I am not worried about this hyped-up scare story.
Joe Lou, Manchester

We can hope that the data will never see the light of day - with the PC being recycled by the culprits. If it does transpire that all this confidential data is in the hands of malicious thieves, then Nationwide faces damage to its reputation of incalculable consequences.
Mike Forster, Horsham

There should be stricter rules on data protection
Malcolm Gardner, Shropshire

I am a Nationwide customer and feel I should have been informed a lot earlier. There should be stricter rules on data protection and fines imposed when necessary.
Malcolm Gardner, Shropshire

I thought that your comments were foolish. It seems at least possible that the thief felt he had just stolen a laptop. The policy of first trying to ensure that potential harm is minimised, by replacing card numbers for example, seems exactly the correct one. My security takes greater priority than your wish to publish. Otherwise, I have to say, you run a generally excellent programme.
Neville Cramer, Cambridge

The person who mentions that it's all scaremongering has really lost the plot. If they had their ID stolen they wouldn't say that. I also think that the person who took the laptop home and the person that authorised it (if someone had authorised it) should be dismissed immediately for gross negligence.
Barbra Smith, Harrow

I am surprised at the amount of people who don't see this as an issue. In IT, we spend millions of pounds trying to stop people accessing personal data and here Nationwide has handed it to someone on a plate. You cannot assume that it was merely "flogged for £20 in the pub". As someone with a daughter who has had her details stolen, the dismay, inconvenience, aggravation and tears that follow cannot be trivialised. I recommend that these people break out of their bubble and join me in the real world in 2006!
Pen

The way in which Nationwide has dealt with this incident actually makes me feel more secure
Lucy Bailey, Hay-on-Wye

As a Nationwide customer, I fully support its reasons (although not explicitly given) for not informing the public of the stolen laptop. Had the laptop been stolen from a branch, the situation might have been different (although the thief would have been on CCTV). However, because it was an employee's home, informing the public immediately would have certainly let the thief know the potential value of what they had stolen. Given the three month delay, it is more than likely that the laptop would have been wiped and sold on. It's all very well to say that wiped data can be retrieved, but if no-one knows it is there, who is going to want to retrieve it? The way in which Nationwide has dealt with this incident actually makes me feel more secure.
Lucy Bailey, Hay-on-Wye

Accounts seem to suggest that the taking of the laptop home was a breach of policy. One would like to think that this would be an act of "gross misconduct" and the employee sacked. The Nationwide's comments about the laptop being "password protected" are totally lame. It is clear from his comments that encryption was not used. Nationwide claim that no customer has been or will be the victim of ID fraud. How does one prove that fraud was a result of data gained from the laptop - information may be of use with other organisations that have fewer security measures in place. Nationwide's refusal to indicate exactly what data was stolen simply fosters the thought that rather more information was stolen than it is letting on - they are protecting themselves, not the customer.
Andrew Hana, Bristol

Most thieves wouldn't guess who owned the laptop nor would they take the time to attempt to gain data from it. If Nationwide has been negligent enough to not encrypt its laptop drives then it should be reprimanded. The Data Protection Act states that every possible measure must be taken to secure important customer information.
Mark D, London

I am a Nationwide fan and have been for over 10 years. I have no problem with what I understand the situation to be at present and I am very content to leave it in the hands of those that know best as to the full extent of the issues - Nationwide. My anger is directed towards those that feel the need to break into property to steal from others.
Nec, Midlands

Events like this highlight the threat to innocent people in this electronic age. It is naive to think that when we give our information to others it is completely secure. It raises bigger questions that need to be addressed for example the government's identity cards. I'm not against them in principle, but I disagree with government's or other institutions holding my information on secure servers when this illustrates how easy it is to misplace the information.
Jon, Southampton

This seems to me to be the grossest negligence, even if the risk of fraudulent use of the data is slight
Michael Collett, France

If the negligent employee really needed information about a customer or customers when away from his office, surely he could have downloaded that information from Nationwide as and when he needed it, deleting it immediately after. Alternatively, he could have had the information on an external hard drive, other than with his laptop, but in an encrypted form. This seems to me to be the grossest negligence, even if the risk of fraudulent use of the data is slight.
Michael Collett, France

I am a relaxed Nationwide customer
John Schultz, Stockport

I believe your programme is guilty of appallingly irresponsible scaremongering, and an outrageously unjustified accusation of indifference against Nationwide. Every time I give someone a cheque, it reveals my name and account number. And my address is in the phone book. I use my e-mail address widely - I've even given it to you below! This is all readily available information about most people. And how can you justify abusing your position by making a cheap jibe of indifference against those who merely follow police advice? I am a relaxed Nationwide customer, am not an employee, and don't know anybody who works for it.
John Schultz, Stockport

Thank you Nationwide for not disclosing the theft quickly. If they had the thief would have known the value of what he had and used it. Instead the thief almost certainly reformatted the disk to make it saleable.
David Llewellyn, Huddersfield

I won't leave Nationwide in regards to this incident. Nationwide has been so generous to me in several occasions. I have been with them for the past seven years. I will continue to be with them for the rest of my life. I love my bank.
Bashkim Krasniqi, Lewisham, London

I take reasonable steps to protect my myself from identity theft. I am therefore more than disappointed that Nationwide may have compromised my efforts through a very basic data security failure. It should be of great concern to customers that an error of judgement as fundamental as this can be made by the custodian of so much confidential data, and that Nationwide do not see fit to explain exactly what information was on the laptop. The story that the police have advised them not to release more detail strikes me as rather hollow. Previous comments mentioning "scaremongering" reflect a head in the sand outlook and I am grateful that the media have brought this issue to my attention. I have started moving some funds out from my Nationwide accounts as I have been able to find better rates elsewhere. I think that this occurrence will accelerate the process.
Rbel, Devon

Those who claim that the report is scaremongering do have a point but I doubt whether they would be equally relaxed if one day they discovered their identity had been stolen, their bank account emptied or huge debts run up in their name. Would they then also not expect the institution to make good the financial loss incurred, so that I don't have to indirectly fund their loss? Any of my employers would have regarded taking data, encrypted or otherwise, offsite to be a dismissible offence.
Helen K, Kent

Could Nationwide be prosecuted under the Data Protection Act? I have a loan with Nationwide and am concerned that my personal details will become available to fraudsters.
Francine Paluch, Northampton

The information could be used for any number of fraudulent activities
W Payne

Nationwide says customers will not be liable for fraud on their Nationwide accounts as a result of this lapse but what will it do if someone steals an identity and uses it for purposes other than defrauding the Nationwide accounts? If what we hear about identity fraud is true, the information could be used for any number of fraudulent activities not necessarily only defrauding a Nationwide account. These uses may be more difficult for customers to keep track of.
W Payne

Obviously there is a concern as a customer and I hope that Nationwide will at least send statements soon after there has been an activity in an account.
Claire Medder, Barking

I can't think of any possible reason for holding the details of 11m customers on a laptop, and I'd guess that if it was strongly encrypted the Nationwide would have made this clear. A bigger issue is how many times this has previously happened to other banks (or any other company). I'd hazard a guess that it frequently happens but we're never told about most breaches. Perhaps a law compelling companies to inform customers affected by a security breach should be introduced.
Sas, Oxford

As a Nationwide customer, I have only just learnt of this appalling situation by tuning into Money Box today. As for some comments regarding your scaremongering - absolute rubbish, without free press and programmes such as Money Box we would all be in the dark, as I was before listening to your item. There should be a full and open investigation into this situation, not least why this computer was allowed out of a secure bank and more importantly why we customers were not, and have still not, been informed of this incredible lax of security, putting us and our money at risk.
Peggy Brazil, Birkenhead

Even after reformatting a large amount of data can be recovered so the security risk remains potentially high
Marc Thomas, Oxford

If the laptop was stolen with the intent of getting customer data the security risk is already very high. If it has been stolen for the usual motive of sale for cash, it has probably been disposed of via a boot sale by now. It is quite probable that if the machine is now being used it has been reformatted and the data will be hidden. However, even after reformatting a large amount of data can be recovered so the security risk remains potentially high. Those organised criminals have probably started to look quite hard for the laptop in question. Maybe they have a good chance of finding it, then what? Perhaps your efforts to reveal this to the world have only made things worse. By all means alert customers that they should be more vigilant, but don't give criminals information that may help them to get our data. Do chastise business for lax data security, but for goodness sake don't increase the risk by distributing useful information.
Marc Thomas, Oxford

Surely it's about time that we had free access to our credit history
Richard, Birmingham

There are so many avenues of attack for criminals these days, and we are being constantly reminded to carefully protect our details. Yet we still have to pay to check one of the most important records held about us - our credit histories. Surely it's about time that we had free access to our credit history. As someone who's had to investigate a suspicious entry on my history, I would welcome the ability to keep track of what's happening in my name.
Richard, Birmingham

How dare a banking organisation allow its data to go to the relatively insecure location of an employee's home? Surely this is a matter for the Information Commissioner? Is this practice outlawed by other financial institutions? Unfortunately, I suspect not.
Richard, Reading

I worked for years in the security team of a major banking group and no-one in that bank was allowed to use real customer data for testing or such purposes and no-one could take a copy of customer data to be used on their own computer (desktop or laptop). Customer data is protected by the Data Protection Act and is only allowed to be used by authorised users for legitimate purposes. What could be the legitimate purpose be for an employee to have the details of 11m customers on a computer in their home? In any other organisation I have ever worked for, this would be seen as negligent at best if not actively flouting the DPA.
Peter Buck, Dartford

It's most likely that the stolen PC was flogged down the pub on the night it was stolen for about £50
Simon, Northamptonshire

What a ridiculous sensationalising of this story. It's most likely that the stolen PC was flogged down the pub on the night it was stolen for about £50, and the people who stole it wouldn't have the skills or interest to interrogate the data. We can almost certainly find more information about people on the internet by collecting the information that they've willingly given to various websites. So please stop being so sanctimonious and sensationalist in your reporting.
Simon, Northamptonshire

Surely the fundamental lapse in security is that an employee was allowed to take critical information into an insecure environment. If the employee needed to do work at home, it seems improbable that they would have needed access to every customer's account details.
Graham Williams, Whittington, Lancs

Oh dear, what a fuss! I've always trusted the Nationwide and I don't see any reason to not trust them now - do you think they've not been doing anything? Do you think they're lying to us?
Stephen Bould, Folkestone

I think it is absolutely disgusting that an employee was allowed to have this sort of information on a laptop
Michael Hardy, Swindon

I think it is absolutely disgusting that an employee was allowed to have this sort of information on a laptop. As a Nationwide customer I would assume this data was held on a secured network protected by numerous firewalls and encryptions. Much more needs to be done to make identity theft a serious crime and more to protect the victims of identity theft from being prosecuted for other people's debts. I hope the FSA conducts an immediate and comprehensive inquiry into this whole sorry affair.
Michael Hardy, Swindon


The comments we publish are not necessarily the views of the BBC but will reflect the balance of views we have received. It is helpful if contributors state if they work for any organisation relevant to an issue discussed. Readers should form their own views on whether messages published represent undeclared interests, or views prompted by a common source.

BBC Radio 4's Money Box was broadcast on Saturday, 18 November at 1204 GMT and repeated on Sunday, 19 November at 2102 GMT.



SEE ALSO
Millions at risk in laptop theft
18 Nov 06 |  Moneybox


FEATURES, VIEWS, ANALYSIS
Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

banner watch listen bbc sport Americas Africa Europe Middle East South Asia Asia Pacific