ITPRO

Printed from www.itpro.co.uk


The lessons of Nationwide's lost laptop

Security, as they say, is a journey not a destination. Threats don't stand still and you never know what's going to happen until it hits you.

By Ron Condon, 23 Apr 2007 at 14:19

Your security plan should not assume that all defences will work as intended. So, no matter how thorough your security defences, you still need to have a proper incident response plan in place to cover those unforeseen circumstances.

The recent experience of the Nationwide Building Society serves as an example of how not to react. To recap, an executive of the company took his laptop computer home one night last August, and was burgled with the laptop among the goods taken.

The machine held details on several million customers (possibly all 11 million), but no details that would have allowed the thief to extract money from their accounts, even if he knew what he was looking at.

The assumption, probably true, was that this was an opportunistic crime, and the burglar had taken the laptop for its resale value. Nothing really to worry about, apparently.

Events after that are a bit murky, but by November, the Financial Services Authority had announced it was investigating what had happened, and in February 2007, it slapped a £980,000 fine on the Nationwide as a punishment.

In its judgement, the FSA took the Nationwide to task for delaying a full three weeks before conducting any internal investigation, and it also criticised the Society's poor approach to information security. For example, the data held on the laptop was not encrypted.

The fine was meant to send out a message to the rest of the financial services industry that lapses of security would not be tolerated. And it seems to have worked - the boardrooms of the major banks have reportedly all been ringing with the same question: "Could this happen to us?"

So what could Nationwide have done differently, and was the company right to take such an apparently casual view of the theft? Marcus Alldrick, a principal advisor at KPMG, is in no doubt that any loss of personal data needs to be taken seriously. "It's not a case of whether it could be used for direct fraud, but whether it could be used for fraud perpetrated by other means," he says.

Identity theft often relies on assembling small snippets of information until they build into a larger picture, so the bank's initial public statements when the theft came to light, reassuring everyone that no harm would come to them, gave an impression of complacency.

Other observers have leapt on the fact that there appeared to be no policy (or technology) to allow sensitive data to be encrypted on laptops.

"It really is very easy and economical for companies to protect data on their laptops using encryption software," says Ian Kilpatrick, chairman of security company Wick Hill. "This can cost as little as £75 per device protected and will make it impossible for anyone stealing a laptop to decipher what is on it."

It is understood that, in the wake of the enquiry, Nationwide has indeed introduced encryption software from Utimaco for all its laptops. So the stable door is now bolted to stop any more horses bolting.

But true security doesn't come with £75-worth of encryption software alone. It needs to be seen in the context of a much broader picture if it is to anticipate every eventuality.

For instance, encryption can create problems of its own. What if someone loses their key to files and no-one has a copy, for example?
