Saturday, November 18, 2006

Nationwide Laptop Theft

Apparently in August a Nationwide employee had a laptop stolen. No problem there. Just buy another one. However, according to this report from the BBC, there is data on 11 million customers on it.

Here is where I have a huge issue. We have large data centers storing masses of information on customers behind carefully constructed security barriers, and some prat can simply take all the data out on their laptop, where it is fundamentally insecure.

This is also not the first time this sort of thing has happened. Laptops have been lost and stolen containing all sorts of sensitive information.

This should NEVER EVER happen, as the laptops need never have such information on them. If you need to work from home as well as at work, fine: you can get a desktop in the company, behind all the security, via secure VPNs and a terminal-server-type session.

There is no excuse for this sort of lax security. Nationwide are not alone in being this stupid with OUR data. Government has form on this sort of stupidity as well.

Looking on the bright side, the laptop may have been formatted and sold for peanuts, so the data may have been shredded already.


Ellee said...

I was with a Nationwide press officer and we discussed this. It seems the laptop was stolen, along with loads of other stuff, from his home, so his desktop could easily have been stolen too. We have to hope that any sensitive and confidential data is so secure that a third person can't access it, though I'm not sure that was the case here.

Benedict White said...

The data should not have been at his house at all. It is not secure enough.

If you get physical access to a machine with data on it, it is only a matter of time before you get the data.

That said perhaps this was just a theft to feed a drug habit, in which case I suspect the laptop may well have been wiped.

Robert Campbell said...

The trouble is these days the thief may have stolen the laptop to feed his habit but categorically it will not have been wiped. He, or she, will not have the time or the inclination. Their priority is to offload the thing for cash. The 'fence' on the other hand may in the past have 'wiped it' and sold it on, but increasingly they recognise the value of the data that may be on the laptop and seek to sell it on to someone who'll pay for it.

Laptops can be protected, encryption can make the data inaccessible to all but the rightful user, but overall people don't take it seriously enough until it hits the headlines or they are faced with a bill for sending out 11M letters!

We need a law, as they have in some states in the USA, which would oblige companies to disclose such security breaches. Then Directors and Chief Executives like Philip Williamson will see it as the strategic risk management problem it really is.

Benedict White said...

I agree with you that laptops can and will go missing. I also agree that disposal is important.

On the laptops being stolen issue, encryption only buys you time, though sometimes quite a lot. It tends to have a weakness in that sometimes people use weak passwords.

I still take the view that sensitive data should not leave a company's premises. (As your blog calls it, the thin client solution)

When we want to wipe a hard disk, we use DBAN which writes random data all over it 3 times. If we need to be more certain we take the disk apart and wipe it with a magnet then use the discs as coasters.

Anonymous said...

A laptop tracking and security system is used by my company. When our laptops were stolen, we tracked them down to an IP address and the police recovered them. We also had the option of remote data deletion.

Granted, this kind of sensitive data should not have been taken off company site in the first instance but you cannot stop these thefts from occurring.


