Nationwide fined almost £1m over laptop theft

The Nationwide Building Society has been fined almost £1m after a laptop containing customer account details was stolen from an employee's home.

The Financial Services Authority (FSA) fined Nationwide, the UK's biggest building society, £980,000 following the theft from a Nationwide worker's home that potentially risked exposing the society's 11m customers to identity theft and other fraud. The fine was imposed as the authority found that the building society did not have adequate information security procedures and controls in place.

The FSA said the building society had not realised that the laptop contained confidential customer information and didn't even start investigating the loss until three weeks after the theft.

According to the authority, Nationwide's failings occurred at a time of "heightened awareness of information security issues" as a result of government initiatives, increasing media coverage and an FSA campaign about the importance of information security.

"Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure," said Margaret Cole, director of enforcement at the FSA.

"Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security," she said.

The FSA acknowledged that the building society fully co-operated with the investigation and has since undertaken a number of actions to fix flaws in its security policy. The FSA said the building society took a range of additional measures to increase security around accounts and inform customers of the loss of information.

The Nationwide has now commissioned a comprehensive review of its information security procedures and controls.

Philip Williamson, Nationwide's chief executive, said in a statement: "We have extensive security procedures in place, but in this isolated incident our systems of control were found wanting. We have made changes to fill the gap and improve our procedures further."

Security experts said the fine highlighted ongoing security problems faced by organisations today.

Gary Clark, vice president of information security company SafeNet, said that a survey carried out by his company showed that only 44 per cent of the data on laptops is encrypted. The research also showed that only 12 per cent of the data on handheld devices, such as BlackBerries, is encrypted.

"Organisations must take steps to protect the growing amount of sensitive data, which is floating around outside the corporate network in executives' pockets and bags," said Clark. "Encrypting the data and using a smart card or a USB token to 'unlock' the laptop and subsequent information, which can be held separately from the machine, will reduce the risk of data falling into the wrong hands."

Clark added that random thefts and losses of laptops and other physical assets inevitably occur. But "if unauthorised access to the data on these items is prevented via the use of encryption, organisations and their customers can rest easy."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.