Nationwide Looses 11m Customers information

Meatballs

steady__eddie wrote:

As a technothicky myself, would anyone care to hazard a guess at what size the hard drive was in the aforementioned stolen laptop as I am contemplating updating my own machine in the very near future and one capable of storing that amount of data would probably satisfy my requirements ?

You could probably fit 11 million customers details on a 15gb harddisk if it is stored in a basic format. Text is extremely cheap to store, compared to sound/video etc.

whambamboo

There are a lot people that should be sacked for this.

What kind of f***ing idiot allows an entire database to be stored on a laptop?

There are just so many controls that they should have had in place to stop this.

The banks IT security staff should be sacked, as should the head of IT.

I am a Nationwide customer, and I insist that heads should roll.

I also think they should get a large fine from the FSA for being f***ing morons.

A_Nice_Englishman

Meatballs wrote:

You could probably fit 11 million customers details on a 15gb harddisk if it is stored in a basic format. Text is extremely cheap to store, compared to sound/video etc.

.. or a very substantial number on a 1GB USB flash drive, especially if the data was compressed.

whambamboo

A_Nice_Englishman wrote:

The only reason I can think of for having 11 million customers' (sorry, members') information is that the employee was doing some sort of analysis using an extract from the corporate database. In this case the data should have been 'anonymised' so that it could not be linked to particular people.

Exactly. I work for a bank, and we sent a database (a minor one, with no customer data or trading/transactional data) to a third party, and everything was anonymised, and all stored procedures were deleted.

[Deleted User]

ReportInvestor wrote:

Or if anyone is free on 26th November 2006

Book your place at the next "Members meet the directors" forum in the Emirates Stadium in London where you can put the question to Stuart Bernau and Jeremy Wood

They may have changed the day since you last looked as the link gives the 23rd November.


I couldn't agree more with Lorian and others here. I'm also an outraged nationwide customer. One of the reason I've stayed with Nationwide for so many years was because I thought their site was safer to use than many others. However I'm horrified to hear Cypher's recent experience:

Cypher wrote:

I have just this minute received my initial paper work through from Nationwide. I am absolutely amazed to find on one of the forms the password I used when applying for the account. It is clearly written on the sheet in plain text for all to see :eek:
What are they playing at. :mad:

What are they playing at indeed sending a password on a form through the post when there was no need to do so. Anyone could have intercepted it! It would have be slightly less worrying, but still not entirely secure, if the password had to be sent at all, for it to have been sent separately.

I'm livid that they've known about this for THREE MONTHS and not informed it's customers! I'm livid that there is nothing on their website today about it!
If the fear is that fraudsters could use our details to set up other accounts they should be giving out details to customers of how to go about getting their credit status checked.

Interestingly while I've been typing this they have just made an announcement at the site

Their promise says:

Nationwide wrote:

Our promise


"We're so confident of our site's security that we take full responsibility for it: if you ever innocently suffer any fraud as a result of our Internet Banking service, we'll refund any money taken from your account. That's a promise."

Trouble is how could you prove that any identity theft was as a result of the loss of this laptop!! :mad:

Lorian

The problem with this data theft is that the information could be used for fraud that is never attributable to information used from the theft, so Nationwide won't be liable as the connection will not be drawn;

The data could be used years from now;

My only small hope is that the theft was by someone who didn't realise what they had stolen and the thing was reformatted an hour later for their personal use.

[Deleted User]

Lorian wrote:

The problem with this data theft is that the information could be used for fraud that is never attributable to information used from the theft, so Nationwide won't be liable as the connection will not be drawn;

The data could be used years from now;

Exactly!!

In this instance their "Our promise" amounts to empty words and provides their customers with no comfort at all! :mad:

anniecave

In fairness though, I can see where they are coming from. I work for a company, and on my laptop there is some customer information relating to the job I do. In my case, it is just an information dump of customer information because I have been doing some work at home on the data. Mine are business customers relating to electricity accounts. Now my computer is password protected, and I don't know what use that information would be, but it would be a similar issue if someone nicked my laptop, or if I had a desktop and someone nicked that.

If they are assuring customers that "no PIN numbers, account passwords or memorable information was on the laptop" then it would be quite hard work for anyone to actually do much damage or obtain money fraudulently. Sure someone could send out scam emails or postal circulars or put the details on a mailing list, but they can get the same information from the phone book or random generation of email addresses, so it's not really such a big issue I wouldn't say.

Yeah it shouldn't have happened, but hey there you go.

mustrum_ridcully

Lorian wrote:

My only small hope is that the theft was by someone who didn't realise what they had stolen and the thing was reformatted an hour later for their personal use.

Indeed that's why Nationwide didn't inform the public for 3 months so as not to alert the attention of the thief to what was on the laptop or to watch for any odd behaviour that could show that the information is being used.

I am slightly concerned by people who've apparently said customers should of been told immediately. Don't know if they're naive or silly as they don't realise that could of tipped off the thief to what he's got or made it more difficult to spot if the information was being used.

Lorian

mustrum_ridcully wrote:

I am slightly concerned by people who've apparently said customers should of been told immediately. Don't know if they're naive or silly as they don't realise that could of tipped off the thief to what he's got or made it more difficult to spot if the information was being used.

Yes, there is a tricky balance there though. Two weeks I could understand, but 3 months seems inappropriate.

If the letter to customers is the same as they just posted on their website then it leaves many questions unanswered.

http://www.nationwide.co.uk/security/news_and_alerts/