Information Security News: Skipton Building Society loses customer data

[InfoSec News <alerts () infosecnews org>]

http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article3083560.ece

By Rhys Blakely
Times Online
December 21, 2007

Thousands of building society customers are at risk of ID fraud after a 
laptop containing their details was stolen.

Skipton Financial Services (SFS), a subsiduary of Skipton Building 
Society, said that details of 14,000 customers had been lost after a 
computer was stolen from Moore Stephens Consulting, a London-based IT 
contractor.

The information belonged to customers with funds administered by 
Fidelity FundsNetwork and included names, addresses, National Insurance 
numbers and fund investment details.

It was loaded on a laptop stolen from a workers locker in "a locked 
facility" along with other personal items on December 11, forcing the 
accounts to be frozen.

Jamie Cowper, of PGP Corporation, a data protection specialist, said 
that it was worrying that no mention had been made by SFS of the data 
being encrypted but merely password protected.

The risk is that the information is used to assume fraudulent 
identities, he said.

The data breach the latest in a slew of similar incidents hands further 
ammunition to the Information Commissioners Office, which is calling for 
a radical shake-up of the UKs data laws that would make careless 
handling of data a criminal offence and hold company bosses directly 
responsible.

Police are investigating the theft.

The Yorkshire-based lender could face sanctions from the Financial 
Services Authority.

In February, Nationwide was fined 980,000 by the City watchdog after a 
laptop holding customer details was stolen from an employee's house.

However, it is thought that Skipton's decision to reveal the breach to 
the FSA promptly will work in its favour.

Nationwide, by contrast, was not aware of the wealth of information 
carried on its stolen computer and did not give an alert for three weeks 
after the theft.

The data lost by Skipton does not include bank or building society 
account details.

However, SFS was forced to block affected accounts and has written to 
customers to assure them that their investments were safe.

It is issuing them with new account numbers and has offered 12 months 
free credit checks and alert services through the credit reference 
agency, Callcredit.

The latest lapse follows the loss of two discs containing information on 
about 25 million people by HM Revenue & Customs last month and comes 
only days after the details of three million learner drivers were lost 
in Iowa, in the United States, by Pearson Driving Assessments, a private 
contractor working for the Driving Standards Agency.

It emerged this week that the loss by HMRC of details of more than 6,500 
customers of Countrywide Assured, the life assurance and pensions 
company, had gone unnoticed for more than a month.

While neither SFS nor Fidelity FundsNetwork were responsible for the 
loss of this laptop, both have taken all steps they can to mitigate any 
risk to their clients, Skipton said in a statement.

Customers will also be offered free access to the Cifas Protective 
Registration Scheme, which is designed to alert financial organisations 
to the need to undertake further checks before completing any 
transaction on an account.

Simon Holt, managing director of SFS, said that the company was not 
aware of any fraudulent activity.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/