Earlier this year, Nationwide, the UK’s largest building society, suffered a massive data theft when a notebook computer was taken from an employee’s home.
At the time, questions were asked about how such things could be allowed to occur but, to be fair to Nationwide, it is common practice for unencrypted data to be stored on company laptops away from the office (I have never been required to encrypt my data and I work from home routinely). Furthermore, the laptop was stolen in a domestic burglary – we are all told not to leave our laptops in the car (which in my case is another company-owned asset) so within the home is probably the safest place for the computer to be stored when away from the office.
To my mind, the biggest issue is how it took so long for the issue to be disclosed, with millions of customers’ identities potentially compromised (although Nationwide stresses that the data was “to be used mainly for marketing purposes” and “did not include any PINs, passwords, account balance information or memorable data”).
Two of my family members are Nationwide customers and earlier this month we received letters warning us of the potential issues, along with advice from the UK Government Home Office and Nationwide on protecting our identities; however, I was very amused by the letter to my two-year-old son, which began as follows:
“Dear Mr Wilson
THIS IS IMPORTANT – PLEASE READ CAREFULLY AND SHOW THIS LETTER TO YOUR PARENT OR GUARDIAN
Earlier this year a laptop computer belonging to the society was stolen…”
The letter was sent to a toddler! How many 2-year-olds do you know who can read a letter and follow the advice to show it to a parent of guardian? All the other communications from Nationwide about his account are addressed to my wife – so why write directly to my son this time? They noted that he was a minor and warned him to show the letter to his parent or guardian but surely their software can cope with a simple date of birth check and establish that this customer may be considered too young to read!
Leaving aside Nationwide’s lack of business intelligence, let’s hope that they have learnt from this massively public loss of data (and the expensive clean-up operation); however as computer users we can all benefit from their unfortunate experience and make sure that our data is secured by more than just a username and password (which provides no protection at all if the operating system can be bypassed and the disk accessed directly). Windows XP and Vista both support disk encryption (as do many Linux distributions and Mac OS X) and it’s worth investigating the use of this technology, although there are complications around key recovery that need to be considered before jumping straight in.