Stolen laptop leaves Nationwide red-faced

The theft of a laptop containing Nationwide Building Society customer information is being probed by the Financial Services Authority (FSA).

The laptop was stolen from an employee's house in a burglary in August. Both the FSA and Nationwide have refused to say exactly what data was stolen. According to Alan Oliver, Nationwide's head of external affairs, the laptop contained "limited customer information for market research purposes".

The building society is willing to say what has not been stolen. No PINs, passwords or information about financial transactions were contained on the computer, and no account details such as customer names, account numbers or sort codes were compromised, according to Oliver.

However, there is a chance the limited customer data stolen could be linked to other information about individuals and used for identity fraud.

The building society would not say how many customers' details were contained on the stolen laptop. It is in the process of writing to all of its 11 million UK customers to outline the security measures they need to take as a result of the theft.

Nationwide insists any victims of identity fraud will not suffer financial loss as it has a policy of reimbursing money stolen.

Authorities, including the police and the Information Commissioner, have been informed about the loss of the data. The building society said it could not give any details of the burglary as that could compromise the police investigation. However, it said the police believe the crime was not targeted and was probably opportunistic.

Following the incident, Nationwide has taken "a number of different steps to increase security", although it would not provide details of these steps. It also refused to comment on its security policy regarding laptops, and whether encryption was used to protect the data.

Got two seconds?

Make your voice heard - take our latest poll.

The employee who had the laptop stolen may not have been acting in accordance with Nationwide security policy, according to Oliver. "We're looking at our procedures as we speak. It appears that all procedures may not have been complied with," he said.

Although Nationwide was keen to play down the severity of its security lapse, the FSA - which regulates the banking industry - is currently investigating the incident.

An FSA spokesman said: "We're continuing to discuss with Nationwide the incidence of a loss of data. Our principle concern is to minimise the risk to consumers.

"Along with other authorities including the Information Commissioner and the police we considered when and how Nationwide should communicate with customers on this issue in a way that minimises any potential misuse of the data. We discussed what Nationwide needs to do to alert customers of the fact that data had been stolen."

While the FSA refused to comment on the nature of the data stolen, it said the very act of alerting affected customers could have further compromised their security. This indicates the data stolen could be used by criminals if linked to customer names or addresses.

Tom Espiner writes for ZDNet UK