Building Society Laptop Stolen Along With Passwords

The Information Commissioner’s Office has criticised Yorkshire Building Society for allowing an unencrypted laptop to be stolen along with its passwords

Yorkshire Building Society has been criticised by the Information Commissioner’s Office after an unencrypted laptop loaded with part of the customer database, and complete with its passwords, was stolen from a company office.

The Information Commissioner reprimanded YBS this week for the incident, which occurred at the Cheltenham head office of Chelsea Building Society (CBS), which YBS recently acquired.

An undertaking to improve its approach to data protection, signed by YBS chief executive Iain Cornish, revealed the details of the case. The computer was recovered within 48 hours after YBS hired a private investigator, and analysis by computer forensics experts concluded that the confidential information on the machine had not been accessed, despite the passwords having been written down and left in the laptop bag.

Under A Desk Overnight

According to the undertaking signed by Cornish, the laptop was being used at home by a CBS employee. A manager asked the staff member to bring the device back to the office; the manager then wrote down the passwords and left both the laptop and the passwords under his desk, from where the laptop was later stolen. “Contrary to policies and procedures, the manager had written down the passwords and, when his work was concluded, left these and the laptop in its bag under his desk overnight,” the undertaking stated.

The ICO also criticised YBS for allowing an employee to take a section of the customer database home when the full data set was not actually required for the task. “The Commissioner also noted, however, that the employee had not required access to all the data held on the laptop in order to complete the analysis work,” the undertaking stated.

Commenting on the case, Mick Gorrill, head of enforcement at the ICO, said the office was particularly concerned that the passwords had been left alongside the laptop. “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords,” he said. “What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out.”

£2.28m Fine

Earlier this month, Zurich Insurance was hit with a record £2.28 million fine by the Financial Services Authority after its sister company Zurich South Africa lost an unencrypted backup tape containing the personal financial information of around 46,000 policyholders.

The ICO has warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their own volition. Companies that fall foul of data protection law risk a maximum fine of £500,000 under new powers granted to the ICO in January.

However, the ICO has still issued no fines, despite naming and shaming a whole host of institutions and public service organisations that have suffered data breaches. In June, for example, the ICO published a list of all the data breaches reported to it since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.