The Nationwide Building Society has been fined £980,000 by the Financial Services Authority after an investigation into the theft of a company laptop from an employee's home last year exposed failings in its information security.
The laptop was stolen in a domestic burglary from an employee's home in August last year. Details of the theft only emerged after a tip-off to reporters.
The FSA says its investigation into the incident found that the Nationwide did not have adequate information security procedures and controls in place, potentially exposing the society's 11 million customers to an increased risk of financial crime.
Nationwide was not aware that the laptop contained confidential customer data and did not start an investigation until three weeks after the theft, says the FSA. During these three weeks the employee involved went abroad on holiday and Nationwide took no steps to investigate what data the stolen laptop contained.
Margaret Cole, director of enforcement, says Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure.
"Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security," says Cole. "The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security."
By agreeing to settle at an early stage of the FSA's investigation, Nationwide qualified for a 30% discount to its fine under the regulator's executive settlement procedures. Without the discount the penalty would have been £1.4 million.
In a statement Philip Williamson, Nationwide's chief executive, admitted that the company's systems of control "were found wanting" and says changes have been made to improve procedures.
Williamson says there has been no loss of money from customers' accounts as a result of this incident.
Nationwide says the data on the laptop was to be used for marketing purposes and there were no PINs or passwords stored, but has not disclosed how many account details were stored on the computer and has also failed to say if the data was encrypted.