Yorkshire Building Society censured over stolen unencrypted laptop


The UK's Information Commissioner's Office (ICO) has found Yorkshire Building Society in breach of the Data Protection Act after an unencrypted laptop containing customer data was stolen.

The laptop was stolen from the Cheltenham premises of the former Chelsea Building Society, which recently merged with YBS, in April and contained "a substantial part of the CBS customer database".

It was found within 48 hours after YBS hired private investigators, and forensic investigations show that none of the data had been accessed during that time, although there had been several attempts to do so.

Before it was stolen, the laptop was being used by a CBS employee who had been working from home and had given it, on request, to a manager who returned it to CBS's former head office in Cheltenham.

The manager wrote down the passwords to the computer and left these in a bag with the laptop under a desk overnight.

The building society has now agreed to take steps to improve security, ensuring that all portable devices are encrypted and that staff know the firm's policies on storing personal data and only have access to information that they need.

Mick Gorrill, head, enforcement, ICO, says: "It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords. What's more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out."

Earlier this week the FSA hit Zurich Insurance's UK arm with a record £2.275 million fine over the loss of a backup data tape containing the details of 46,000 customers.

Comments: (1)

A Finextra member, 26 August, 2010, 15:31

We keep hearing about issues like this and each time I think that they mask a deeper problem.

What is wrong with existing information access channels that users feel they have to take the risk of carrying data in this way?

Should they not have better access to the information they need to render such dangerous behaviour unnecessary?

The hidden cost of this sort of loss is also a further lock down of data access, meaning that the problem is actually compounded and business efficiency suffers.

And that's no good to anyone!