The theft of a laptop containing Nationwide Building Society customer information is being probed by the Financial Services Authority (FSA).
The laptop was stolen from an employee's house in a burglary in August. Both Nationwide and FSA have refused to say exactly what data was stolen. According to Alan Oliver, Nationwide's head of external affairs, the laptop contained "limited customer information for market research purposes".
The building society is willing to say what had not been stolen. No PINs, passwords or information about financial transactions were contained on the computer, and no account details such as customer names, account numbers or sort codes were compromised, Oliver told ZDNet UK on Monday.
However, there is a chance that the limited customer data stolen could be linked to other information about individuals and used for identity fraud.
Nationwide insists that victims of identity fraud would not suffer financial loss, as the building society has a policy of reimbursing money stolen. "There has been no loss of money, and no chance of any customers suffering financial loss. If they are the innocent victim of fraud they will not lose out," said Oliver. "The information on its own cannot be used for identity fraud."
Nationwide would not say how many customers' details were contained on the stolen laptop. It is in the process of writing to all of its 11 million UK customers to outline the security measures they need to take as a result of the theft.
"It's important at times like this to reassure people their information is safe and protected — and that it's a good thing to take precautions themselves," said Oliver. "It's important people take all necessary steps to protect their information."
Authorities, including the police and the Information Commissioner, have been informed about the loss of the data. Nationwide said it could not give any details of the burglary as it could compromise the police investigation.
"The police have asked us not to give details of the theft as to do so would compromise their ongoing investigation," said Oliver.
However, the police have told Nationwide that the crime was not targeted, and probably opportunistic.
Following the incident, Nationwide has taken "a number of different steps to increase security", although it would not say what steps had been taken. The building society also refused to comment on what kind of security policy it has regarding laptops, and whether encryption was used to protect the data.
The employee who had the laptop stolen may not have been acting in accordance with Nationwide security policy, the building society said.
"We're looking at our procedures as we speak. It appears that all procedures may not have been complied with," said Oliver.
Although Nationwide was keen to play down the severity of its security lapse, the Financial Services Authority (FSA) — which regulates the banking industry — is currently investigating the incident.
"We're continuing to discuss with Nationwide the incidence of a loss of data," said an FSA spokesman. "Our principle concern is to minimise the risk to consumers."
"Along with other authorities including the Information Commissioner and the police we considered when and how Nationwide should communicate with customers on this issue in a way that minimises any potential misuse of the data. We discussed what Nationwide needs to do to alert customers of the fact that data had been stolen."
While the FSA refused to comment on the nature of the data stolen, it said that the very act of alerting affected customers could have further compromised their security. This indicates that the data stolen could be used by criminals if linked to customer names or addresses.