Yorkshire Building Society has been found to be in breach of the Data Protection Act by the Information Commissioner's Office (ICO).
An unencrypted laptop, belonging to the former Chelsea Building Society that had recently merged with Yorkshire Building Society, was stolen from its Cheltenham premises. The laptop contained a substantial part of the CBS customer database and was recovered within 48 hours.
Forensic investigations revealed that none of the data had been accessed during that time, although there had been several attempts to do so. The laptop belonged to a former Chelsea Building Society employee who had been working from home and had handed it over, on request, to a manager, who returned it to the former head office in Cheltenham.
It was later discovered that the manager had written down the passwords to the computer and left these in a bag with the laptop under a desk overnight.
Iain Cornish, chief executive of Yorkshire Building Society, has agreed to take a series of remedial steps to ensure that such a data security breach does not happen again. These include ensuring that all portable devices, including laptops, are encrypted; that all staff are made aware of the company's policies for the storage and use of personal data; and that staff only have access to the type and amount of personal data that is necessary for their work.
Mick Gorrill, head of enforcement at the ICO, said: “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.
“What's more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk, which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out.
“I am pleased that the Yorkshire Building Society took such prompt and effective action and am satisfied that steps are now in place to prevent this happening again.”
Nick Lowe, Check Point's head of Western Europe sales, said: “This is a key example of the types of security vulnerability that can emerge following a merger or acquisition. Yorkshire Building Society was already encrypting data on its laptops, but the Chelsea Building Society was not – which in turn put many customers' details at risk.
“It's vital that organisations roll out automated, always-on encryption to all their laptops and mobile computing devices, which means doing regular audits of all the devices in use in the organisation. It only needs one device to slip through the net, to risk a substantial data loss.”
The news follows an announcement yesterday that credit agreements belonging to DSG Retail customers were found in or near a skip. The owner of high street brands Dixons and PC World has also been found to be in breach of the Data Protection Act by the ICO.
The ICO said that the discovery of eight completed credit agreements, containing customers' personal and financial data, was made by a local authority's environmental health department. The documents related to transactions made two years prior and had been kept beyond the period recommended by DSG's policies for holding personal data.
The company's normal procedure for destroying sensitive documents should have meant that they were transported in sealed containers to a central facility for secure shredding, but this did not occur in this instance.
John Browett, chief executive of DSG Retail, has signed a formal undertaking agreeing to take a number of steps to prevent a similar breach happening again. These include conducting a review of security procedures and providing appropriate training for staff on complying with the company's security policies.
Gorrill said: “Any organisation collecting and holding personal information needs to ensure that information is kept and disposed of safely and securely. This is an important principle of the Act.
“Making sure data is disposed of securely and not keeping information for longer than is necessary can help to prevent information falling into the wrong hands. Staff need to be aware of policies and it is essential they receive appropriate training to follow them.”
An ICO spokesperson told SC Magazine that there were no plans to fine the companies involved here, as it reviews every case individually, and that it was not about punishment but about helping them take remedial action.