Building society fined over lax security

Gaffe left customers open to identity theft

14 February 2007

Nationwide Building Society has been fined £980,000 for security breaches that left customers at increased risk of identity fraud.

The Financial Services Authority (FSA) imposed the fine after finding that ‘information security procedures and controls’ at the UK’s biggest building society were not up to scratch.

The failings came to light following the theft, from a Nationwide employee's home, of a laptop that contained customers' confidential information.

The FSA also found that Nationwide wasn’t aware the laptop contained customer details and didn’t start an investigation until three weeks after the theft.

Increased awareness

Nationwide's failings come at a time of heightened awareness of information security issues.

Margaret Cole, director of enforcement, said: ‘Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure.

‘Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security.

FSA swift action

‘The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security.’

The fine imposed on Nationwide could have been as high as £1.4 million, but the building society qualified for a 30 per cent discount by agreeing to settle early.

Following today's announcement by the FSA, Philip Williamson, chief executive at Nationwide, said: ‘We have extensive security procedures in place, but in this isolated incident our systems of control were found wanting. We have made changes to fill the gap and improve our procedures further.

Apology

‘Towards the end of last year I sent a letter to every one of our members telling them about this matter and apologising for any concern it may have caused them. I would like to reiterate that apology to our members and assure them that we have taken action to tighten our already high security procedures.’

He added: ‘To set people's minds at rest, I wish to emphasise that there has been no loss of money from our customers' accounts as a result of this incident.’