FSA fines Nationwide £980,000 for information security lapses

14th February 2007
The Financial Services Authority (FSA) has today fined Nationwide Building Society (Nationwide) £980,000 for failing to have effective systems and controls to manage its information security risks.

The failings came to light following the theft of a laptop from a Nationwide employee's home last year.

During its investigation, the FSA found that the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime.

The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.

Nationwide's failings occurred at a time of heightened awareness of information security issues as a result of government initiatives, increasing media coverage and an FSA campaign about the importance of information security.

Margaret Cole, director of enforcement, said: "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure.

"Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security.

"The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security."

The FSA acknowledges that Nationwide has co-operated fully in the course of the investigation and has undertaken a number of actions to address this failure, including: taking a range of additional measures to increase security around accounts; informing customers of the loss of information; affirming its existing policy to reimburse any customer that has suffered financial loss as a result of this incident; and commissioning a comprehensive review of its information security procedures and controls.

By agreeing to settle at an early stage of the FSA's investigation Nationwide qualified for a 30% discount under the FSA's executive settlement procedures – without the discount the fine would have been £1.4 million.

Statement from Nationwide Building Society regarding FSA fine

The FSA has today announced that it has imposed a fine on Nationwide as a result of an investigation following the theft of a laptop computer from an employee’s home in August last year.

Philip Williamson, Nationwide’s chief executive, said: “We have extensive security procedures in place, but in this isolated incident our systems of control were found wanting. We have made changes to fill the gap and improve our procedures further.

“Towards the end of last year I sent a letter to every one of our members telling them about this matter and apologising for any concern it may have caused them. I would like to reiterate that apology to our members and assure them that we have taken action to tighten our already high security procedures.

“To set people’s minds at rest I wish to emphasise that there has been no loss of money from our customers’ accounts as a result of this incident. Our customers have the additional assurance that they are protected by the Society’s customer promise that ‘If you are the innocent victim of fraud, you will not lose out.’”

The laptop was stolen in a domestic burglary from an employee’s home, in August of last year

We and the police believe it was stolen for its intrinsic value as a laptop, rather than for the information it contained

The laptop was security protected and the information on it, which was to be used for marketing purposes, cannot be used on its own to commit identity fraud

There were no PINs, passwords, account balance information or memorable data relating to any customers

The police, the FSA and the Information Commissioner were informed of the theft at the time and Nationwide has been co-operating with them since.

Nationwide welcomes the fact that the FSA acknowledges that the Society has:

Taken a range of additional measures to increase security around accounts

Informed customers of the loss of the information

Affirmed its existing policy of reimbursing customers who are innocent victims of fraud

Commissioned a comprehensive review of information security procedures and controls