View more on these topics

Yorkshire BS censured over laptop loss

The Information Commissioner’s Office has found Yorkshire Building Society in breach of the data protection act after an unencrypted laptop was stolen containing customers’ details.

The laptop belonged to Chelsea Building Society, which recently merged with Yorkshire, and was based at its Cheltenham premises.

The laptop, which contained a substantial part of the Chelsea customer base, was recovered within 48 hours after Yorkshire appointed private investigators and forensic investigations revealed that none of the data had been accessed during that time, although there had been several attempts to do so.

The laptop was being used by a CBS employee who had been working from home and had given it, on request, to a manager who returned it to CBS’s former head office in Cheltenham. It was later discovered that the manager had written down the passwords to the computer and left these in a bag with the laptop under a desk overnight.

Yorkshire says chief executive Iain Cornish has agreed to take a series of remedial steps to ensure that such a data security breach does not happen again. This will include ensuring that all portable devices including laptops are encrypted that all staff are made aware of the company’s policies for the storage and use of personal data and that staff will only have access to the type and amount of personal data that is necessary for their work.

ICO head of enforcement Mick Gorrill says: “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.

“What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out. I am pleased that the Yorkshire Building Society took such prompt and effective action and am satisfied that steps are now in place to prevent this happening again.”


News and expert analysis straight to your inbox

Sign up


There are 10 comments at the moment, we would love to hear your opinion too.

  1. This story is very contradicting! So was it encrypted or unencrypted??

  2. wasn’t zurich just fined (somewhat excessively) 2.2m for the same thing?

  3. Was the laptop encrypted or unencrypted? The first paragrah suggests it was but the penultimate one suggests it was not!

  4. why were they not fined £1,000.000 like Nationwide?

  5. What did the ICO do about the loss of those data-laden FSA laptops a few years back?

  6. Para 1: encrypted.
    Para 6: unencrypted.

    Which is correct?

  7. Don’t be silly Julian it’s do as we say not….
    Anyway you would not want them to get a fine which we would end up paying.

  8. I see no reason why the regulator should be any less accountable for its failures and wrongdoings than those it regulates.
    The present system of regulation is akin to the police force being above the law.

    Fines should be deducted from the salary roll, so that when all the FSA staff have to take a 5% pay cut, they’ll be told that if they don’t want the same to happen again next year, they’ll damned well have to do better.

    There should, by the way, be no bonus pot, as the FSA pays its staff and directors bonuses every year totally irrespective of how well or otherwise the regulator has fulfilled its statutory objectives. In fact, the bigger your screw up, the bigger your bonus, as Clive Briault will readily testify. What kind of bonus system is that? PDG if you’re part of the club, but rather less so for the rest of us who have to fund it under pain of confiscation of our livelihoods.

  9. There are a number of worrying issues raised with this news, demonstrating the importance of not only introducing IT security procedures to an organisation, but also effective education of employees.
    Fortunately in this case the information was not accessed, but that is a rarity from an unencrypted machine. As a Managed Security Services company (MSC247) we would advise the introduction of two key policies: 1) the use of 256 bit encryption for any information stored on company computers, and 2) the use of biometric technology, such as fingerprint recognition to provide an extra safeguard against information being accessed if the worst case scenario occurs.
    Any organisation should adopt the best possible technology in place to protect its, and its customers’ information, otherwise not only does it risk a hefty fine (as demonstrated by Zurich in the news yesterday), but more importantly its reputation. If there is no trust, then there will be no customers.
    Finally, whilst it is understandable that people cannot be expected to memorise numerous passwords, educating employees about security procedures should also be part of company policy, otherwise encryption will be made redundant if the password is next to the computer stolen.

  10. Jennifer Nicholls 26th August 2010 at 3:38 pm

    Well I know a bank that gets at least 1 a month stolen, so the laptop engineers told me.

Leave a comment


Why register with Money Marketing ?

Providing trusted insight for professional advisers.  Since 1985 Money Marketing has helped promote and analyse the financial adviser community in the UK and continues to be the trusted industry brand for independent insight and advice.

News & analysis delivered directly to your inbox
Register today to receive our range of news alerts including daily and weekly briefings

Money Marketing Events
Be the first to hear about our industry leading conferences, awards, roundtables and more.

Research and insight
Take part in and see the results of Money Marketing's flagship investigations into industry trends.

Have your say
Only registered users can post comments. As the voice of the adviser community, our content generates robust debate. Sign up today and make your voice heard.

Register now

Having problems?

Contact us on +44 (0)20 7292 3712

Lines are open Monday to Friday 9:00am -5.00pm