http://securityratty.com/tag/skipton Fri, 04 Jan 2008 19:21:58 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/c0527c011e51afeb9dc52bc4f5239096 http://securityratty.com/article/c0527c011e51afeb9dc52bc4f5239096 Security Breach

Date Reported:
12/21/07 (backdated from writing of 1/4/08)

Organization:
Skipton Building Society

Contractor/Consultant/Branch:
Skipton Financial Services (SFS)
Moore Stephens Consulting

Victims:
Skipton clients with money invested in the Fidelity FundsNetwork

Number Affected:
Up to 14,000

Types of Data:
Names, addresses, dates of birth, National Insurance numbers*, and fund investment details including how much was invested.

*~equivalent to Social Security numbers in US

Breach Description:
A laptop computer was stolen from a locker being used by a Moore Stevens Consulting employee that contained sensitive personal information belonging to as many as 14,000 Skipton Financial Services (SFS) clients who had invested money in the Fidelity FundsNetwork.  Moore Stevens Consulting was on contract with SFS at the time of the theft.

Reference URL:
Yorkshire Post Story
The Register
Attrition.org Data Loss Archive

Report Credit:
Rowena Mason, Yorkshire Post via Attrition.org

Response:
From the online sources cited above:

Up to 14,000 customers of the financial giant Skipton have been left open to identity fraud, after the company admitted that a laptop containing customers' personal details was stolen

Investors with money in the Fidelity FundsNetwork were told yesterday that the stolen information includes names, addresses, date of birth, National Insurance numbers, fund investment details – and even how much each person had invested.

the laptop was taken from a locker being used by a staff member of an information technology (IT) consultancy employed by Skipton Financial Services.

Moore Stephens Consulting was carrying out work on an IT system for the Yorkshire-based investment company when the theft took place
[Evan] An IT consultant should know better than to store confidential information on a laptop without encryption.

Last night a Skipton spokesman stressed that the laptop was password-protected and all affected accounts with Skipton Financial Services had been immediately suspended.
[Evan] Password protection is NOT adequate protection, and suspending the account does nothing to protect victims against identity theft.  Does suspending the account provide any protection?

Managing director Simon Holt wrote to all 14,000 customers apologising for the breach of security and assuring them that an investigation had been launched.

Mr Holt yesterday denied that his company had any responsibility for the loss of the laptop and said every possible step had been taken to reduce risk to clients.
[Evan] I respectfully disagree with Mr. Holt.  Organizations must hold their vendors, consultants, and contractors to the same security standards as those used within the organization.  Customers (data owners) gave Skipton the information and Skipton is responsible for it until it is destroyed.  No passing the buck allowed.

Skipton Financial Services told their customers about the missing data after advice from the Information Commissioner's Office

The managing partner of Moore Stephens, Colin Moore, said his firm was doing everything it could to protect data and review security procedures.
[Evan] Moore Stephens did not do "everything it could to protect data".

A helpline for people whose details might have been taken is open from 8am to 8pm Monday to Friday on 0800 137832.

Commentary:
More stolen laptops with confidential information without protection equals more victims.  What torques me more about this breach is the fact that an IT consultant was partly to blame.  An organization pays a consultant because they believe that the consultant is an expert and knows how to do work at a high-level.

I am a consultant and look, my laptop is encrypted...



Organizations that employ consultants which access confidential information resources MUST ensure that the consultants follow proper information security policies and procedures.  This is accomplished through the creation of a Vendor/Third-Party Security Policy, thorough evaluation before a contract is signed, adding information security language to the contract, and regular reviews of the consultant's information security practices throughout the life of the contract.

Past Breaches:
Unknown



]]> Fri, 04 Jan 2008 19:21:58 +0000 skipton information includes names information information security practices skipton financial services financial giant skipton store confidential information skipton spokesman security Skipton Financial Services personal customer data on stolen laptop