The Financial Services Authority (FSA) commented that, during its investigation, it found that Nationwide did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. It added that it had taken swift enforcement action to send a clear message to all firms about the importance of information security.
According to the FSA, Nationwide worryingly did not realize that the laptop contained confidential customer information or start an investigation until three weeks after the theft. According to the BBC, the computer has still not been recovered.
Margaret Cole, FSA director of enforcement, said: “Nationwide is the UK’s largest building society and holds confidential information for over 11 million customers. Nationwide’s customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure.”
Philip Williamson, Nationwide’s chief executive, commented on the fine, saying: “We have extensive security procedures in place, but in this isolated incident our systems of control were found wanting. We have made changes to fill the gap and improve our procedures further.” He apologized to customers and said that no money had been lost as a result of the incident.
In its statement, the FSA acknowledged that Nationwide had co-operated fully in the course of the investigation and had undertaken a number of actions to address this failure, including increasing security around accounts, informing customers of the loss of information and commissioning a comprehensive review of its information security procedures and controls. It added that Nationwide had qualified for a 30% discount by agreeing to settle at an early stage of the investigation.