Nationwide laptop theft offers data safety lessons

The theft of a laptop computer from the home of a Nationwide employee has raised questions about how much data staff need to carry on mobile devices and what IT directors can do to protect sensitive information.

The theft, which occurred over the summer, only came to light this month. A spokesman for the building society said customer data on the password-protected laptop was used for market research.

Phil Cracknell, UK president of the Information Systems Security Association, said that even with a password-protected laptop, it was still possible to remove a drive and install it on another machine to get at the data. The best way to secure data on a laptop is to deploy hard drive encryption, he said.

Another option is for IT security chiefs to determine what data end-users need to carry with them.

David Lacey, a founding member of IT security user group the Jericho Forum, said, "There is a trend today for criminals to infiltrate organisations or to work with people on the inside. This is a growing problembecause all this data is easy to make money out of."

For certain tasks there should be no need for an end-user to carry customer data on a laptop.

Lacey, former chief information security officer at Royal Mail, said, "If you are doing market research, one would have thought that you do not need to know names and addresses."

To perform tasks such as trend and market analysis it is often not necessary to identify individual customers. "If you deal with sensitive personal data, it can be made anonymous by separating the names from the personal information so you cannot identify any individual," Lacey said.

Such a technique is not new to IT departments.

Graham Titterington, principal analyst at Ovum, said, "The 'anonymisation' or 'randomisation' of data has been used in software testing for years."

Beyond making the information anonymous, he suggested that one way that an organisation could protect its data against theft would be to use digital rights management - the technique the recording industry has adopted to prevent MP3 and CD-based music from being ­pirated.

David Lacey's security blog

www.computerweekly.com/blogs/david_lacey