National Bank of Canada, Canada’s sixth-largest lender by assets, according to Bloomberg, has publicly announced that a laptop computer was stolen from its headquarters in Montreal. Although not expressly stated, it seems to me that this particular laptop was not protected with data security software like laptop encryption from AlertBoot. A shame since there was customer data on that laptop—a “high percentage” of their mortgage clients, according to the bank.
The sensitive information included names, addresses, bank reference numbers, and account numbers. Other information such as social insurance numbers (Canada’s SSN), birth dates, or signatures were not included. Due to the limited information found on the stolen computer, the bank is maintaining that the risk of using the information for fraud is minimal.
And yet, the bank is asking its clients to keep an eye out for suspicious activity on their accounts. Makes you wonder why, if the risk is so minimal. Plus, wouldn’t the bank be in a better position to monitor fraud? I know I get a call whenever something weird pops up on their screens regarding a large purchase.
The thing about the stolen information is that it can still be used to carry out fraud. For example, this article from the washingtonpost.com shows how such “minimal risk” information was used in an attempt to scam $12 million from 90,000 accounts. That translates to roughly $130 per account. Depending on the bank, such paltry amounts may not raise flags in the bank’s system, and it would be up to people calling in to complain to shine a light on any attempted fraud.
Unlike some people commenting at cbc.ca, I don’t think that the issue is that the data was stored on a laptop computer. This equipment was stolen from the bank’s headquarters. Bank headquarters generally tend to have security in place. Now, since the laptop was stolen despite security, it stands to reason that anything else would or could have been stolen as well: it could have been a hard disk drive used as a back up; a bundle of printouts with the same sensitive information found on the laptop; a small desktop computer (sans monitor, of course). Heck, one could have installed one of those keystroke loggers with a wireless transmitter. If I were to believe some of the comments, getting rid of laptops would clear up any future data breaches. But as the small number of examples I’ve given illustrate, this is not so.
Let’s not forget the nature of the thing that is being stolen: data is a metaphysical object. You can burn a piece of paper with sensitive data on it, but if I’ve read it prior to your burning, it’s not going to do you much good (unless you’re trying to hide evidence from a trial or something). You have to have the right kind of protection. And when it comes to data protection, you want to use what the pros are using: encryption software. If the bank had used laptop encryption to protect all of their notebook computers, they wouldn’t have to ask their customers to keep an eye out, nor have their employee keep an eye out for irregular activity as well.