A Wolverhampton-based bank has come under fire after thieves stole PCs containing the personal details of tens of thousands of customers, exposing them to identity theft.
Some 25,000 current and former Charter Savings Bank (CSB) customers and mortgage applicants with the lender are potentially at risk.
As a notice on the bank's site states, it has written to those affected to inform them that, while no customer passwords, security question data or bank account details were saved on the computers, "some of their personal data may have been saved on some of the stolen personal computers."
The statement continued:
"While we have no evidence to suggest any personal customer data has in fact been disclosed as a result of this incident and it is unlikely that the data will be discovered, there could be an increased risk of misuse of personal data or identity theft for these customers.
Charter Savings Bank takes security issues very seriously and we apologise to customers for this incident."
CSB has also offered those affected fraud checks free of charge to see if the burglars have indeed sold on their details after the October heist.
However, it is believed that card details are required as proof of ID to register for the Experian service. This has caused some customers concern that the letter sent out by CSB to inform them of the incident may itself be a scam, as reported by The Daily Telegraph.
Becrypt CEO Bernard Parsons argued that high-risk data at rest on endpoint devices should always be encrypted to mitigate risk in these circumstances.
“Strong external security is rendered useless if the device itself is simply stolen and accessed directly,” he added.
“While in this instance Charter Savings Bank has taken pains to assure its customers that the risk is very low, having this additional line of defense will enable any organization hit by the theft of devices to guarantee customers that any lost data will be protected from misuse by criminals. A central management system will also enable organizations to quickly assess the risk posed by any missing devices.”