HSBC fined £3.2 million for data lost in the post

HSBC has found itself on the receiving end of a record fine of over £3 million, after it was found by the Financial Services Authority (FSA) to have carelessly handled the data of thousands of customers.

Last year it was revealed that a CD ROM containing confidential details of 369,000 insurance policies was lost in the post. The data included names, ages, sex, dates of birth, smoker status and other details of more than 180,000 people.

The personal information was lost after HSBC staff used the Royal Mail to deliver it to an office of Swiss Re in Folkestone. HSBC admitted that the sensitive information had been sent by post because their usual electronic transfer system was unavailable.

Although the disc was password-protected, the data contained upon it was not encrypted, and a search at both the HSBC and Swiss Re offices failed to find it.

An earlier incident in April 2007 saw an unencrypted floppy disk, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers, lost after staff at HSBC Actuaries put it in the post.

The FSA also uncovered evidence that HSBC Life was keeping unencrypted electronic copies of more than 740,000 "live" policies and over 1 million "non-live" policies in unlocked filing cabinets, and that HSBC was routinely sending data through the post without paying for recorded delivery.

"Keeping our customers' data confidential and secure is vitally important to everyone at HSBC... but it is clear that in these instances we have fallen short, which we sincerely regret," said Clive Bannister, group managing director of HSBC Insurance.

News of the lax data security and the hefty fine has understandably made the headlines in the UK.

Here's a TV report from ITN:

The financial penalties levied against the three HSBC firms are as follows: HSBC Life UK was fined £1,610,000, HSBC Actuaries and Consultants was fined £875,000, and HSBC Insurance Brokers was fined £700,000.

Financial rivals would be wise not to be smug about HSBC's misfortune. All companies handling the personal private information of customers need to ensure that they are treating the security of that data as a priority, and not putting the identities of innocent people at risk.

About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011.