HSBC fined £3.2 million for data loss
HSBC, Europe's largest bank, has been fined a record total of £3.2 million by the Financial Services Authority (FSA) after the FSA discovered that HSBC had carelessly lost data on thousands of its customers. According to Graham Cluley of UK-based security company Sophos, in February 2008 HSBC lost a CD that contained the confidential details of 369,000 insurance policies, including information such as names, ages, sex, dates of birth and smoker status.
In total, the details of over 180,000 customers were reportedly affected when HSBC used the Royal Mail to deliver the information to a Swiss Re insurance office in Folkestone, Kent. The CD containing the policyholders' details was password protected; however, it was not encrypted.
This isn't the first time such a data loss has occurred at HSBC. In April of 2007, HSBC lost an unencrypted floppy disk that contained the personal information of 1,917 pension scheme members. Data on the misplaced disk included addresses, national insurance numbers and dates of birth.
During the investigation, the FSA found that "large amounts of unencrypted customer details had been sent via post or courier to third parties". Confidential customer information was also left in unlocked cabinets and on open shelves. Additionally, the FSA found that HSBC's staff were not given enough training to prevent identity theft risks.
Three of HSBC's firms have been named by the FSA for the data loss and fined. HSBC Life UK was fined £1,610,000, HSBC Actuaries and Consultants was fined £875,000, and HSBC Insurance Brokers was fined £700,000. "All three firms failed their customers by being careless with personal details, which could have ended up in the hands of criminals," said Margaret Cole, director of enforcement at the FSA.
- HSBC firms fined over £3m for information security failings, press release from the FSA.