HSBC joins the list of personal data losses
HSBC has become the latest organisation to lose customer data in the post. A disk containing the insurance details of 370,000 HSBC customers was dispatched on January 31 by Royal Mail Business Post from the bank's Southampton office to insurers Swiss Re in Folkestone. It disappeared, and it is still unknown whether it was ever delivered. Sources differ on the date the loss was discovered. The earliest date, according to the Daily Telegraph, was 11th February, but other sources suggest the bank did not find out about the loss until early March.
The bank has stated that it has detected no fraudulent activity associated with the loss and assured the press that the data are unlikely to compromise its customers, as they include no addresses or banking information. However, the disk did include names, birth dates, policy numbers and levels of insurance cover. According to The Times, the electronic transfer system that would normally have been used had failed, so the data, which were required urgently by the insurers, were dispatched by post on a disk.
Numerous procedural failings have emerged. The disk – or more probably the file on it – was "password protected" but not encrypted. It was not sent by Registered Post, so no tracking data were available. At least 12 days apparently elapsed between its dispatch and any check of its whereabouts. The Financial Services Authority (FSA) was informed of the loss only last week.
This loss comes to light at a critical time. A cascade of similar losses by both government and business has focused attention on the scale of the problem. In November 2007 the Information Commissioner demanded extended powers to deal with such incidents. At this year’s e-Crime Congress, a quarter of the respondents to a Websense survey stated that Board members responsible for major data breaches should face a custodial sentence, 79 per cent agreed those responsible should be fined, and 59 per cent believed that compensation should be awarded to affected data subjects.