The UK's financial watchdog, the Financial Services Authority (FSA), has fined three companies - HSBC Life, HSBC Actuaries, and HSBC Insurance Brokers - which are part of the banking group HSBC, one of the world's largest, a total of £3 million for repeatedly "being careless with personal details" of its customers, it announced today.
The FSA said that even though HSBC was well aware of its duty to protect customer information, the watchdog had found that:
"large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft."
The FSA said it was fining HSBC for two major violations of data protection. The first was in April 2007 when HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.
In July 2007, all three firms were warned by HSBC Group Insurance's compliance team about the need for robust data security controls.
Yet, the FSA said, in February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post.
When I blogged about this breach last year, the story was that 370,000 records had been lost. There was no explanation why this number was reduced to less than half that number.
HSBC agreed to settle with the FSA early - otherwise, it could have faced a fine amounting to £4.55 million.
HSBC said that it "regretted the breaches," but as far as it knew, no one had been harmed by its carelessness.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.