HSBC fined £3.2 million for data lost in the post

HSBC has found itself on the receiving end of a record fine of over £3 million, after the Financial Services Authority (FSA) found that it had carelessly handled the data of thousands of customers.

Last year it was revealed that a CD ROM containing confidential details of 369,000 insurance policies was lost in the post. The data included names, ages, sex, dates of birth, smoker status and other details of more than 180,000 people.

The personal information was lost after HSBC staff used the Royal Mail to deliver it to an office of Swiss Re in Folkestone. HSBC admitted that the sensitive information had been sent by post because their usual electronic transfer system was unavailable.

Although the disc was password-protected, the data contained upon it was not encrypted, and a search at both the HSBC and Swiss Re office failed to find it.


An earlier incident in April 2007 saw an unencrypted floppy disk, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers, lost after staff at HSBC Actuaries put it in the post.

The FSA also uncovered evidence that HSBC Life was keeping unencrypted electronic copies of more than 740,000 “live” policies and over 1 million “non-live” policies in unlocked filing cabinets, and that HSBC was routinely sending data through the post without paying for recorded delivery.

“Keeping our customers’ data confidential and secure is vitally important to everyone at HSBC… but it is clear that in these instances we have fallen short, which we sincerely regret,” said Clive Bannister, group managing director of HSBC Insurance.

News of the lax data security and the hefty fine has understandably made the headlines in the UK.

Here’s a TV report from ITN:

[youtube=http://www.youtube.com/watch?v=by-ZxrvP9OU&hl=en&fs=1&]

The financial penalties levied against the three HSBC firms are as follows: HSBC Life UK was fined £1,610,000, HSBC Actuaries and Consultants was fined £875,000, and HSBC Insurance Brokers was fined £700,000.

Financial rivals would be wise not to be smug about HSBC’s misfortune. All companies handling the personal private information of customers need to ensure that they are treating the security of that data as a priority, rather than putting the identities of innocent people at risk.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
