HSBC has found itself on the receiving end of a record fine of over £3 million, after the Financial Services Authority (FSA) determined that it had carelessly handled the data of thousands of customers.
Last year it was revealed that a CD ROM containing confidential details of 369,000 insurance policies was lost in the post. The data included names, ages, sex, dates of birth, smoker status and other details of more than 180,000 people.
The personal information was lost after HSBC staff used the Royal Mail to deliver it to an office of Swiss Re in Folkestone. HSBC admitted that the sensitive information had been sent by post because their usual electronic transfer system was unavailable.
Although the disc was password-protected, the data contained upon it was not encrypted, and searches at both the HSBC and Swiss Re offices failed to find it.
An earlier incident in April 2007 saw an unencrypted floppy disk, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers, lost after staff at HSBC Actuaries put it in the post.
The FSA also uncovered evidence that HSBC Life was keeping unencrypted electronic copies of more than 740,000 “live” policies and over 1 million “non-live” policies in unlocked filing cabinets, and that HSBC was routinely sending data through the post without paying for recorded delivery.
“Keeping our customers’ data confidential and secure is vitally important to everyone at HSBC… but it is clear that in these instances we have fallen short, which we sincerely regret,” said Clive Bannister, group managing director of HSBC Insurance.
News of the lax data security and the hefty fine has understandably made the headlines in the UK.
The financial penalties levied against the three HSBC firms are as follows: HSBC Life UK was fined £1,610,000, HSBC Actuaries and Consultants was fined £875,000, and HSBC Insurance Brokers was fined £700,000.
Financial rivals would be wise not to be smug about HSBC’s misfortune. All companies handling the personal private information of customers need to ensure that they are treating the security of that data as a priority, and not putting the identities of innocent people at risk.