HSBC fined £3m for data losses
Posted: July 29th, 2009 | Author: Meha | Filed under: Data Security, Government | Tags: Data Loss Risk, Security
HSBC, Britain’s biggest bank, has been fined £3m by the financial regulator for failing to protect customers’ confidential details after data was lost in the post on two occasions. Three companies belonging to the bank’s insurance division have been fined by the Financial Services Authority after it found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen.
The failings date back to April 2007, when HSBC Actuaries, a division of the bank, lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers. Later in February 2008, HSBC Life, another division, lost an unencrypted CD containing the details of 180,000 policyholders in the post. The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime. The FSA fined HSBC Life £1.61m, HSBC Actuaries was fined £875,000 and HSBC Insurance Brokers was fined £700,000.
Margaret Cole, director of enforcement at the FSA, said: “These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.
“It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details.”
Clive Bannister, group managing director of HSBC Insurance, said the group regretted the incident:
“Keeping our customers’ data confidential and secure is vitally important to everyone at HSBC,” he said.
“We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy.”
The data loss by HSBC is not the first time that data have gone missing from financial institutions and government departments. In November 2007, the government admitted that it had lost two CDs containing details of 25m child benefit records.
Another bank, HBOS, now owned by Lloyds, apologised to more than 60,000 mortgage customers in June 2007 after private information about them was lost in the post. The FSA takes any loss of data seriously.
In the past it has fined Nationwide, the building society, £980,000 for lapses in information security procedures after a laptop containing sensitive customer information was stolen from an employee’s home.
Norwich Union, part of Aviva, was fined £1.26m for not having effective controls in place, enabling fraudsters to obtain customers’ details and cash in £3.3m of policies.
A report issued by the regulator last year found that many financial services firms still had lax attitudes toward their customers’ private information, despite the series of high-profile incidents.