Banking giant HSBC has been fined more than £3 million for failing to protect its customers from fraud - and for losing the details of nearly 200,000 people in the post.
Three HSBC firms - HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers - were fined for sending large amounts of unencrypted customer details through the post or by courier to third parties. In addition, confidential information about customers was left on open shelves or in unlocked cabinets - putting it at risk of being lost or stolen.
On two occasions customer data was lost in the post. In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, which contained the personal information of just under 2,000 pension scheme members, including addresses, dates of birth and national insurance numbers.
Following the incident, all three firms were warned by HSBC Group Insurance’s compliance team about the need for robust data security controls in July 2007.
However, in February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post.
The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime, says the Financial Services Authority (FSA). As a result, it has fined the banking giant's firms a collective £3.2 million for security failings.
Margaret Cole, director of enforcement at the FSA, says: “These breaches are very disappointing. All three [HSBC] firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.”
She adds: “It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect customers’ details.”
HSBC Life UK was fined £1.61 million, HSBC Actuaries and Consultants was hit with an £875,000 fine and HSBC Insurance Brokers had to pay £700,000.
However, as all three firms co-operated fully with the FSA during its investigation and agreed to settle at an early stage, they qualified for a 30% discount on the fines.
The firms say they have now taken a number of steps to address the issues, including contacting the customers concerned, improving staff training and requiring that all electronic data in transit is encrypted.
Clive Bannister, group managing director of HSBC Insurance, says: "While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We believe our customers can have confidence that we are doing everything we can to protect their privacy."
Over the past four years, the FSA has fined five firms for data security lapses and fraud, including Nationwide (£980,000), Norwich Union (£1.2 million) and BNP Paribas Private Bank (£350,000).