HSBC fined £3.2m for losing customer data

by Phil Muncaster

22 Jul 2009

HSBC sent unencrypted customer data in the post on two separate occasions

Banking giant HSBC has been fined nearly £3.2m by the Financial Services Authority (FSA) after losing unencrypted customer details in the post.

HSBC Life was fined £1.6m, HSBC Actuaries was fined £875,000 and HSBC Insurance Brokers was fined £700,000 after an FSA investigation found that the bank lost customer data in the post on two separate occasions in April 2007 and February 2008.

The FSA discovered that large amounts of confidential unencrypted customer details had been sent via the post or courier to third parties, or had been left on open shelves or in unlocked cabinets. The financial regulator also concluded that staff had not been given sufficient security training.

"These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals," said Margaret Cole, head of enforcement at the FSA.

"It is also worrying that increasing awareness around the importance of keeping personal information safe, and the dangers of fraud, did not prompt the firms to do more to protect their customers' details."

HSBC has now taken a number of measures to address the problems, including improving staff training and encrypting all data in transit, said the FSA.

John Redeyoff, director of consulting at security testing firm NCC Group, said that the case shows the importance of staff training, and ensuring that employees are fully aware of corporate security strategies.

"I hope every risk manager in every organisation which handles customer data is trying to put this on the next board agenda," he said.

"You can spend as much as you like on technology, but it comes down to human awareness and people taking responsibility at an individual level for information security."

Redeyoff added that security managers should promote such campaigns as a way to differentiate their organisations in their marketplace.

Do you agree?

 
