HSBC hit by £3 million fine by FSA for losing personal data
Three HSBC business units have been fined more than £3 million by the Financial Services Authority (FSA) for security failings that led to the loss of customers' sensitive personal details, exposing them to the risk of identity theft and fraud.
The FSA said that HSBC customer data had been lost in the post on two separate occasions, necessitating the £3,185,000 fine. The firms concerned are HSBC Life UK, HSBC Actuaries and Consultants and HSBC Insurance Brokers, which were fined £1,610,000, £875,000 and £700,000 respectively. A 30 per cent reduction in the fine was enacted because all three HSBC units agreed to settle at an early stage of the investigation.
The first incident dates back to April 2007 when HSBC Actuaries lost an unencrypted disk in the post with the personal details of almost 2,000 pension scheme members, including their dates of birth, addresses, and national insurance details. Despite apologies and a warning to staff from the bank about the need for effective security procedures, another unencrypted disk was lost in the post in February last year by HSBC Life, containing the personal details of 180,000 policy holders. The confidential information on both disks could have helped criminals to steal customers' identities and commit financial crime.
During its subsequent investigation into the firms' data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via the post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft. These lax procedures were what ultimately led to the large fine.
Margaret Cole, director of enforcement at the FSA, said: "These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details.
"Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat. In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."
The HSBC business units say they have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.