HSBC fined £3 million by FSA over data security

Data breaches lead to massive fines for three HSBC firms after disks were lost in the post.

Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data.

The FSA claimed the three firms sent large amounts of unencrypted data - often on discs sent via the post - and staff were untrained on the issue of identity theft.

The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policyholders - also in the post.

In 2007, HSBC's own compliance team warned all three firms to shape up, but clearly the message didn't get through.

Margaret Cole, director of enforcement at the FSA, called the breaches "disappointing."

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals," she said in a statement.

"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details."

She warned other firms to learn from HSBC's example or face fines. "In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."

HSBC Life was fined £1,610,000, HSBC Actuaries was fined £875,000, and HSBC Insurance Brokers was fined £700,000. All three firms agreed to early settlements, so the fines reflect a 30 per cent discount on what they could have been.

Fixing the problem

Clive Bannister, group managing director of HSBC Insurance, stressed that no customers had been hurt by the breaches. "While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence," he said in a statement.

"We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy," he added.

The FSA agreed that the three firms had taken "remedial" action to deal with the breaches, alerting customers to the lost data, increasing staff training, and encrypting data.

Bannister added that 33,500 staff had since been trained in data security, while HSBC was running a business-wide awareness campaign. He also said that the downloading of data to portable devices was now "restricted."

It's not the first big data breach fine from the FSA - it fined Norwich Union Life £1.26 million in 2007.

Indeed, the financial sector faces bigger sanctions than most when it comes to data security, because the FSA can issue fines. The Information Commissioner's Office, which polices the rest of UK organisations on data issues, cannot yet issue fines, despite being approved by the government last year to do so.
