The Financial Services Authority (FSA) has fined HSBC Holdings, Europe's largest bank, £3.2m for a series of data breaches at three of its subsidiary companies in 2007 and 2008.
The punishment is by far the largest data loss fine the FSA has imposed for an information security breach. The most significant previous penalty was a £1.3m fine against insurance provider Norwich Union Life Insurance Co. in 2007, and before that, a fine of £980,000 against Nationwide Building Society that same year.
In a statement, the FSA said it found inadequate systems and controls in place to protect customers' confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.
The three companies fined were HSBC Life U.K. Ltd., HSBC Actuaries and Consultants Ltd. and HSBC Insurance Brokers Ltd.
The FSA said it discovered that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential customer information was also left on shelves or in unlocked cabinets, where it could have been lost or stolen. Also, according to the Financial Services Authority, staff were not given sufficient training on how to identify and manage risks like identity theft.
The report states that in April 2007, HSBC Actuaries lost an unencrypted
"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals," said Margaret Cole, director of enforcement at the FSA. "It is also worrying that increasing awareness around the importance of keeping personal information safe, and the dangers of fraud did not prompt the firms to do more to protect their customers' details."
The report says the companies have now improved their staff training and require that all electronic data in transit be encrypted.