HSBC companies slapped with US$5M fines over data breaches

By Jo Best, Special to ZDNet Asia
Thursday, July 23, 2009 04:33 PM

Three HSBC companies have been hit with fines after the financial services watchdog found they weren't doing enough to protect customers' data.

The U.K. Financial Services Authority (FSA) fined HSBC Life 1.6 million pounds (US$2.6 million), HSBC Actuaries 875,000 pounds (US$1.4 million) and HSBC Insurance Brokers 700,000 pounds (US$1.1 million)--making a total of 3.1 million pounds (US$5.1 million) in penalties between them.

Because the three firms settled with the FSA, their fines were discounted by 30 percent--the original charges totaled 4.55 million pounds (US$7.47 million).

The FSA handed down the fines after an investigation found that customer data was sent unencrypted to third parties and via couriers, and was left openly in unlocked cabinets and on shelves.

Staff were also not given proper training on how to spot and deal with risks such as identity theft, the FSA found.

Clive Bannister, group managing director of HSBC Insurance, said the company regrets falling short in dealing with customers' data.

"While this is a serious matter, no customer reported any loss from these failures. We are doing everything possible to prevent a recurrence. We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy," he said in a statement.

Two of the HSBC companies recorded losses of data: in 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the details of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers; while 2008 saw HSBC Life lose an unencrypted CD containing the details of 180,000 policy holders in the post. Those affected have been alerted to the losses by the companies.

Margaret Cole, director of enforcement at the FSA, described the losses as "disappointing".

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," she said in a statement.

The three companies have now improved staff training and use encryption when data is being moved.

Jo Best of Silicon.com has reported from London.

Talkback (1 comment)

Why hasn't TD Ameritrade been slapped with fines over data breaches?
6 million social security numbers (or the equivalent) were not just not properly secured, as in this HSBC case, but were actually compromised by criminals. Yet there has been no regulatory action by US, UK, or other regulators!
datalossdb.org...
caringaboutsecurity.wordpress.com...
Posted by anonymous on Sunday, July 26 2009 03:46 AM
