The Financial Services Authority has hit HSBC with fines totalling £3.2 million for security failings at three units that led to the loss of sensitive customer data, putting thousands at risk of identity theft.
In April 2007, HSBC Actuaries lost in the post an unencrypted floppy disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.
Despite a July 2007 warning by the bank's insurance compliance team about the need for robust data security controls, in February 2008 HSBC Life lost in the post an unencrypted CD containing the details of 180,000 policy holders.
The FSA says the units did not have adequate systems and controls in place to protect their customers' confidential details from being lost or stolen.
An investigation by the watchdog revealed that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.
Margaret Cole, director, enforcement, FSA, says: "All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details."
HSBC Life was fined £1,610,000, HSBC Actuaries and Consultants £875,000 and HSBC Insurance Brokers £700,000. All three firms agreed to settle at an early stage of the investigation and qualified for a 30% discount.