HSBC loses customer data

Details of over 350,000 customers go missing in the post

HSBC has lost a disc containing details of 370,000 of its customers, in an incident which will raise further questions about firms' data security policies.

The loss occurred four weeks ago when HSBC used the Royal Mail to transport its disc between the bank’s offices in Southampton and Folkestone, an HSBC spokesman told IT Week.

The disc was password protected and contained names, life insurance cover levels, dates of birth and whether or not a customer smokes, said HSBC in a statement. “There is nothing else that could in any way compromise a customer and there is no reason to suppose that the disk has fallen into the wrong hands. "

However this is the latest in a large number of security breaches, ranging from the HM Revenue and Customs loss of computer discs to the loss of patient records and government laptops. Questions are increasingly being asked about why organisations are not learning from each other’s high profile mistakes.

Paul Vlissidis, technical director of IT consultancy NCC, said the losses indicate “basic stupidity”.

“Organisations need to wake up to the fact that their data is precious and enforce its protection properly at all levels," he said. “This means no more storing hundreds of thousands of sensitive records on unencrypted media, bans on taking critical information off-site and not giving single users access to millions of personal records.”

Vlissidis argued that although it is tempting for managers to take the easy option, they should not entrust courier services with sensitive information. “In the case of customer data, out of sight is most certainly not out of mind,” he said.

Matt Fisher, vice president of security firm, Centennial Software, listed t hree major contributing factors to data loss incidents. “First, there is an institutionalised lax approach to data security, where staff do not fully understand how to handle sensitive data,” he said. “Second, there is no technology in place to manage which computer users are able to copy confidential data to removable media devices like CDs or UB sticks.”

Fisher added that full data encryption is eseential. “On the rare occasion there is a real business need to transfer data of this nature to a third party, I would insist on the data being encrypted with a 256-bit cipher and that it was sent by a private courier (or preferably an employee) direct to its destination.”

Brain Spector, general manager of the content protection group at Workshare, said that the incident would undermine HSBC's attempts to build and maintain customer loyalty.

“Considering the current climate of economic uncertainty HSBC’s loss of sensitive data is unacceptable," he added. "This blunder will cause significant damage to the bank’s reputation and is another example of the lax approach to data security that major organisations continue to take."

But Eldar Tuvey, chief executive of web security firm ScanSafe, said he has seen an increase in data protection activity among the banking industry. "There has been a growing interest in our Anywhere+ services in order to prevent data loss from laptops and make it possible for companies to protect their roaming employees wherever they are working," he added.

The Financial Services Authority (FSA) has been informed of the HSBC’s data loss and HSBC has apologised to all its life assurance customers. The bank plans to contact them shortly, it said.