HSBC pops thousands of customer details in the post
Guess what happened next?
Posted in Management, 7th April 2008 11:06 GMT
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
HSBC has admitted that it has misplaced 370,000 customer details, which were put in the post a month ago on an unencrypted disc.
The envelope has not arrived at its intended destination - a reinsurance firm.
A spokesman for HSBC told the Reg: "We have sent a disc to our reinsurers which they never received. The disc was not encrypted but was password-protected. Our normal method is to use electronic transfer but on the day this happened the system was down so it was sent by disc instead." The disc was sent using ordinary Royal Mail services.
Nick Lowe, regional director for Northern Europe at security firm Check Point said: “The disc was apparently password-protected, but this can be overcome fairly easily by an IT-literate person.
“In this sector, where information is highly sensitive, always-on strong encryption of data is the minimum protection that should be applied to laptops, discs and USB storage devices."
The customer files did not contain account information or addresses but life insurance details, dates of birth and smoking habits.
HSBC has told the Financial Services Authority what happened. The FSA fined Nationwide £980,000 for breaching customer privacy last year by losing a laptop containing customer information. ®
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
COMMENTS
Re: I put this on the e-crime thread but figured it was pertinent here too
AC wrote:
"We've set them up password protected HTTPS upload functionality and SFTP connections but apprarently it's not covered in their current security documentation"
opening port 22 in a firewall for sftp leaves them vulnerable to bypassing the firewall using ssh port forwarding.
Also any encrypted traffic passing out of a network can't be monitored by the network admins so I'm not surprised that it's not allowed.
@ clovis
Also included was addresses, phone records and even medical details.
Hang them all, hang them all, hang them all!
... wait. Was this a big deal? Some names and dates of birth and smoker status? This matters... why? No use for identity theft. No use for an invasion of privacy - if you know anyone on the list you already know roughly how old they are, and smoker status isn't a secret (for any smokers labouring under the misapprehension that we don't know you smoke, I'm afraid the smell betrays you at first introduction).
@wize - a list of names and ages of kids is a 'pedo's goldmine'? WTF? Like the presence of children in a household is a mysterious secret which strangers can't uncover?
Please gentlemen, let's try to keep a sense of perspective here.
There's never a rolling eyes smilie when you need one.
Re: How many times
It happens all the time. A recently closed ice rink round here has dumped all their customer details in a skip. Names, ages, etc of kids. One guy referred to it as a "pedo's goldmine" or something similar.
How many times?
Interesting to note that there's been a rash of these stories recently. They're obviously newsworthy since the Revenooers lost all the Child Benefit data last November, but considering the number of times these disks have gone missing since, we must presume this sort of stuff happens all the time.
IT infrastructure monitoring strategies
The new Office Garage series:
Top 10 SIEM implementer’s checklist
