The Register® — Biting the hand that feeds IT


Bank fined £3m for data loss


Still not taking it seriously


The Financial Services Authority has fined HSBC £3m for failing to properly look after its customers' information and private data.

These failures to follow proper processes led to at least two losses of customer data.

The FSA investigated the bank and found unencrypted customer details on open shelves and unlocked cabinets. Customer details were also sent via the post or couriers to third parties, and staff were not trained in dealing with risks associated with identity theft.

In April 2007 HSBC Actuaries lost details on 1,917 pension scheme members. In July HSBC Actuaries, along with two other subsidiaries, were warned by HSBC Group Insurance's compliance department to sort out data security. But in February 2008 HSBC Life sent an unencrypted CD through the post containing details of 180,000 customers. The CD was lost.

HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

Margaret Cole, director of enforcement at the FSA, said: "These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.

"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details."

Since HSBC cooperated with the FSA investigation, it had its fine discounted by a third. ®


Latest Comments
Anonymous Coward

Really now

Ultimately it's up to the bank's customers to demand fair and competent treatment. And that's the *only* way you're ever going to get better banks. If instead you demand that your government does all your thinking and decision-making for you, you'll only ever get f'd in the a by incompetent bureaucrats and opportunistic businessmen.

HSBC is awful at protecting their customers because HSBC's customers haven't been nearly skeptical enough about their protection. Yes, it's the sort of thing you don't want to think about because it means you have to "get involved" and "think" and "be a conscious consumer", and clearly there is a role for government in preventing criminal behaviour (like selling non-existent security), but in the end supply can only converge on actual demand. Which means we get what we deserve.

0
0

@ steogede

You lightly suggest a couple of weeks' gaol as adequate punishment - perhaps it would be, because it would then give the careless blighters a criminal record, which would ensure that they were no longer in a position to vote themselves pay rises or bonuses.

This would, like the famous case of Admiral Byng, definitely encourage the others.

0
0
Anonymous Coward

@ Scott Broukell

There are a couple of databases that could do the job... HR and payroll.

0
0

Re: Thanks

> The FSA have just ensured HSBC pass bigger fees onto customers...

That's what I thought at first, but then again, if HSBC pass on bigger fees, that makes them less competitive, which means fewer customers - so if they are wise, they may decide to take it out of the profits, which means less for the shareholders.

No, I don't believe it either. We'll end up paying for their loss of our data. I would have preferred jail time for the execs, even if it was only a couple of weeks. Or personal fines (but they'd probably just give themselves a pay rise to cover it).

0
0

Inexcusable

These fines are far too low, there are no prison sentences for the owners and therefore there is no incentive for other banks or financial organisations to clean up their acts.

The least any business that finds it necessary to store the financial records of their customers should be required to do in this event is offer proper compensation to every customer affected.

That doesn't mean a year of credit monitoring and an email providing links to Equifax and Transunion. That means paying the penalties these customers now face when they try to get loans or have their credit card interest rates jacked up because their credit is trashed.

If the cost of a mortgage goes up 300 quid because a customer's credit rating is wrecked, then the bank should be forced to pay that customer 300 quid a month until they fix the problem.

If the interest rate of a credit card goes up 10% the bank should be forced to pay the credit card bill for as long as it takes for the credit card bank to restore the previous rate.

Prison sentences should match these time frames and should be handed out to everyone who sits in the board room or is a partner of the business that fails to secure the information of their customers.

Suspension from being able to offer any sort of financial service to new customers until they've fixed the problems of their existing customers.

Tell me this is too much and I'll say fuck you, if it was too much then we wouldn't see 100s of thousands of people put at risk every week by banks and other companies operating like cowboys in the financial industry.

If they don't want to employ the people necessary to secure the data, they should be forced to pay the real penalty of losing it. Farming out tech to the lowest overseas bidder is fine as long as they are willing to face real consequences when it all goes to shit.

Tell me why they should be free to keep operating when they just cost anything from 100,000 to 1,000,000 people hundreds of pounds a month in interest rate costs, not to mention losing the ability to get new loans and stopping them from being able to buy a house.

Alternatively we can just shut down any bank or pension company that violates simple data protection laws and move their customers to the banks or pension companies that know how to secure their data.

0
0