Halifax Bank of Scotland's loss of an unencrypted
computer disc containing the details of 62,000 customers has
highlighted the need for stronger data security in departmental
processes where IT has little control over end-users.

The bank admitted last week that it had lost confidential
customer details after accidentally sending a CD to a credit
reference agency by insecure post without going through the normal
encryption process.

"This was a failure of two processes: the disc not being
encrypted by the mortgage team, and not being sent by secure post,"
said a spokesman for HBOS. "Due to human error, on this occasion
the usual policies were not followed."

In the wake of the incident, experts said that organisations
should develop risk mitigation strategies to protect data that
moves outside of the IT department's control.

"If the data is going to go outside the building, the process
needs to allow for that - and something needs to be in place to
mitigate the risk," said Guy Bunker, chief scientist at security
firm Symantec.

Mike Lardschneider, chief information security officer at
insurer Munich Re Group, said IT security must be instilled in
employees as part of a wider security ethic, and at all user levels.

The Information Commissioner's Office and the Financial Services
Authority were alerted by HBOS last week and are in the process
of carrying out investigations. The bank believes the disc has been
"mislaid in the post" rather than stolen.