
More than 16.5 million people were placed at risk
of identity theft, after their details
were lost or stolen from financial services
firms, Computer Weekly has
learned.
The figures, obtained by Computer Weekly under the Freedom of
Information Act, show more than one in four
UK consumers were placed at risk by financial firms last
year.
The disclosure has sparked calls from opposition MPs for
legislation to force financial services companies to report
incidents to the
Financial Services Authority.
Financial services companies reported 56 incidents of lost or
stolen data to the
Financial Services Authority (FSA) last year, Computer Weekly
has learned.
Investigations by the watchdog revealed the firms had lost 16.57
million customer records in a total of 39 security breaches.
But the number of customers affected may be even greater. The
FSA identified another 14 incidents where it was unable to
determine the number of compromised records. And experts warned
there is no guarantee firms always come clean to the regulator.
"If consumers find their banking information or identity is lost
then the costs are high," said security consultant Graham Cluley of
Sophos. "If identity thieves get hold of the information then
consumers' financial circumstances could be in a state of
crisis."
Shadow Home Affairs Minister James Brokenshire called for
greater controls on the security of personal data.
"With more and more people becoming the victims of identity
fraud and other scams using personal information, we need to raise
the bar on data security risk management," he said.
The data protection watchdog, the
Office of the Information Commissioner, said it was
disappointing some firms were still failing to adequately protect
their data.
"It is disappointing that some organisations are still failing
to take their data protection responsibilities seriously," said a
spokesman.
"We have repeatedly called on chief executives to ensure that
the security of individuals' details is taken very seriously."
An FSA spokeswoman said: "We expect firms to tell us about
significant data loss and would take a dim view if we found out
later that a firm had failed to notify us. We said in our data
security report that it is possible that some data losses go
unreported."
The regulator refused to name the companies involved but has
advised them to notify customers.
Security consultant Matthew Pemble, a former incident response
manager at a major high street bank, said: "This figure is
startling but we need to concentrate, not necessarily on the
number, but on whether this is a high risk. A lot of high-scale
losses of data occur when data has just gone missing rather than
ending up in the hands of fraudsters."
Fifty-six data loss cases were investigated by the Financial
Crime Operations team at the FSA in 2007, according to FOI
statistics obtained by Computer Weekly.

| Incident | Number of occurrences |
|---|---|
| Lost or stolen laptops containing customer data | 19 |
| External attack on computer system or database containing customer data | 2 |
| Customer data sent to wrong recipient | 7 |
| Lost CD or other media (USB stick, microfiche, back-up tapes etc) containing customer data | 14 |
| Multiple customers' statements or credit cards lost or stolen in the post | 4 |
| Stolen briefcase containing customer data | 1 |
| Stolen filing cabinet containing customer data | 1 |
| Multiple customer data stolen or removed from firm without authorisation by an employee or contractor | 4 |
| Hardware disposed of without being adequately cleaned of customer data | 1 |
| Stolen server containing customer data | 1 |
| Investigation of general data security systems and controls weakness | 1 |
| Insecure disposal of confidential paper | 1 |