The Financial Services Authority (FSA) has fined HSBC Holdings, Europe's largest bank, £3.2m for a series of data breaches at three of its subsidiary companies in 2007 and 2008.
The punishment is by far the largest data loss fine the FSA has imposed for an information security breach. The most significant previous penalty was a £1.3m fine against insurance provider Norwich Union Life Insurance Co. in 2007, and before that, a fine of £980,000 against Nationwide Building Society that same year.
In a statement, the FSA said it found inadequate systems and controls in place to protect customers' confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.
The three companies fined were HSBC Life U.K. Ltd., HSBC Actuaries and Consultants Ltd. and HSBC Insurance Brokers Ltd.
The FSA said it discovered that large amounts of unencrypted customer details had been sent via post or courier to third parties. In addition, confidential customer information was also left on shelves or in unlocked cabinets and could have been lost or stolen. Also, according to the Financial Services Authority, staff was not given sufficient training on how to identify and manage risks like identity theft.
The report states that in April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post containing the personal information of 1,917 pension scheme members. Following that event, HSBC Group Insurance's compliance team warned all three companies about the need for robust data security controls. In February 2008, however, HSBC Life lost through the post an unencrypted CD containing the details of 180,000 policy holders.
"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals," said Margaret Cole, director of enforcement at the FSA. "It is also worrying that increasing awareness around the importance of keeping personal information safe, and the dangers of fraud did not prompt the firms to do more to protect their customers' details."
The report says the companies have now improved their staff training and require that all electronic data in transit is encrypted.