Halifax Bank of Scotland's loss of an unencrypted computer disc containing the details of 62,000 customers has highlighted the need for stronger data security in departmental processes where IT has little control over end-users.
The bank admitted last week that it had lost confidential customer details after accidentally sending a CD to a credit reference agency by insecure post without going through the normal encryption process.
"This was a failure of two processes: the disc not being encrypted by the mortgage team, and not being sent by secure post," said a spokesman for HBOS. "Due to human error, on this occasion the usual policies were not followed."
In the wake of the incident, experts said that organisations should develop risk mitigation strategies to protect data that moves outside of the IT department's control.
"If the data is going to go outside the building, the process needs to allow for that - and something needs to be in place to mitigate the risk," said Guy Bunker, chief scientist at security firm Symantec.
Mike Lardschneider, chief information security officer at insurer Munich Re Group, said IT security must be instilled in employees as part of a wider security ethic, and at all user levels.
The Information Commissioner's Office and the Financial Services Authority were alerted by HBOS last week and are in the process of carrying out investigations. The bank believes the disc has been "mislaid in the post" rather than stolen.