HSBC Holdings, Europe's biggest bank, was fined 3.2 million pounds ($5.2 million) on Wednesday for information security breaches, the biggest fine Britain's financial regulator has ever imposed for data security lapses.
The lapses include sending confidential data of 180,000 insurance policy holders through the post by unrecorded delivery and leaving customer data in open sacks in a reception area.
The Financial Services Authority (FSA) said three of the bank's units — HSBC Life, HSBC Actuaries and HSBC Insurance Brokers — had failed to put in place adequate systems and controls to protect customers' details from being lost or stolen. The three units were fined 1.6 million pounds, 875,000 and 700,000, respectively.
In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The disk was sent by unrecorded delivery and contained names, ages, sex, dates of birth and policy numbers.
The incident occurred during a period of heightened awareness about financial crime. There were a series of high-profile data security breaches in 2007 and 2008, including Britain's HM Revenue and Customs losing two unencrypted computer disks that contained the personal details of 25 million people.
The regulator said HSBC firms were "careless" with personal data "which could have ended up in the hands of criminals".
"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," said Margaret Cole, director of enforcement at the FSA.
The FSA said that in December 2006, staff at HSBC Insurance Brokers, which has about 65,000 corporate customers, were routinely disposing of customer data, such as bank account details, as regular waste paper. The details were left in open sacks in the head office's reception area awaiting refuse collection, the FSA said.
FSA also said that HSBC Actuaries lost an unencrypted floppy disk, containing data relating to almost 2,000 pension scheme members, in April 2007. Another disk was potentially lost the same month, and neither disk was ever recovered.
HSBC said that it had taken a number of measures to address the problems raised by the FSA, such as ramping up its data protection awareness training for staff and ensuring that all confidential data is encrypted.
"While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence," HSBC Insurance Managing Director Clive Bannister said.
The FSA has fined five other companies for data security lapses or fraud in recent years. The previous biggest fine was 1.3 million pounds for Norwich Union, which is owned by Aviva.
