HSBC fined £3.2m for lax data security

The biggest ever fine from Britain's financial watchdog - £3.2million - has been imposed on HSBC, for its "careless" handling of customers' confidential details.



Three of the bank's insurance arms had lax data security controls and systems, the FSA found, which would have landed it a bigger fine - £4.5million - had it not settled early.



The security failings, which occurred over an 11-month period, led to customers' unencrypted data being lost in the post, first by HSBC Actuaries and then by HSBC Life.



Actuaries, fined £875,000, lost a computer disk containing 2,000 pension customers' details, including addresses, dates of birth and national insurance numbers, in April 2007.



Life, fined £1.6m, made the same mistake in February 2008, when it admitted that a CD it had posted, loaded with the details of 180,000 policy-holders, had also gone missing.



The Financial Services Authority said both losses put people at risk from identity theft and fraud, which HSBC Life, Actuaries and Insurance Brokers were warned about in July 2007.



At all three units, the FSA concluded that increasing awareness at HSBC of the need to protect customers' confidential details failed to inspire "adequate" actions to do the job.



Evidencing its findings, the regulator said HSBC staff were not sufficiently trained to spot or tackle identity theft, and that customers' confidential details were left on open shelves.



"These breaches are very disappointing," said Margaret Cole, director of enforcement at the FSA. "All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals."



"Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat.



"In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."



HSBC said it has taken a number of remedial actions since the FSA's investigation, including improving staff training and requiring that all electronic data in transit is encrypted.



The bank co-operated fully with the regulator's inquiry and qualified for a 30 per cent discount on the proposed penalty because all three firms agreed to pay out at an early stage.























Jul 24, 2009