UK high street bank Halifax has admitted stolen documents from one of its employees contained data on 13,000 mortgage customers.
The documents were in a briefcase stolen from the locked car of an employee last week and the bank yesterday started writing to affected customers, after first reporting the breach to the Financial Services Authority (FSA) and the police.
Around 1,800 of the 13,000 customer records exposed by the theft included name, address, mortgage account number and account balance. The remainder included name, mortgage account number and approval status.
According to a spokesman for Halifax: "It would be almost impossible for any fraud to be committed with the information on the printout."
However, the bank, part of the HBOS Group, has promised: "No customer will be left out of pocket in the very unlikely event of fraudulent activity on their account following this unfortunate theft."
The theft further highlights the risk of taking data outside the organisation — whether in a digital or hard-copy format. In this instance the employee was intending to use the data during meetings with mortgage intermediaries.
Proponents of encryption have argued any sensitive data should travel in an encrypted format from point to point and a spokesman for encryption experts PGP said he found the decision to cart around printouts of 13,000 customer records — protected by "nothing more than a briefcase lock" — a strange one.
He said: "When people set up a security policy there are many steps to it and one of them will be the physical aspect in terms of what form you carry data in. Nowadays with the ability to manage this information much more easily on removable media with encryption whether that is on a USB or a hard drive or whatever makes sense, why would you take this as a hard copy?"
Shane O'Riordan, general manager of group communications at Halifax, said lessons have been learned, adding: "We are reviewing our procedures as a matter of urgency."
However, the PGP spokesman said Halifax should be praised for "doing the decent thing and notifying people" — despite no requirement on UK companies to do so.
Earlier this year the Nationwide building society was fined nearly £1m by the FSA after the theft of a laptop exposed customer data.