HSBC, the UK's largest bank, lost an unencrypted data disc containing the names and insurance information of 370,000 customers. HSBC sent the disc via unregistered postal mail because its usual method of secure electronic data transmission "wasn't working."
Network World reports the bank's response:
"The data, which was password-protected, includes names, life insurance cover levels, dates of birth and whether or not a customer smokes. There is nothing else that could in any way compromise a customer and there is no reason to suppose that the disc has fallen into the wrong hands," the bank said in a statement.
"We don't normally send information on hard copy, but usually send electronically through this secure network. But the system wasn't working the day this information needed to be sent to the reinsurer."
THE PROJECT FAILURES ANALYSIS
According to Forbes, HSBC is the world's largest company, meaning it has the resources needed to properly secure customer data. As an axiom, unencrypted confidential data should never be sent through the mail.
The situation is particularly disturbing in light of a similar, and extremely well-publicized, incident at the UK Revenue & Customs (HMRC). In that case, 25 million names were lost when discs were also sent through the mail.
HSBC has demonstrated a complete lack of regard for handling secure, confidential, and private customer data. I urge the Information Commissioner's Office (ICO) to take swift and appropriate action against HSBC.