Three HSBC companies have been hit with fines after the financial services watchdog found they were not doing enough to protect customers' data.
The Financial Services Authority (FSA) fined HSBC Life £1,610,000, HSBC Actuaries £875,000 and HSBC Insurance Brokers £700,000 — making a total of £3m in penalties between them.
Due to the fact the three firms settled with the FSA, their fines were discounted by 30 percent — the original charges totalled £4.55m.
The FSA handed down the fines after an investigation found customer data was sent without encryption to third parties and via couriers, and left in unlocked cabinets and shelves openly.
Staff were also not given proper training over how to spot and deal with risks like identity theft, the FSA found.
Clive Bannister, group managing director of HSBC Insurance, said the company regrets falling short in dealing with customers' data.
"While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy," he said in a statement.
Two of the HSBC companies recorded losses of data: in 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the details of 1,917 pension-scheme members, including addresses, dates of birth and national insurance numbers; while 2008 saw HSBC Life lose an unencrypted CD containing the details of 180,000 policy holders in the post. Those affected have been alerted to the losses by the companies.
Margaret Cole, director of enforcement at the FSA, described the losses as "disappointing".
"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," she said in a statement.
The three companies have now improved staff training and use encryption when data is being moved.