HSBC has received an almost £3.2 million fine from the Financial Services Authority (FSA) after three of its firms lost computer discs and posted unencrypted customer details.
The UK's biggest bank was fined for the "careless" handling and loss of confidential details of tens of thousands of its customers.
Three parts of the group were targetted in the fine. HSBC Life lost an unencrypted CD with the details of 180,000 policy holders, and was fined £1,610,000. HSBC Actuaries lost a disc with data on 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers, which lead to a £875,000 penalty. HSBC Insurance Brokers was hit with a fine of £700,000.
During its investigation, the FSA also found that confidential information about customers was often left on open shelves or in unlocked cabinets that could easily be lost or stolen.
Margaret Cole, director of enforcement at the FSA, said: “These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals."
"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details."
“Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat.
Cole also warned that banks could expect to see FSA issue more fines in cases where firms have been previously warned about lax information security practices.
Clive Bannister, HSBC Insurance's group managing director said: “Keeping our customers’ data confidential and secure is vitally important to everyone at HSBC. We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret."
Bannister added that HSBC has taken remedial action to address the problems that FSA identified, including stronger processes to ensure all confidential data that is electronically transmitted or stored and transported on CDs and laptops is encrypted, better training for staff and restricting the ability to download data to portable devices.