The Information Commissioner's Office and security analysts have slammed the HSBC bank for losing a disc containing "sensitive information" on 370,000 of its customers.
HSBC told Computerworld UK that the disc was password-protected, but not encrypted, and included names, life insurance cover levels and dates of birth.
The bank said that this sort of information was normally sent over a secure electronic channel, the system had not been working and the information was needed quickly, so it was sent by disc.
The case is reminiscent of HM Revenue and Custom's loss of two discs last November that contained the details of 25 million UK citizens. The discs have still not been found.
Responding to this latest break, the Information Commissioner’s Office (ICO) said the HSBC case demonstrates that data protection for the private sector must be regulated and enforced.
"Organisations which process personal information must ensure it is held securely. This is an important principle of the Data Protection Act. If banks and building societies fail to treat people’s personal information securely, they risk losing the confidence and trust of their customers. Our research shows that over half of individuals no longer have confidence in the way organisations such as banks, local authorities and government departments handle their personal information."
The ICO reiterated calls for stronger powers to enable the office to carry out inspections without prior warning to ensure effective compliance with the Data Protection Act. "It is important that these powers extend to the private sector as well as to government departments."
Graham Titterington, an analyst at Ovum said: "This incident is serious because of the large number of people whose information has been lost, and the level of personal information involved.
“While it may not include banking details, this is sensitive information that goes well beyond the level of personal information in the public domain. The incident demonstrates that this kind of event is just as prevalent in the financial services sector as it is in the public sector. In particular it is disappointing to see that organisations are still posting unencrypted CDs containing sensitive information."
Security vendors lined up to condemn the latest data loss incident.
Nick Lowe, Check Point’s regional director for Northern Europe said even a password-protected disc can be overcome fairly easily by an IT-literate person.
"In this sector, where information is highly sensitive, always-on strong encryption of data is the minimum protection that should be applied to laptops, discs and USB storage devices. Yet less than half of UK public and private companies have any data encryption deployed," said Lowe.
Brian Spector from document control specialist Workshare, said: "This blunder will cause significant damage to the bank’s reputation and is another example of the lax approach to data security that major organisations continue to take. Building and maintaining customer loyalty is a key concern for all banks given that customer churn is rife within the industry."
Matt Fisher, vice president, Centennial Software said: "On the rare occasion there is a real business need to transfer data of this nature to a third party, I would insist on the data being encrypted with a 256-bit cipher and that it was sent by a private courier (or preferably an employee) direct to its destination."