HSBC loses customers' data disc

HSBC says no bank account details have been lost

The HSBC banking group has admitted losing a computer disc with the details of 370,000 customers.

The disc was lost four weeks ago after being sent by courier from the bank's life insurance offices in Southampton.

The customers' details included their names, dates of birth, and their levels of insurance cover.

However, there were no addresses or bank account details and HSBC said the customers' exposure to potential fraud was limited.

"We are looking into it and basically it has got lost from A to B," said an HSBC spokesman.

"The reinsurer we sent it to is doing a thorough search for the disc. We will do anything we can to find it."

"There are no financial details there in terms of banking details. There are no address details or anything like that," he added.

As well as name, date of birth and value of the cover, the documents revealed only the customer's policy number and whether or nor the customer was a smoker.

Fines

The Financial Services Authority (FSA) has been informed of the data loss and is likely to mount an investigation.

In the past year, both the Nationwide building society and the Norwich Union insurance company have suffered heavy fines and public reprimands for not looking after customer details properly.

We hold up our hands and say it wasn't good enough HSBC spokesman

In the most spectacular example yet of data loss, last year the HM Revenue and Customs (HMRC) lost some computer discs while in transit between London and Newcastle.

These contained the entire child benefit data base, covering 25 million claimants, including full bank and building society details.

The discs have not yet been recovered.

Last month a committee of MPs, the Joint Committee on Human Rights, said the government had "persistently failed" to take data protection sufficiently seriously.

No encryption

Despite the reassurances from HSBC, the bank admitted that although the data on the disc was protected by a password it had not been encrypted.

A bank spokesman explained that normally the data on its life insurance customers was sent to its reinsurance firm in Folkestone by an electronic link.

On this occasion, in the middle of February, this link was not working, so instead the data was downloaded onto a disc and sent by the bank's normal postal service operated by the Royal Mail.

"We hold up our hands and say it wasn't good enough," said the spokesman.

"The documents should have been encrypted," he added.

The bank will shortly be writing to all the customers while it investigates the loss along with the reinsurance firm.

Similar losses

The HSBC incident is just the latest example of careless behaviour by a big organisation regarding personal information.

Since the loss of the child benefit data by the HMRC last November, similar losses have been happening every month.

Recent failings include:

• Laptop computer with the personal details of more than 200 children was stolen from a medical centre in Shropshire.
• The Courts Service lost four CDs in the post with personal details from court cases.
• Information about nearly 600,000 people went missing when a Royal Navy officer had his laptop stolen from a car in Birmingham.
• Hundreds of documents from the Department of Work and Pensions containing sensitive personal data were found dumped on a roundabout in Devon.
• Nine NHS trusts in England admitted losing patient records covering hundreds of thousands of adults.
• Details of 14,000 customer records were lost by the Skipton building society.
• Ministers revealed in December that, earlier in 2007, details of three million candidates for the driving theory test had gone missing while being processed in the US.

The Information Commissioner's Office (ICO) took a dim view of this latest data loss.

"Organisations which process personal information must ensure it is held securely. This is an important principle of the Data Protection Act," it said.

"In recent months there have been a number of incidents of data losses in the public sector. This case demonstrates that data protection must also be a priority for the private sector.

"Once the ICO has heard from HSBC about the outcome of their investigation we will decide what, if any, further action is needed on our part," it added.