Three companies of the global banking giant HSBC have been fined nearly £3.2m for failing to ensure proper protection of their customers' personal data.

The Federal Services Authority (the FSA) reported repeated cases of HSBC sending "large amounts" of unencrypted confidential customer data by post or courier, and of information being left on open shelves or in unlocked cabinets. The FSA characterised the storage and transmission of data on unencrypted media as careless handling of customers' personal information and as the absence of an adequate identity protection system.

As the FSA reports, the first case (April 2007) involved a lost floppy disk holding the unencrypted personal data of 1,917 pension scheme members, including their addresses, dates of birth and national insurance numbers. The second case was a lost CD containing the personal details of 180,000 policyholders. In both instances the confidential data had been stored on unencrypted media.

The three companies responded immediately to the concerns raised, expressed strong regret over the incidents and promised to take all necessary corrective and preventive actions to address the issue. Although HSBC stated that no customer complaints had been linked to losses arising from this failure, the FSA believes the consequences could have been far more serious had the information fallen into the wrong hands.

The FSA describes such cases as showing a disturbing lack of awareness on the companies' part of the importance of ensuring the adequate safekeeping and protection of personal information. The case illustrates that information security must be ensured not only through human responsibility but also through technology.