Banks and Your Data: Why it's Still Getting Lost
There have been several recent examples of data breaches in bank security, one of the areas of online security where you would expect control over data to be paramount. The loss and misdirection of customer account information has not been due to anything that users of online banking websites could have done; it is simply down to the banks' own systems perhaps not being as robust as they ought to be, and of course that old chestnut, 'human error'.
Which Banks Have Been in the News?
The most talked-about recent faux pas in data security has to be that of Santander, which was in trouble for sending sensitive account information to the wrong addresses at the end of 2010, after having been caught out for the very same thing before. It was discovered that 22,000 of the bank's customers had received bank statements containing personal information relating to another person's account. The banking giant has also been accused in the past of sending cash cards to the wrong customers, following mistakes in sending statements to the same recipients back in August 2010.
Santander blamed the mass bank account errors on printer problems and insisted that a breach of this magnitude was a one-off.
What Will Happen to Santander?
The bank is likely to face some pretty hefty fines for this total lapse of security, with an investigation currently underway and the likelihood of a multi-million pound fine for these Data Protection Act breaches.
The Information Commissioner's Office (ICO), the organisation in charge of regulating the handling of personal data, and the Financial Services Authority (FSA) are both said to be looking into the leak of 22,000 customers' details, and the FSA has historically been very strict when it comes to organisations not taking enough care with their customers' personal data. Insurer Zurich was fined £2.28m in August 2010 after it lost 46,000 of its policyholders' details. HSBC has also been hit hard with fines from the FSA, being ordered to pay £3m in 2009 for losing a disc containing 180,000 policyholders' details. By contrast, the maximum fine the ICO can impose is just £500,000.
Other Major Banking Security Breaches
HSBC, the UK's largest bank, is no stranger to data security problems. Unlike Santander, which managed to blame its problems on hardware, HSBC fell foul of the regulators in 2008 after a decision to send an unencrypted disc containing insurance information relating to 370,000 of its customers by unregistered post led to those very same details getting lost in the mail.
HSBC blamed the lapse on its usual method of secure electronic data transmission not working at the time, although it would be more accurate to say that posting the disc was simply a really bad idea.
HSBC played it down at the time, saying that all the lost data was password-protected and only included customers' names, details of their levels of life insurance cover, their dates of birth and whether they smoked. The bank added that there was nothing on the disc which could have in any way compromised customers and that it had no reason to believe the disc had 'fallen into the wrong hands'. It is worth noting that a password on an otherwise unencrypted disc is not the same as encryption: the password only gates the software that opens the files, while the underlying data remains readable to anyone who bypasses that software.
The Financial Services Authority (FSA) said in 2009 that this had not been an isolated case, and that customer data had been lost by HSBC companies in this way on two occasions. The three firms involved in the FSA investigation agreed to settle at an early stage in proceedings, which meant that they qualified for a 30 per cent discount on the fines they received; without it, they would have faced fines totalling more than £4.5m.