The City watchdog has hit three HSBC firms with fines totalling £3.2 million after losing the details of thousands of customers in the post and putting them at risk of identity fraud.
HSBC Life lost an unencrypted CD with the details of 180,000 policy holders, while HSBC Actuaries lost a disc with data on almost 2,000 pension scheme members, the Financial Services Authority (FSA) said.
HSBC Insurance was also fined by the FSA.
The regulator's enforcement director Margaret Cole said: "All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals."
Confidential information on customers was also left on open shelves and unlocked cabinets and could have been lost or stolen, while staff were not given enough training on the threat of identity theft, the FSA added.
The security breaches came despite a warning from HSBC Insurance's compliance team over the need for robust data controls in July 2007.
The details of the pension scheme members were lost in April 2007, while the second mishap involving 180,000 policy holders happened in February 2008.
Ms Cole added: "It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details.
"Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat."
HSBC co-operated with the FSA investigation and received a 30 per cent discount from the potential maximum fine of £4.55 million.