HSBC was fined £3m by city watchdogs yesterday after the banking group admitted losing confidential data on tens of thousands of its insurance policyholders.
The company twice lost unencrypted discs containing confidential information on policyholders. The second, more serious loss came despite a warning from the bank's own compliance department of the need for robust data security controls.
In that incident a CD that contained details of 369,000 policies, putting at risk the personal information of 180,000 people, was lost in the post. The data included names, ages, sex, dates of birth, smoker status and policy numbers, along with the same details for joint policy holders, as well as premiums and sums assured.
The earlier failure saw a floppy disc – again unencrypted – containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers, going missing after being put in the post by HSBC Actuaries.
The losses, in April 2007 and February 2008, came at a time of mounting public concern over data security after a series of failings by the Government. In the worst incident, HM Revenue and Customs lost the details of 25 million child benefit recipients in 2007.
The FSA found that HSBC routinely sent such discs through the post without paying for recorded delivery.
It also found that unencrypted electronic copies of more than 740,000 "live" policies and over 1 million "non-live" policies at HSBC Life were kept in unlocked filing cabinets. Similar failures were found at HSBC Actuaries and HSBC Insurance Brokers.
The watchdog said HSBC's failings represented "a material risk" to its objective of reducing financial crime.
Margaret Cole, director of enforcement at the FSA, sharply criticised the company, saying: "These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.
"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details."
She warned other firms that if they fail to act in areas where the FSA wants to see improvement they too can expect heavy fines.
HSBC agreed to settle early; otherwise it would have paid more.
Clive Bannister, group managing director of HSBC Insurance, said: "We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret. While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence."