In the latest in a series of examples of careless handling of personal data by governments and the private sector, British banking giant HSBC has admitted losing a computer disc with the details of 370,000 customers, according to a BBC News report.
The disc was lost in March after being sent by courier from the bank’s life insurance offices in Southampton to a reinsurer’s office in Folkestone, Kent.
As well as the name, date of birth and value of the insurance cover held by each customer, the disc also apparently revealed the customer’s policy number and whether or not the customer was a smoker.
Despite its reassurances, HSBC admitted that the data on the disc had not been encrypted, just controlled with simple password access, which is easily bypassed.
“We hold up our hands and say it wasn’t good enough,” the bank’s spokesman is quoted as saying. “The documents should have been encrypted.”
“The HSBC incident is just the latest example of careless behaviour by a big organisation regarding personal information,” says the BBC article, which goes on to quote other examples from recent news:
- A laptop computer with the personal details of more than 200 children was stolen from a medical centre in Shropshire.
- The Courts Service lost four CDs in the post with personal details from court cases.
- Information about nearly 600,000 people went missing when a Royal Navy officer had his laptop stolen from a car in Birmingham.
- Hundreds of documents from the Department for Work and Pensions containing sensitive personal data were found dumped on a roundabout in Devon.
- Nine NHS trusts in England admitted losing patient records covering hundreds of thousands of adults.
- 14,000 customer records were lost by the Skipton building society.
- Ministers revealed in December that, earlier in 2007, details of three million candidates for the British driving theory test had gone missing while being processed… in the USA!
“Organisations which process personal information must ensure it is held securely. This is an important principle of the Data Protection Act,” said the Information Commissioner’s Office.