Bank fined £3m for data loss

The Financial Services Authority has fined HSBC £3m for failing to properly look after its customers' information and private data. These failures to follow proper processes led to at least two losses of customer data. The FSA investigated the bank and found unencrypted customer details on open shelves and unlocked cabinets. …

COMMENTS

This topic is closed for new posts.
  1. James 5
    Big Brother

    Perhaps it's time...

    .. that large companies were legally required to state all of their convictions/fines etc. (for the previous 5 years) at the start of any advert in any media.

    They'd clean up their acts pretty damn quick then I guess.

  2. Anonymous Coward
    WTF?

    Thanks!

    The FSA have just ensured HSBC pass bigger fees onto customers...

  3. Anonymous Coward
    FAIL

    They are a joke

    Here is classic HSBC security.

    Ring Ring...

    Wife: Hello

    HSBC: Hello I'm calling from HSBC, is that Mrs X

    Wife: Yes.

    HSBC: OK: we need to confirm a few details before we continue

    Wife: Ok

    HSBC: Can you tell me your mother's maiden name.

    Wife: How do I know you are from HSBC

    HSBC: I am

    Wife: So you want me to give out personal information to a complete stranger on the phone.

    HSBC: Well I can't continue without this.

    Wife: Well, I'm not going to tell you that sort of info over the phone.

    HSBC: Well if you give me the long number on your card that will suffice.

    Wife: No. I'm not telling a complete stranger that.

    HSBC: (same crap as before)

    and so on and so on.

    Wife lodges official complaint with HSBC.

    Turns out it was a F**KING marketing call!

    Useless bunch of f**kwits!

  4. dunncha
    FAIL

    Hardly surprising with HSBC

    I recently had my card cloned and money stolen using a machine in Eastern Europe. When speaking to the Bank they of course blamed me for being careless with my card or using it in an obvious way.

    When I pointed out that my card had never been used in any cash machine or shop (it's the bills account, all of which are paid by standing order) they were rather stuck for words. Of course they would launch a full investigation into how my details got into the wild and get back to me.

    Haven't heard anything since.

  5. Rob Clive
    Happy

    Next?

    Ha, ha!

    They (the FSA) going to do HMRC next? After all £3M for 180,000 customers' details lost translates to £416M for the loss of 25 million details earlier this year. Oh I forgot: it's the government: they can do no wrong in IT, can they? Neither can they be fined; there's probably some terribly good reason.

  6. EvilGav 1

    At least . . .

    . . . it's not one of the banks we'd bailed out with government money.

    I'd hate to think that a fine from one part of government was being paid by another.

  7. Scott Broukell
    Alert

    Bank staff database

    If there was a database, with the personal details of each and every member of staff on it, such that in the event of a customer data security mash-up, said staff data would be posted up on the web for all to see. Maybe keeping that secure would provide the incentive to protect customer data?

  8. Anonymous Coward
    Happy

    @AC 22 Jul 09 10:56

    What would you propose instead then AC? HSBC may try to pass on their costs but are unlikely to keep customers if they do so.

  9. spezzer
    Thumb Down

    why am i not surprised?

    I've worked at various banks as a techie and still their control over data is non-existent. I would have thought after all the scandal a year or 2 ago they would have tightened up their acts but once employees have access to the data they can do absolutely anything they like with it. It's about time they introduced some kind of boundary that stops the data leaving the confines of the office. But no, it goes into email, onto sticks, it goes out on laptop, and I'm sure mostly for kosher purposes like working from home. But it's out the office and no longer under control. Time for change I would say!

  10. Anonymous Coward
    Grenade

    Yet another reason

    ...That I feel no sympathy for HSBC regarding the £36k mortgage they're never gonna see again. If they hadn't been such a bunch of pricks when I was in arrears I wouldn't be deliberately trashing the flat when I leave the country in a couple of months, and therefore might even have got their money back on it.

  11. Ken 16 Silver badge
    Pirate

    As a bank?

    ...can they get a government bail out for that or does the fine need to be bigger before that happens?

  12. Anonymous Coward
    Anonymous Coward

    And who pays....?

    And who pays the fine? WE do of course!

    These fines ought to be drawn directly from the personal accounts of the CEO and board. Then we might just get their serious attention. With the added bonus the general public might start losing the perception that there's one law for rich corporations and another for the rest of us.

    There's little doubt in my mind that a huge proportion of identity theft originates within the banking system, where in many cases attitudes to security are lamentable. Simple fines like this don't even begin to address the problem. Hit the banksters where it counts.

  13. EdwardP
    Flame

    Interesting...

    I wonder how innuendo could possibly affect the kind of innocent children this was designed to save.

    The whole point of innuendo is you're not explicitly saying anything naughty, you're tricking the listener into making the connections themselves, connections that your cotton-wool encased kids couldn't possibly make with their tiny uncorrupted minds.

  14. EdwardP
    Flame

    AHHH: MODS

    Wrong article :(

    Please delete last message, I'll put it on the correct story.

  15. Anonymous Coward
    Anonymous Coward

    Nothing to Hide, Nothing to Fear

    Why are you all so paranoid about secrecy and confidentiality? You really must be up to something.

    As an AC said, "Thanks!" FSA.

    Fines cost users and customers and are, effectively, an operating cost. Gaol time costs offenders. If the loss is a sufficiently serious breach of the law or ‘regulations’ then why penalise customers? The appropriate remedy is criminal penalty of prison and/or disqualification for directors and senior managers of enterprises. That includes Civil servants and other government officials. Restitution from annual profits (no accountancy provisions allowed!) before distribution to shareholders can be required to cover losses incurred to customers and others for data mismanagement.

    That being said, does the loss of a little bit of personal data really make that much difference these days when the Government intends to roll out an ID scheme & database where your data will be able to be legally purchased directly or, because the security will be so poor, purchased for a nominal sum from a 3rd party crook?

    Will offenders be imprisoned - look for the devil in an overcoat!

  16. Anonymous Coward
    Thumb Up

    Unsurprising

    A few years ago my company did a project with HSBC (for obvious reasons I won't go into details). In the course of development I found I had access to large amounts of customer data. I could even find people I knew.

    That was pretty serious. The funny part was watching our counterparts find themselves unable to do the required work because of "security" order from on high. Or, in reality, "box ticking."

    £3m? A banker's bonus, then.

  17. this

    Presumably

    the fine is taken from the bonuses of the management?

  18. Anonymous Coward
    Anonymous Coward

    @Stu

    I'm with the coop bank, if they call me I say sorry, but I'm not giving them details, they say that's fine, just call us back, you can get the number from our web site. I call them up and the person at the other end (usually) knows why I was called.

    However, I actually got into an argument with a guy from Vodafone when I tried this who refused to accept that he couldn't prove to me that he was from Vodafone. I've had scammers calling from Vodafone before and he wouldn't accept that I didn't trust he was who he said he was.

  19. Graham Marsden
    Grenade

    Why not....

    ... instead of fining the bank, fine the Directors. That should make them start taking this seriously!

  20. Tawakalna

    @Graham Marsden...

    "... instead of fining the bank, fine the Directors. That should make them start taking this seriously!"

    hear hear, well said that man!

    Incidentally, i got much the same from bl**dy Swinton's insurance the other day...

    "bring bring" (for i still have a GPO Type 743 pulse tine dial telephone)

    Hello?

    Hi is that Mr XXXXXX?

    Yes, who is calling please?

    This is Jenny from Swinton Insurance, first can i get you to confirm your name please?

    I just did. what do you want?

    Well I need you to confirm your name first?

    <sigh> I just did. why are you asking me to repeat what i just said?

    <flusters>oh erm well it's about a claim you made

    I haven't made a claim in 15 years, duck, that's why i have full no-claims bonus; so what are you ringing me for?

    Oh erm well I can't tell that until you confirm your name and address.

    But you are ringing me, and you obviously have no idea what you're talking about, so who the hell are you and why don't you confirm YOUR details and convince me that you are who you claim to be? you could be anyone. I wouldn't know, would I?

    Erm we're not allowed to give out personal details over the phone.

    Oh but you can ring me up unsolicited and expect me to give you all of mine, hmm? I_think_not.

    <satisfying click>

    Honestly the nerve of these people. I feel like having a good rant on BBC HYS except it's full of illiterate morons who can't string a sentence together.

  21. Sarah Bee (Written by Reg staff)

    Re: @Graham Marsden...

    >I feel like having a good rant on BBC HYS except it's full of illiterate morons who can't string a sentence together.

    Quick - give me five differences between here and HYS. No repetition, no hesitation, no deviation.

  22. Anonymous Coward
    Anonymous Coward

    FSA

    They couldn't manage the flow of shit in a toilet.

  23. Jimbo 6
    Flame

    From Reuters' coverage :

    "While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence," HSBC Insurance Managing Director Clive Bannister said.

    - So *how exactly* would someone who had had their identity cloned know that it was all down to some twunts at HSBC throwing confidential documents around like confetti? Do those swan-roasting card scammers now send the victim a full breakdown of how they got the personal details?

    Hopefully 'doing everything possible' will involve taking off and nuking the City from orbit. It's the only etc etc

  24. MikeWW
    FAIL

    No real surprise

    I used to have a HSBC credit card and one day decided to use their internet banking but couldn't find my details. So I rang them. After telling them my card number, name and post code (easily obtained from a statement or any other intercepted postal correspondence)

    HSBC: Please answer security question 1

    Me: Is it A?

    HSBC: No

    Me: Is it B?

    HSBC: No

    Me: Is it C?

    HSBC: No

    Me: Don't know then. They are the usual ones I use.

    HSBC: It's D

    Me: Oh.

    HSBC: Please answer security question 2

    Me: Is it E?

    HSBC: No

    Me: Is it F?

    HSBC: No

    Me: Is it G?

    HSBC: No

    Me: Don't know then. They are the usual ones I use.

    HSBC: It's H

    Me: Oh.

    HSBC: Please answer security question 3

    Me: Is it I?

    HSBC: No

    Me: Is it J?

    HSBC: No

    Me: Is it K?

    HSBC: No

    Me: Don't know then. They are the usual ones I use.

    HSBC: It's L

    Me: Oh.

    They then gave me all the details I needed to log in despite not answering any of the security questions correctly. I therefore decided to cancel my credit card.

  25. AchimR

    @dunncha

    I had the exact opposite with HSBC in that matter.

    I went out one day to get a gfx card for my linux box, but my card has been declined at the shop's terminals all the time. Checked an ATM, same thing.

    Went home, phoned 'em up and enquired about it, and they said they registered a suspicious transaction in Poland (where else...) and blocked both the transaction before it went through as well as my cards.

    Was surprised that they did that. From friends I heard they had to chase their banks around to get money back again which they lost in such frauds.

    That was with a regular account. Now having HSBC Plus, which they also advertise with enhanced security and all that bla, I expect that they act at least the same, though no issues at all yet so far.

  26. Tawakalna
    Joke

    Sarah..

    You can't say that I didn't hand you that one on a plate :) you can give me the fiver later, cash only, none of your dodgy Vulture-central claim-it-back-on-expenses cheques.

    I did go and have a rant on HYS afterwards, some working-class children were walking past my privet hedges in an unruly manner so after whining to the local bobbies i decided to rail against society's ills on HYS as i have been banned from Radio 4.

  27. Anonymous Coward
    Thumb Down

    Not enough

    The fine is tiny. HSBC will not even notice it in the trillions of £ that flow in and out every day globally.

    Also all the comments about passing on this fine to customers are rubbish. The bank has to remain competitive in the market place so the fees will always be "what they can get away with".

  28. N2

    5 differences between HYS & El-Reg

    1. You can use the word 'Fuck' - whereas HYS would probably be off line for several hours

    2. HYS is moderated by self-opinionated socialists, who publish comment they agree with, whilst El-Reg is regulated by Moderatrix Ms Bee - worshipped by many.

    3. HYS is prone to tech snags whereas El Reg enjoys better availability...

    4. HYS is prone to publishing stupid questions such as "Has Gordon Brown lost control of his party" This sort of garbage is irritating at best & poor reactive journalism - Readers recommend - Yes... (yawn)

    5. HYS seems over populated with people with too much time on their hands, El-Reg readers are always busy - even when not, they selflessly throw themselves at onerous tasks such as ensuring the MD's 100 Tb raid array packed full of porn does not fail...

  29. Anonymous Coward
    FAIL

    Inexcusable

    These fines are far too low, there are no prison sentences for the owners and therefore there is no incentive for other banks or financial organisations to clean up their acts.

    The least any business that finds it necessary to store the financial records of their customers should be required to do in this event is offer proper compensation to every customer affected.

    That doesn't mean a year of credit monitoring and an email providing links to Equifax and Transunion. That means paying the penalties these customers now face when they try to get loans or have their credit card interest rates jacked up because their credit is trashed.

    If the cost of a mortgage goes up 300 quid because a customer's credit rating is wrecked, then the bank should be forced to pay that customer 300 quid a month until they fix the problem.

    If the interest rate of a credit card goes up 10% the bank should be forced to pay the credit card bill for as long as it takes for the credit card bank to restore the previous rate.

    Prison sentences should match these time frames and should be handed out to everyone who sits in the board room or is a partner of the business that fails to secure the information of their customers.

    Suspension from being able to offer any sort of financial service to new customers until they've fixed the problems of their existing customers.

    Tell me this is too much and I'll say fuck you, if it was too much then we wouldn't see 100s of thousands of people put at risk every week by banks and other companies operating like cowboys in the financial industry.

    If they don't want to employ the people necessary to secure the data, they should be forced to pay the real penalty of losing it. Farming out tech to the lowest overseas bidder is fine as long as they are willing to face real consequences when it all goes to shit.

    Tell me why they should be free to keep operating when they just cost anything from 100,000 to 1000,000 people hundreds of pounds a month in interest rate costs, not to mention losing the ability to get new loans and stopping them from being able to buy a house.

    Alternatively we can just shut down any bank or pension company that violates simple data protection laws and move their customers to the banks or pension companies that know how to secure their data.

  30. Anonymous Coward
    Gates Halo

    RE: Perhaps it's time...

    No, I think that is a terrible idea that will just play into the hands of terrorists and paedophiles.

  31. steogede
    FAIL

    Re: Thanks

    > The FSA have just ensured HSBC pass bigger fees onto customers...

    That's what I thought at first, but then again; if HSBC pass on bigger fees, that makes them less competitive, which means fewer customers - so if they are wise, they may decide to take it out of the profits, which means less for the shareholders.

    No, I don't believe it either. We'll end up paying for their loss of our data. I would have preferred jail time for the execs, even if it was only a couple of weeks. Or personal fines (but they'd probably just give themselves a pay rise to cover it).

  32. Anonymous Coward
    Anonymous Coward

    @ Scott Broukell

    There are a couple of databases that could do the job... HR and payroll.

  33. Michael Dunn
    Pint

    @ steogede

    You lightly suggest a couple of weeks' gaol as adequate punishment - perhaps it would be, because it would then give the careless blighters a criminal record, which would ensure that they were no longer in a position to vote themselves pay rises or bonuses.

    This would, like the famous case of Admiral Byng, definitely encourage the others.

  34. Anonymous Coward
    Anonymous Coward

    Really now

    Ultimately it's up to the bank's customers to demand fair and competent treatment. And that's the *only* way you're ever going to get better banks. If instead you demand that your government does all your thinking and decision-making for you, you'll only ever get f'd in the a by incompetent bureaucrats and opportunistic businessmen.

    HSBC is awful at protecting their customers because HSBC's customers haven't been nearly skeptical enough about their protection. Yes, it's the sort of thing you don't want to think about because it means you have to "get involved" and "think" and "be a conscious consumer", and clearly there is a role for government in preventing criminal behaviour (like selling non-existent security), but in the end supply can only converge on actual demand. Which means we get what we deserve.
