Wednesday, June 13, 2007

HBOS Loses Customer Data

HBOS's reputation for professionalism has taken another knock, as it emerged that it has lost a disc holding confidential data on 62,000 HBOS banking group mortgage customers.

As if this were not embarrassing enough, it transpires that the disc was not encrypted.

One wonders quite what their internal audit and IT departments are being paid for, if they do not have procedures in place to ensure that confidential data held on discs is encrypted as a matter of course.

Regrettably, for HBOS, this was not the first time that it has lost customer data. There was also a loss of data in March; we are assured that the second loss was "unrelated" because the data had gone missing in a different way.

So that's alright then!

This month's data breach included names, addresses, dates of birth and mortgage account numbers on a CD-ROM sent by HBOS subsidiary Bank of Scotland to a credit reference agency. It was reported missing when the agency did not receive the expected monthly dispatch of information.

The lost data would enable any self-respecting fraudster to have a "jolly time" doing what he does best, namely perpetrating identity theft.

An HBOS spokesperson said:

"The disc would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed. We apologise to our customers for this."

As if this were not bad enough HBOS, for some unknown reason, chose to send the data via the Royal Mail's ordinary service rather than a secure service. This invites theft, as the Royal Mail is notoriously prone to theft and losses.

HBOS said:

"That was a mistake on our part."

Quite!

In March, Halifax building society, another HBOS subsidiary, lost a printout containing data on 13,000 mortgages from an employee's car.

HBOS general manager for group communications, Shane O'Riordain, at the time said:

"Lessons have been learned. We are reviewing our procedures as a matter of urgency."

This was the same month in which HBOS, along with 11 banks, was ordered by the information commissioner to sign a formal undertaking to comply with Data Protection Act principles, after dumping customers' personal data in rubbish bins outside their premises.

HBOS now claims the following:

"Lessons have been learned and we have revised our procedures accordingly," he said. "The other incidents ... are all unrelated. One was the theft of a briefcase from an employee (which has been recovered) and the undertaking referred specifically to the disposal of confidential waste."

Given that banks are forever lambasting their customers over their handling of passwords and personal data, this series of events is pretty pathetic.

Sauce for the goose is evidently not sauce for the gander.
