HSBC issued a public apology to 370,000 insurance customers yesterday after the bank lost a computer disk containing their personal information.
The banking giant tried to reassure the customers that the data would be of little or no use to criminals. The data includes names, life insurance cover levels, dates of birth and whether or not a customer smokes but no addresses or bank account details.
HSBC said the disk held no other sensitive information and that there was no sign that it had fallen into the wrong hands. The Financial Services Authority is monitoring the situation and could fine HSBC as part of a wider crackdown on data security at financial companies. HSBC's lapse comes just before the watchdog issues a report on the subject this month.
The disk was reported missing in mid-February when it failed to arrive at Swiss Re, which reinsures the risk on the policies, from HSBC's insurance office in Southampton. HSBC would normally have sent the data using a secure digital link but the technology did not work and a disk was sent instead by Royal Mail courier.
HSBC is investigating why the office sent the disk instead of simply waiting for the technology to work again. The disk was password-protected but not encrypted; encryption would have made it more secure. The bank declined to say whether it had suspended any staff.
"HSBC would like to apologise to its life assurance customers for any concern this may cause them. Each customer will be contacted shortly and a thorough investigation into this matter is under way," the bank said.
HSBC said it believed the disk got lost before reaching Swiss Re, although the reinsurer is said to be conducting a search just in case. Royal Mail said it would be happy to help with any investigation by HSBC but that it was unaware of being contacted by the bank.
The FSA said: "We look to the senior management of firms to ensure the firm has put in place effective systems and controls to manage risk such as information security."
HSBC has already been hit by a £1.1m FSA fine this year. The bank's HFC unit received the punishment in January because of poor procedures for selling payment protection insurance.
The FSA has meted out heavy punishments to two household names for data lapses since the start of last year. Norwich Union Life was fined £1.26m in December for systems failures that allowed fraudsters to impersonate customers and get sensitive information from call centres. In February last year, Nationwide received a £980,000 fine for lax security procedures that came to light after a laptop was stolen.
In November, HM Revenue and Customs admitted it had lost personal details of every family in Britain with a child under 16.