The 'local bank' loses 370,000 customers' details

HSBC admits the data disk lost in a security breach may never be recovered


The largest bank in the UK, HSBC, has admitted that it may never find the disk that contained the details of thousands of its customers.

The "world's local bank" sent 370,000 customers' details in the post from HSBC's life offices in Southampton to Swiss Re in Folkestone in February.

The bank added that it is putting together customer communications and letters are going to be sent out shortly.

HSBC said that the disk, which was password protected but not encrypted, would "normally" be sent electronically, but was sent through the mail when it could not be sent using this method.

HSBC apologised for the breach. Candice Durrett, HSBC's media relations executive, said: "The data disk lost by HSBC contains no address or bank account details for any customer and would therefore be of very limited, if any, use to criminals.

"The data, which was password-protected, includes names, life insurance cover levels, dates of birth and whether or not a customer smokes. There is nothing else that could in any way compromise a customer and there is no reason to suppose that the disk has fallen into the wrong hands."

A spokesperson for the Information Commissioner's Office said: "Once the ICO has heard from HSBC about the outcome of their investigation we will decide what if any further action is needed on our part."

Peter Wood, chief of operations for computer security firm First Base Technologies and adviser to Scotland Yard, the government and a number of large corporations, said: "Putting disks in the post is not satisfactory. For best practice it needs to be delivered on a signed-for basis and the content needs to be encrypted for best practice and it is easy to do. A password is not good enough because of the availability of password recovery software. Using a password is trivial as a form of protection."

The FSA said that it could not comment specifically about HSBC but it expects banks to have effective controls to manage information risks. HSBC could face a huge fine from the FSA. Last year the regulator levied a fine of almost £1m on the largest building society in the UK, Nationwide, for failing to "have effective systems and controls to manage its information security risks" after a laptop was stolen from an employee's home in August 2006.

Norwich Union Life was handed the eighth largest fine in the history of the FSA following poor security checks at call centres. The breach allowed fraudsters to impersonate customers and cash in their policies, leaving customers with a £3.3m loss through identity fraud. The regulator fined Norwich Union £1.26m. Last month Skipton Financial Services lost the personal information of its 14,000 customers and the Information Commissioner's Office found it in breach of the Data Protection Act.

One of the largest security breaches happened last November when HM Revenue and Customs lost the details of 25m child benefit recipients on two disks. It resulted in an Independent Police Complaints Commission investigation and the resignation of Paul Gray, the chairman of HMRC.


