International bank HSBC has been widely criticised within the finance and security industries for revising its estimate of the severity of a recent data loss incident.
After an employee stole a significant amount of client data from its Swiss bank in late 2006, HSBC originally claimed that only 10 customers were affected. It emerged last week that this figure was wildly inaccurate: more than 15,000 people were actually victims of the theft.
HSBC’s Alexandre Zeller said that his firm deeply regretted the way in which the situation was handled. He also attempted to assure customers worldwide that their private details would be protected as thoroughly as possible in the future.
Despite expressing remorse and promising action, HSBC’s inability to properly assess the damage caused by the security breach has angered many. Security expert Steve Moyle said that because this was an inside job that fully exploited employee privileges, it should be subjected to serious scrutiny.
Mr Moyle also said that HSBC acted irresponsibly by taking such an inordinate amount of time to publicise the full extent of the breach and questioned the veracity of its initial reports which claimed that only a handful of its clients were affected.
Industry observer Udi Mokady told V3.co.uk that the HSBC incident was symptomatic of a larger problem within the IT industry relating to employee accounts which remained unregulated, allowing unprecedented access to personal data.
The impact of data loss on businesses, whether perpetrated internally or externally, is calculated as running into the hundreds of millions of pounds, with a significant jump in the cost occurring between 2008 and 2009.
Businesses that become victims of data theft are urged by most authorities on the subject to work with the relevant investigative bodies from the outset. HSBC’s failure to do so has led to years of client data existing in a compromised state.
Although having a good contingency plan in the event of a data security breach is essential, most businesses will benefit from instigating preventative measures to thoroughly safeguard data and make theft harder in the first place.
PCI commentators and recent surveys have again reinforced the importance of the Payment Card Industry Data Security Standard, and highlighted the penalties and pitfalls of ignoring PCI DSS requirements. Writing for Infosecurity Magazine, independent security analyst Mark Gillespie collates and analyses recent findings that support and promote PCI DSS.
Gillespie identified the current confusion surrounding the application of and adherence to PCI DSS. Since its introduction in 2004 a number of big-name brands have incurred fines for improper protection of cardholder data. The highest-profile case occurred in 2007, when high street chain TK Maxx was penalised for a lack of adequate safeguards in its payment card system.
With data security being so important in today’s world, one would expect every organisation to take the utmost care when storing data. It may therefore come as a surprise that one of the world’s leading organisations has been found responsible for losing data on more than one occasion, and it has not gone unpunished.
If today’s economic climate isn’t applying enough pressure to HSBC then The Financial Services Authority most definitely is. The FSA has fined HSBC £3m for failing to properly look after its customers’ information and private business data. HSBC’s failure to follow procedure has led to at least two losses of customer data emphasising the fact that no organisation is too big to avoid scrutiny.
In this specific instance the FSA investigated the bank and found unencrypted customer details on open shelves and in unlocked cabinets, in breach of storage requirements. Customer details were also sent by post or courier to third parties, and staff were not trained to deal with the risks of identity theft.
With the technical advances of recent years, many vendors specialise in storing data in encrypted form. With so many solutions on the market, there is no excuse for an organisation of any size not to store and recover data securely, especially when financial penalties are in place.
HSBC’s data losses and poor practices were identified over a period of years.
In April 2007 HSBC Actuaries lost details of 1,917 pension scheme members. In July of that year HSBC Actuaries, along with two other subsidiaries, was warned by HSBC Group Insurance’s compliance department to sort out data security. But in February 2008 HSBC Life sent an unencrypted CD through the post containing details of 180,000 customers. The CD was lost.
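The point of the lost CD and the unencrypted shelves above is the same: the data was readable by whoever ended up holding it. As an added example (not from the original article and not HSBC’s own tooling), here is how a customer export could be sealed with AES-256-GCM before it leaves the building, so that a lost disc yields nothing without the key and a tampered disc is rejected rather than silently producing corrupted rows. The export label, the sample rows and the key handling are assumptions for illustration; the key would in practice come from a key management system and reach the recipient by a channel separate from the media.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ExportLabel is an assumed, illustrative name for the kind of file being shipped.
// It is authenticated (not encrypted) so a sealed file cannot quietly be
// re-purposed as a different kind of export.
const ExportLabel = "customer-policy-export-v1"

// SealExport encrypts plaintext with AES-256-GCM under key, binding label as
// associated data. Output layout: 12-byte random nonce || ciphertext || 16-byte tag.
func SealExport(key []byte, label string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenExport reverses SealExport. Any change to the nonce, ciphertext, tag or
// label, or use of the wrong key, makes gcm.Open return an error and no plaintext.
func OpenExport(key []byte, label string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed export too short to hold nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Fingerprint is the SHA-256 of the sealed file, to be sent to the recipient
// separately from the media so they can confirm they hold the intended file.
func Fingerprint(sealed []byte) string {
	sum := sha256.Sum256(sealed)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a tiny stand-in for a 180,000-row customer export.
	export := []byte(strings.Join([]string{
		"policy_no,name,dob,postcode",
		"P0001,A. Example,1970-01-01,AB1 2CD",
		"P0002,B. Sample,1965-06-30,EF3 4GH",
	}, "\n"))

	// Demo key only; never write it to the same disc as the sealed data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}

	sealed, err := SealExport(key, ExportLabel, export)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, fingerprint %s\n", len(sealed), Fingerprint(sealed))

	// A disc altered in transit fails authentication instead of decrypting to garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenExport(key, ExportLabel, tampered); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}

	plain, err := OpenExport(key, ExportLabel, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes, header %q\n", len(plain), strings.SplitN(string(plain), "\n", 2)[0])
}
```

Two design choices matter here. The label is passed as GCM associated data rather than stored alongside the file, so the recipient must know what they expect to receive and a file mislabelled or swapped for another export will not open. The fingerprint is communicated out of band: it does nothing cryptographically that the GCM tag does not already do, but it gives the sender and recipient a value to compare over the phone, which is the check that would have shown the February 2008 disc never arrived at all.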
HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.
Margaret Cole, director of enforcement at the FSA, said: “These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details.”
This makes us wonder how other organisations are storing data: are they mishandling customer and business data in the same way? How many others are passing under the radar with inadequate data storage procedures?