Missing U.K. bank customer data was not encrypted
It should have been, and it shouldn't have shipped via regular mail either
Computerworld UK - A lost disk holding confidential data on 62,000 HBOS banking group mortgage customers was not encrypted -- although it should have been, the bank has admitted.
The bank had promised to learn lessons and overhaul its procedures after a similar loss of customer data in March, but said the second loss was "unrelated" because the data had gone missing in a different way.
This month's data breach included names, addresses, dates of birth and mortgage account numbers on a CD-ROM sent by HBOS subsidiary Bank of Scotland to a credit reference agency. It was reported missing when the agency did not receive the expected monthly dispatch of information.
An HBOS spokesperson confirmed: "The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed. We apologize to our customers for this."
The bank also confirmed that although disks were usually sent out using a secure post service, the missing disk had been sent through the Royal Mail's standard service. "That was a mistake on our part," the spokesperson said.
In March, Halifax building society -- another HBOS subsidiary -- apologized to 13,000 mortgage customers after a computer printout of their records was stolen from an employee's car.
After the Halifax incident, HBOS general manager for group communications Shane O'Riordain promised: "Lessons have been learned. We are reviewing our procedures as a matter of urgency."
In the same month, HBOS was among also among 11 banks ordered by the information commissioner to sign a formal undertaking to comply with Data Protection Act principles, after dumping customers' personal data in rubbish bins outside their premises.
The information commissioner threatened to take further action -- including possible prosecution -- if the conditions were not met.
But asked how the Bank of Scotland customer data could be lost when the HBOS was supposed to have tightened security procedures after the Halifax security breach and the information commissioner's probe, the spokesperson said the latest incident was different.
"Lessons have been learned and we have revised our procedures accordingly," he said. "The other incidents ... are all unrelated. One was the theft of a briefcase from an employee (which has been recovered) and the undertaking referred specifically to the disposal of confidential waste."
The bank has reported the lost CD to both the Financial Services Authority and the information commissioner.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!