Missing U.K. bank customer data was not encrypted
It should have been, and it shouldn't have shipped via regular mail either
Computerworld UK - A lost disk holding confidential data on 62,000 HBOS banking group mortgage customers was not encrypted -- although it should have been, the bank has admitted.
The bank had promised to learn lessons and overhaul its procedures after a similar loss of customer data in March, but said the second loss was "unrelated" because the data had gone missing in a different way.
This month's data breach included names, addresses, dates of birth and mortgage account numbers on a CD-ROM sent by HBOS subsidiary Bank of Scotland to a credit reference agency. It was reported missing when the agency did not receive the expected monthly dispatch of information.
An HBOS spokesperson confirmed: "The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed. We apologize to our customers for this."
The bank also confirmed that although disks were usually sent out using a secure post service, the missing disk had been sent through the Royal Mail's standard service. "That was a mistake on our part," the spokesperson said.
In March, Halifax building society -- another HBOS subsidiary -- apologized to 13,000 mortgage customers after a computer printout of their records was stolen from an employee's car.
After the Halifax incident, HBOS general manager for group communications Shane O'Riordain promised: "Lessons have been learned. We are reviewing our procedures as a matter of urgency."
In the same month, HBOS was among also among 11 banks ordered by the information commissioner to sign a formal undertaking to comply with Data Protection Act principles, after dumping customers' personal data in rubbish bins outside their premises.
The information commissioner threatened to take further action -- including possible prosecution -- if the conditions were not met.
But asked how the Bank of Scotland customer data could be lost when the HBOS was supposed to have tightened security procedures after the Halifax security breach and the information commissioner's probe, the spokesperson said the latest incident was different.
"Lessons have been learned and we have revised our procedures accordingly," he said. "The other incidents ... are all unrelated. One was the theft of a briefcase from an employee (which has been recovered) and the undertaking referred specifically to the disposal of confidential waste."
The bank has reported the lost CD to both the Financial Services Authority and the information commissioner.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!