Missing U.K. bank customer data was not encrypted

Computerworld UK - A lost disk holding confidential data on 62,000 HBOS banking group mortgage customers was not encrypted -- although it should have been, the bank has admitted.

The bank had promised to learn lessons and overhaul its procedures after a similar loss of customer data in March, but said the second loss was "unrelated" because the data had gone missing in a different way.

This month's data breach included names, addresses, dates of birth and mortgage account numbers on a CD-ROM sent by HBOS subsidiary Bank of Scotland to a credit reference agency. It was reported missing when the agency did not receive the expected monthly dispatch of information.

An HBOS spokesperson confirmed: "The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed. We apologize to our customers for this."

The bank also confirmed that although disks were usually sent out using a secure post service, the missing disk had been sent through the Royal Mail's standard service. "That was a mistake on our part," the spokesperson said.

In March, Halifax building society -- another HBOS subsidiary -- apologized to 13,000 mortgage customers after a computer printout of their records was stolen from an employee's car.

After the Halifax incident, HBOS general manager for group communications Shane O'Riordain promised: "Lessons have been learned. We are reviewing our procedures as a matter of urgency."

In the same month, HBOS was among also among 11 banks ordered by the information commissioner to sign a formal undertaking to comply with Data Protection Act principles, after dumping customers' personal data in rubbish bins outside their premises.

The information commissioner threatened to take further action -- including possible prosecution -- if the conditions were not met.

But asked how the Bank of Scotland customer data could be lost when the HBOS was supposed to have tightened security procedures after the Halifax security breach and the information commissioner's probe, the spokesperson said the latest incident was different.

"Lessons have been learned and we have revised our procedures accordingly," he said. "The other incidents ... are all unrelated. One was the theft of a briefcase from an employee (which has been recovered) and the undertaking referred specifically to the disposal of confidential waste."

The bank has reported the lost CD to both the Financial Services Authority and the information commissioner.