Companies must be made to pay the price for losing customer details
If you are a Brit living in Bermuda who still holds an HSBC bank account in the UK, then you had better check your pockets.
The bank became the latest institution to admit losing personal data. HSBC this week said it had lost the personal details of 370,000 customers in the post. A bank employee sent an unencrypted disc containing the details to Swiss Re in Switzerland by unregistered mail.
While the UK's Financial Services Authority (FSA) will now investigate HSBC, this latest incident made me wonder just how often such information losses occurred in the past.
I mean, here is a big bank that should know better, and should have the procedures in place to prevent such an incident. This is occurring in an age when many countries have a data protection commissioner and laws regulating the passing on of personal information.
Yet despite this awareness of the problem, a big bank is still making all the right moves for identity thieves. The only reason we probably know of this incident, and others in the US, is because companies are now required to publicly report when they have lost information, and tell those whose information has been lost.
With such lax procedures in place now, I wonder how often data loss occurred before the new laws, and how often such incidents went unreported. This is a scary thought.
What is worse in the case of HSBC is the delay in reporting. The bank discovered the loss after Swiss Re reported in mid-February that it had not received the disc. The BBC only reported the loss on April 7.
HSBC said it had informed the FSA about the loss, but I do not know when, or how long it took to tell its clients. You will not find the company's apology on the group's UK or corporate websites, nor a press release on the incident on either site.
In December the FSA fined Norwich Union £1.26 million for lacking effective data protection controls. Norwich's mistake had allowed fraudsters to steal customers' details and cash in £3.3 million worth of policies. The FSA also fined Nationwide bank £980,000 last year after an employee had a laptop containing customer details stolen from his home.
All I can say is keep fining them until they stop losing data. Especially so as Symantec this week released its twice-yearly Internet Security Threat Report, indicating that bank account details were the data most sought after by criminals.
The security firm reported that underground economy servers are being used as black market forums by criminals and criminal organisations to advertise and trade stolen information and services, typically for use in identity theft.
Over the last six months of 2007, Symantec observed that data related to identities, credit cards, and financial details accounted for 44 per cent of the goods advertised on such servers.
Bank accounts were the most commonly advertised item for sale, accounting for 22 per cent of all items.
Here is what such information costs, according to Symantec. Credit card details cost between 40 cents and $20; bank accounts $10 to $1,000; full identity information $1 to $15; eBay accounts $1 to $8; and email passwords $4 to $30. A megabyte of email addresses will cost you from 83 cents to $10.
Generally the rarer the credit card the higher the price, Symantec noted.
Identities were also available at bulk rates, at $100 for 50 items. Full identities were the third most common item advertised for sale, making up nine per cent of all advertised goods.
Batten down those security hatches and watch yourself out there.
Send any comments to elamin.ahmed@gmail.com