HSBC pops thousands of customer details in the post

HSBC has admitted that it has misplaced 370,000 customer details, which were put in the post a month ago on an unencrypted disc. The envelope has not arrived at its intended destination - a reinsurance firm. A spokesman for HSBC told the Reg: "We have sent a disc to our reinsurers which they never received. The disc was not …


This topic is closed for new posts.
  1. M Brown

    I know

    Why not just set up a website where you can plug in any name and bring up any details you want of anybody? Surely that will save these companies time. No need to even pretend to give a rat's ass about privacy policies then. Seriously, I'm disgusted these people can even be trusted with our data

  2. Craig

    Why not just set up a website where you can plug in any name

    It's called isn't it?

  3. This post has been deleted by its author

  4. Jay


    Strange thing here is HSBC normally send all their business post by same-day courier just so it's always secure. Looks like someone has really screwed up.

  5. Anonymous Coward

    @M Brown

    MySpace, FaceBook, FriendsReunited... Take your pick.

    I firmly believe this is part of the plan. HM Govt (and now financial institutions) lose your personal data, and Gordo and his yes-men steamroll out National ID cards as the only "secure" way to identify yourself.

    I've no doubt I'm overly paranoid, but not on this issue.

  6. Jonathan

    Who's the idiot?

    Not only is it not encrypted, but they send it through Royal Mail. Why not just hire a courier, or send someone in a taxi?

    Fools, I hope they get a big fine for this. There is no reason for this to happen. They could have used encryption or a more secure transfer mechanism, but no, they decided to save a little money.

  7. Steve Woods

    Password protection

    “The disc was apparently password-protected, but this can be overcome fairly easily by an IT-literate person."

    For those without John the Cracker, the password can presumably be obtained by reading the post-it note stuck on the CD cover, if previous revelations of British IT security procedures are to be believed.

    Mine's the one underneath the pointy hat marked with a large capital D.

  8. James Dunmore

    I don't get it.....

    "Our electronic transfer system was down that day, so we sent it in the post"

    (or whatever it said)

    Surely it would have been quicker to wait for that system to come back up!!?

  9. Trotsky

    Conspiracy theory?

    Imagine you are running a spying operation and wanted access to the HSBC's data.

    1. Hire an insider

    2. Figure out that if you cause "network issues" on a specific day then the relevant data will be transferred by post

    3. Figure out how to intercept the post.

    There comes a point where you have to wonder if the regularity of these "lost in the post" type incidents have more sinister forces behind them.

  10. Robin


    I'm wondering how HSBC know whether I smoke or not...

  11. Anonymous Coward

    Put them in prison

    It's time to start putting people in prison for such serious neglect. Perhaps that will focus the minds of those entrusted with such valuable information.

  12. Simplepieman

    A regulator with teeth?

    >> HSBC has told the Financial Services Authority what happened. The FSA fined Nationwide £980,000 for breaching customer privacy last year by losing a laptop containing customer information. ®

    Wow, a regulator with teeth. Whilst Ofcom fail to grasp the concept of anti-competitive pricing plans and hidden terms and the ICO pander to the ISPs and Phorm over RIPA it's nice to see someone taking our personal data seriously.

  13. Simon Neill

    "but no, they decided to save a little money"

    of course they did. We are talking about the only bank I have ever been to where I have to remember to bring my own pen. Seriously.

  14. amanfromMars Silver badge

    HSBC ..... just can't get the Quality Economic Head Office staff

    Now losing data is always a good excuse to hide losses behind ...... We woz swindled is always going to sound better than we woz swindling.

    "The complication with the banks is, of course, that they make profits for their shareholders but equally provide benefits for society as a whole (it's difficult for any economy to function without a credit system).".....

    Stephen King is managing director of economics at HSBC

    Typical of the less than candid breed which infests the scam economy and onanistic business of Banking, Mr King just cannot resist substituting the word credit for its true worth and meaning, debilitating debt. I would agree though that it's difficult [and some would posit, impossible] for any economy to function without a credit system.

    QuITe obviously something which we cannot expect to see being implemented by present HSBC Management Direction as they continue to flog the dead horse of their pie-in-the-sky business model.

    And that sentence of his is very, and probably deliberately misleading/misspoken, for it would be much more accurate to say, surely ...... The complication with the banks is, of course, that they make profits from their shareholders but unequally provide benefits for society as a whole (it's difficult for any economy to function without a credit system).

  15. Anonymous Coward

    "The system is down"

    Wtf does that mean? You can't find someone who can use scp? Or DropSend's had a funny 5 minutes?

  16. this


    if they get fined, who pays for it? (me)

  17. Richard
    Black Helicopters

    It's going to keep happening

    Until someone gets some jailtime, a whopping great fine or (better yet) a ban from doing business here. Especially with regards banks - surely data safety should be a condition of a banking licence.

    I vaguely recall that solicitors & the like have a dedicated post service for legal documents. It's about time that the banks were forced into the same sort of thing.

    Black helicopters - not just for heists!

  18. Anonymous Coward

    It's the Muppet Factor.

    The Muppet factor can be calculated thus.

    Everyday procedure fails, causes confusion.: Confusion 10 Points.

    (Panic scores higher)

    Delegatory irresponsibility (ie telling a known moron to do something important): 40 Points.

    Moron Rating : 40 Points (" thick as two short planks" rating )

    This gives 90 points, a nice high MF!

  19. Mat

    I'll be interested to see

    what punishment the FSA metes out to HSBC; 370,000 << 20,000,000

  20. Chris Miller

    Fines don't work

    Not for large PLCs like HSBC. They make billions in annual profits (except when they're pissing it away on US sub-prime mortgages).

    Fine the directors. Make them personally liable. Make them sell their Bentleys and second homes in Cap Ferrat. Ban them from holding directorships for 10 years. Then we'll start to see a difference.

  21. Mike

    Is that everyone now?

    Or have they missed anyone of the 65m population?

    I hope they send the MPs expenses documents by Royal Mail...

  22. Red Bren


    They will probably face a fine, but it will be a drop in the ocean compared to their huge annual profits and the money will go back to the government rather than the victims.

    At the very least, companies (and governments) that lose data like this should be ordered to pay compensation equivalent to 10 times the cost of encryption software to each and every victim, in cash and not offset against other debts the victim might have. That might drive home the message that penny pinching on encryption for even one customer's data just isn't worth it.

  23. Steve Sutton
    Black Helicopters

    Where the hell...

    do a bank get information on the smoking habits of 370000 people? What purpose do that have being in possession of this information? Holy shit, what is privacy and data protection coming to?

  24. Andrew Smith

    I can't wait for the day

    when the Govt. asks for the data to fill the National ID database. Do you think they will ask for multiple copies of the CDs to be sent in, to take into account how many CDs go missing in the post.

    Seriously, who the hell is advising these companies that sending data on CD by the post is the best solution to the problem of transferring data? How hard would it be to electronically transfer the data securely.

  25. Jay

    I wonder..

    how long it took HSBC to tell the FSA considering their offices are about 5 minutes walk apart?

  26. Anonymous Coward
    Black Helicopters

    I put this on the e-crime thread but figured it was pertinent here too

    Last week I received an email from one of our clients (a bank, not HSBC) with the passwords for 5 zip files of client data (their current security policy dictates that emails are secure). The following day I received 5 CDs via courier containing the zip files (of about 3M each so god knows why 5 CDs), plus to be extra helpful they'd included the passwords on a post-it note stuck to the front of each CD case.

    If anyone wants to know why data crime is rife then look no further than the banks themselves. They implement data security policy which no one bothers to follow. We've set them up password protected HTTPS upload functionality and SFTP connections but apparently it's not covered in their current security documentation so zip encrypted CDs with post-its are the way forward.

  27. Mike Crawshaw

    @ Trotsky "Conspiracy Theory"

    "Imagine you are running a spying operation and wanted access to the HSBC's data.

    1. Hire an insider

    2. Figure out that if you cause "network issues" on a specific day then the relevant data will be transferred by post

    3. Figure out how to intercept the post."

    You forgot:

    4. ?????

    5. Profit!!!!

  28. George Johnson

    Fines? Don't make me laugh!

    What's a £980k fine to a bank? Sounds like the total bill for the directors' lunches that day! HSBC must turn £1M in interest in the space of minutes if not seconds.

    As people have said previously, the only way to get some justice is to haul the directors off to clinkey for a few months. Perhaps they'll soon learn the value of privacy when they have it taken away. Additionally they may also learn the value of soap-on-a-rope, but most of them coming from public schools anyway, they probably already do!

  29. Anonymous Coward

    Why the confusion about smoking habits?

    Steve Sutton and Robin -

    Why are you surprised that they know about smoking habits? The data was sent to a reinsurance company. Life insurance (for example) costs more if you smoke.

    Annuities, on the other hand, are cheaper.

  30. Anonymous Coward
    IT Angle

    HSBC, reinsurers - security issues - that rings a bell somewhere

    Well if I was a name on that one, I'd be like raising HSBC's rate given their clear security issues. But hey I'd have had small print to cover such events.

  31. Greg

    @Steve Sutton

    "Where the hell... a bank get information on the smoking habits of 370000 people?"

    It was life insurance details, right? I'm imagining HSBC ask a few health questions of their life insurance members before signing them up, and smoking is probably first in the list.

  32. Anonymous Coward


    "do a bank get information on the smoking habits of 370000 people?"

    Probably when people ask for a quote for insurance (health or household).

    Many Insurance businesses are owned by banks.

  33. Anonymous Coward

    No smoke without...

    Seriously have us reg readers stopped actually reading the articles now?

    1. The data was for life insurance; so yeah they want to know if you smoke.

    2. The ICO has feck all to do with RIPA.

    /Mine's the one with the big stick with a nail, yeah that's it, the one marked "Clue"

  34. Jon

    Re: Where the hell... (@Steve Sutton)

    "Where the hell do a bank get information on the smoking habits of 370000 people? What purpose do that have being in possession of this information? Holy shit, what is privacy and data protection coming to?"

    I work for a reinsurance company, so perhaps I can answer this.

    HSBC sell life insurance[1] to their customers. It may not be their major product but it still brings in a pretty huge amount of revenue. However, there is risk attached to this, in particular the risk that claims may vary wildly year-on-year - a company doesn't like this because it makes their balance sheets look bad. So they offload part of the risk to a reinsurer, for a price which is set by the reinsurer.

    The insurance company wants the best possible price, so they ask several reinsurers to quote rates. In order for the reinsurers to quote the best possible rates, they need the best possible data on all policies and all claims. In particular, we need sum insured, date of birth, date of policy start, date of policy end (if it has a fixed term), sex and smoker status.[2]

    So, HSBC had the data because they were given it on life insurance application forms. They had to send it to the reinsurers because they wanted a good price[3]. But sending it via Royal Mail is inexcusable.

    [1] This explanation also applies to all sorts of other insurance policies (eg. Critical Illness) but, for the sake of simplicity, I'll only talk about life insurance.

    [2] Yes, these are the only factors we look at when setting rates - any medical conditions you might have are dealt with separately and in a much simpler way.

    [3] OK, there are a number of other possibilities - for example, that they already have a reinsurance arrangement in place with this reinsurer and were just sending a quarterly update - but they all start from this basic scenario.

  35. Richard L


    Having worked for a few banks (not HSBC), it probably comes down to someone just putting the disk in an envelope - most staff don't usually make use of couriers themselves and the senior manager's PA who normally books them was off sick, so they just put it in the 'Out Mail' tray, or if they were feeling particularly diligent, dropped it off at the Post Office but didn't send it 'Registered' as it'd be too much hassle to get the expenses reimbursed.

    Doesn't excuse why it was sent through the mail, but I can fully understand how.

  36. bambi

    Free smokes

    Just waiting for my spam mails to start flooding in when this data gets 'found'.

  37. Fluffykins Silver badge

    Fines - It's all relative.

    £100 for the Bloke in the Street hurts a bit. £100 for HSBC is below noise.

    £5000 for me is painful for the Bloke in the Street £ 5000 for HSBC is still below noise.

    £1m for the Bloke in the Street is stupid. £1m for HSBC might hurt a little.

    Make the hurt in proportion to the money available: Fine a % of the latest profit figure.

    If the Bloke in the Street is on, say, £2k a month (24k a year) takehome pay, a £5k fine is about 20% of his net annual income and will HURT!

    What's 20% of £20,000,000.

    OOoh it's lots.


  38. Anonymous Coward


    There is no way that this should have ever happened. "The link was down" is not an acceptable excuse; the company that I work for (a large UK bank) won't allow its data to be moved around (on any media) without two full time employees accompanying it at all times, this even includes international data transfer*.

    Putting something in the post, unencrypted is just idiotic and asking for losing your data. Twunts.

    *It's not always appropriate to move data over networks, a jumbo jet and box of tapes have rather more bandwidth than most international networks.

  39. Steve Sutton



    "Seriously have us reg readers stopped actually reading the articles now?

    1. The data was for life insurance; so yeah they want to know if you smoke."

    The article doesn't actually say it was *for* life insurance (although, I did misread "reinsurance" as "insurance" - which didn't help). Thanks to that, and a number of explanations that they sell life insurance, It now makes a bit more sense (it really was a funny shaped cloud, not a black helicopter).

    @ Jon

    Thanks for the explanation, however the "HSBC sell life insurance[1] to their customers" would have been sufficient for me to understand:)

  40. Risky

    They will give a damn about the fine

    Be assured that they do care when £980k or even £100k goes up in smoke for no good reason. Unlike HMRC you can expect that people get whacked and not just paid leave or trauma counselling or whatever happened with our public servants up north.

  41. Mark

    @Steve Woods

    Steve, it's "John the Ripper" IIRC. "John the Cracker" may be talking about someone who's really hot...

  42. Mark

    @Evil Graham

    So, what we want to do is start smoking in the last couple of years before taking out our pension?


  43. Ishkandar


    Don't be silly !! MPs don't put in expense claim documents. They claim whatever they feel like as a God-given right !!

    @Jon - I think you missed a very important bit of data on the life insurance policy document - State of health !! It's no good insuring a non-smoker if he's lying on his death-bed in a hospital dying of terminal prostate cancer !!

  44. Charles Smith
    Black Helicopters

    Data Protection negligence

    There are no excuses for this negligence by HSBC management. The data on the disk should have been encrypted.

    Sadly this corporate negligence will continue until Directors are sent to prison and given criminal records for allowing the loss of personal data.

  45. Warren Free

    Why oh why Royal Mail

    Why use Royal Mail? Are there any courier or postal firms out there who don't lose things? Maybe BA have forgot to mention that Royal Mail and TNT are running Terminal 5 :).

    There has to be better ways to transfer data. If the network isn't good enough or even up, drive up with the data encrypted on disk or a physical machine.

    If on a physical machine at least the data could be encrypted and if the worst happens, you can execute a remote secure deletion utilising a tool like BackStopp. This way data doesn't go missing, instead just the laptop goes missing. Banks, and anyone with personal data on us the ever at risk public, need to address these issues. A £xxxk fine just doesn't do it, heads should roll!!

  46. Anonymous Coward

    who pays for the fine

    In my experience, banking fines don't seem to affect the customer at all. They'll affect the shareholders' profits, but more likely, it'll come out of staff bonuses and pay rises. There'll be a few unhappy chappies in Southampton when they find out that some numpty in insurance is responsible for their christmas bonus, such as it isn't.

    Also, feel sorry for the managing directors, who I see as evil overlords, with their brilliant schemes constantly foiled by incompetent henchmen.

  47. kain preacher

    Just following the examples

    If the government refuses to take basic security measures, how can you expect industry to? I mean this web site is loaded with examples of various British give entities just lose data .

  48. Jestin

    What's the big deal?

    1) This article should have highlighted it was HSBC Life Insurance not HSBC Bank to avoid all the confusion.

    2) There would have been no identifiable personal data in the lost CD. The most that was lost is policy number, sex, DOB, smoker status, sum insured and such like. Reinsurers do not need to know bank details, names and addresses. This data on its own cannot be used for identity theft. This is not comparable to Nationwide's open laptop.

    3) This would have been monthly data as the reinsurer needs to carry out calculations to figure out how much HSBC needs to pay them every month so that might be why they didn't wait till the electronic link was fixed and improvised. Although this is not an excuse.

  49. Negrad

    Royal Mail

    I work for the NRC, the Royal Mail's National Returns Centre, that gets all the undelivered/refused/returned mail in the UK

    We open it and return where possible.

    We get tens of millions of items a year, and a lot of that is surcharged (under paid or no stamp at all), no or insufficient address - (Uncle Andy, Maidstone), or no house number, london addresses without postcodes, no postcode, made up postcode, postcode for your last address (well we only moved a street or two..) etc etc

    Each day I open and deal with hundreds of bank documents which only have an internal branch address on the envelope or people sending money to the internal address you see printed on paying in slips which obviously only mean something to firm concerned..

    We also get people paying for parking tickets, where you enclose the cheque in the nice yellow slip and still forget to put an address or stamp on it, and don't bother actually including their own address, so it has to be destroyed instead of returned.. (how many of them blame RM when the fine goes up when not paid within two weeks..?)

    And DVLA documents, the nice brown envelope that reminds you to put a stamp on it.. well perhaps it should also say "THE BIG EMPTY SPACE ON THE FRONT IS THERE FOR YOU TO WRITE THE DVLAS LOCAL ADDRESS ON.." - sigh

    And students applying for loans..

    Big envelope, first class stamp.. surcharged - refused and returned.. repackaged by student with a 2nd large stamp - surcharged - refused and returned... and students are supposed to be the clever ones..

    Solicitors etc can use the DX mail service, however writing DX 101 or whatever on front and popping it in the post box is pointless, Royal Mail cannot deliver DX mail, so we get to open and return that as well ... hundreds of those a week.

    Reminds me of a couple of years ago, a local firm had sent a hundred DX packets out by Royal Mail by mistake (no return address on the envelope obviously), realised and contacted us in a panic, documents contained wills, house deeds, offers for houses, contracts etc, would we pull staff off normal duties, sort through a few hundred thousand items of mail to find them in the next week, or the firm would lose tens of thousands of pounds, redrafting or replacing everything..

    We did so, found them, stacked them in trolleys in the corner, rang firm to come pick them up.. two weeks later still there...

  50. Steven Burn


    Not sure how most of your reply relates to this article but oks .... I'll bite as I'm in a funny mood.

    Why didn't you also explain;

    1. The MILLIONS of items of post that go missing? [1]

    2. The RM staff that are KNOWN to steal post? (and it's been in the papers, and on TV numerous times ;o))

    ... back to the article ..... HSBC doing this is no surprise, they're a big firm and "OH NOES! teh funny computer transfer thingy is down" is probably about the best that their completely IT phobic staff could come up with.

    Quite how they came up with the idea of using RM of all companies, is laughable ....... the fact the CDs and data weren't encrypted, comes right back to the fact that most of their staff know absolutely nothing about data security.

    [1] I've both sent and meant to have received hundreds of mail to and from various places over the years .... addresses and postage were correct in almost all cases, so your explanation of "IT'S YOUR DAMN FAULT!" just isn't gonna cut it ;o)

  51. Anonymous Coward
    Paris Hilton

    hardware encrypted USBs

    Why not use them? They are inexpensive and if found, can't be hacked.

    CDs....... ROFL

  52. Wize

    One way to stop this nonsense

    Make it illegal to put sensitive information in an unsecured place.

    The idea of who is guilty is something that's already pondered with the culpable responsibility laws (eg, if I get an idiot to put a system on an oil rig to prevent another Piper Alpha and that system didn't work, I get charged with murder as I should know the idiot wasn't up to the job). That way they don't blame someone who is new to the job, but instead blame the ones that gave them the data or told them to send it in the post without checking it's properly secured.

    And don't fine the people involved. A nice little custodial sentence will put the willies up them (so to speak) and stop others from being so careless.

  53. Steven Burn


    Couldn't have put it better myself ;o)

  54. Gianni Straniero

    How many times?

    Interesting to note that there's been a rash of these stories recently. They're obviously newsworthy since the Revenooers lost all the Child Benefit data last November, but considering the number of times these disks have gone missing since, we must presume this sort of stuff happens all the time.

  55. Wize
    Thumb Up

    Re: How many times

    It happens all the time. A recently closed ice rink round here has dumped all their customer details in a skip. Names, ages, etc of kids. One guy referred to it as a "pedo's goldmine" or something similar.

  56. Clovis

    Hang them all, hang them all, hang them all!

    ... wait. Was this a big deal? Some names and dates of birth and smoker status? This matters... why? No use for identity theft. No use for an invasion of privacy - if you know anyone on the list you already know roughly how old they are, and smoker status isn't a secret (for any smokers labouring under the misapprehension that we don't know you smoke, I'm afraid the smell betrays you at first introduction).

    @wize - a list of names and ages of kids is a 'pedo's goldmine'? WTF? Like the presence of children in a household is a mysterious secret which strangers can't uncover?

    Please gentlemen, let's try to keep a sense of perspective here.

    There's never a rolling eyes smilie when you need one.

  57. Wize

    @ clovis

    Also included were addresses, phone records and even medical details.

  58. Nick

    Re: I put this on the e-crime thread but figured it was pertinent here too

    AC wrote:

    "We've set them up password protected HTTPS upload functionality and SFTP connections but apparently it's not covered in their current security documentation"

    Opening port 22 in a firewall for sftp leaves them vulnerable to bypassing the firewall using ssh port forwarding.

    Also any encrypted traffic passing out of a network can't be monitored by the network admins so I'm not surprised that it's not allowed.
