HSBC hit by three million pound fine

"Reports that the FSA has hit HSBC's Life UK, Actuaries and Consultants plus Insurance Brokering divisions with heavy-duty fines are the direct result of the bank not using a secure mechanism to allow distributed access to customer's data," said Mark Fullbrook, UK and Ireland Director with the data integrity and security specialist, CyberArk.

"Data vaulting takes the best of encryption and IT security technologies to create data silos into which data can be stored, accessed on a shared basis and edited on a controlled - and auditable - basis," he added.

Over at BeCrypt, the cryptographic specialist, Bernard Parsons, the firm's CEO, said that the HSBC incidents highlight - yet again - the need for organisations of all types to take stock of how they protect and handle data, particularly on removable forms of media.

"It also highlights the dangers of sending (out) unprotected data when a solution is available today that can quickly encrypt data and burn it onto a CD or other removable media, therefore protecting the information whilst it is in transit," said the BeCrypt CEO.

According to Parsons, there is a need for the industry to understand the ways that such breaches can occur, how this could happen and also what can be done to circumvent the issue.

Should data be stolen, he said, on whatever the media form, it is important to note that encryption would protect whatever data was held on it

"It's classic people/processes/technology conundrum: human behaviour is unpredictable - mistakes happen or intentional malicious intent can circumvent best practice guidelines," said the BeCrypt CEO.

"This is where a solid Information Assurance policy can help protect an organisation's integrity, reputation and the data it holds," he added.

Alan Calder, an information security and IT governance expert, meanwhile, said that it seems amazing that an organisation as trusted as a global high street bank should still be caught asleep at the wheel when it comes to personal data protection.

"The FSA is to be applauded for issuing this fine, because it seems that harsh financial penalties are necessary for board directors to start taking these responsibilities seriously," Calder said.

But, added Calder, who is chief executive of IT Governance Limited, the IT security governance training and best practice company, how large will fines have to be for more boards to pay attention?

"We're seeing ongoing 'fine inflation' - plainly, fining the Nationwide (building society) 980,000 pounds for a similar thing two years ago wasn't enough, so will three million do the trick? Well, at least we're hitting sums that might begin to put a dent in a banker's bonus," he said.

"However, I expect the FSA will soon have to make good on its threat to personally prosecute directors for such lapses, or else see the issue kicked into the long grass again within months," Calder added.

"What is really disgraceful if how inexpensive these things are to get right. Putting in place the standards, procedures and training that would protect millions of customers costs well under 100,000 pounds for a firm like HSBC - a drop in the ocean for a bank that earns billions from our money," he added.

Back at Cyber-Ark, company director Mark Fullbrook made the closing comment on who will eventually end up paying HSBC's fine:

"That's right, the bank's customers," he said.


What’s Hot on Infosecurity Magazine?