Banking group HBOS has apologised after confidential information on 62,000 mortgage customers was lost in the post – the second data loss to hit the group in three months.
The information – including names, addresses, dates of birth and mortgage account numbers – was held on a CD-Rom sent by HBOS subsidiary Bank of Scotland to a credit reference agency.
In March, Halifax building society – another HBOS subsidiary – wrote to 13,000 mortgage customers to apologise after a computer printout of their customer records was stolen from an employee's car (https://www.cio.co.uk/concern/resources/news/index.cfm?articleid=1044&pagtype=allchantopdate).
After the Halifax incident, HBOS general manager for group communications Shane O'Riordain promised: "Lessons have been learnt. We are reviewing our procedures as a matter of urgency."
HBOS was also among 11 banks that were heavily criticised by the Information Commissioner in March for dumping customers' personal data in rubbish bins outside their premises.
The Information Commissioner ordered HBOS and the other banks to sign a formal undertaking to comply with Data Protection Act principles and said he would take further action – including possible prosecution – if the conditions were not met.
An HBOS spokesperson said the missing Bank of Scotland CD was part of a regular dispatch of data sent monthly to credit reference agencies. Such data was usually sent by secure post but on this occasion had been put in the ordinary Royal Mail post. "That was a mistake on our part," he said.
The loss had come to light when one of the credit reference agencies reported that it had not received the expected disk.
The spokesperson could not confirm whether the data on the CD had been encrypted. But he said the risk of fraud was "very low" because the data did not include bank account details, PINs or passwords.
The bank had been "upfront" about notifying affected customers, who had been offered free protective registration with the CIFAS anti-fraud service. "We will be monitoring accounts carefully," he added.
The bank has reported the lost CD to both the Financial Services Authority and the Information Commissioner.