Halifax bank is writing to 13,000 mortgage customers after a computer printout with their account details was stolen from a member of staff last week.
The incident is the latest data security breach to hit the UK financial sector. Earlier this month, the Information Commissioner’s Office slammed 11 banks – including Halifax’s parent firm HBOS – that dumped customer account details in outside dustbins.
Last month, the Financial Services Authority slapped a fine of almost £1m on the Nationwide building society for inadequate security controls, following the theft of one of its laptops containing customer names, addresses and account details.
Halifax said the latest incident was reported promptly to all the relevant authorities, including the FSA.
But it said it was “almost impossible” that any financial fraud could be committed with the stolen information, held in a briefcase that was stolen from an employee's car late on Wednesday evening.
Around 11,000 of the records on the printout held only names, account numbers and outstanding balances, with 1,800 also containing names and addresses. The employee used the information when liaising with mortgage intermediaries.
Halifax said the stolen personal data “did not include any bank account details, PINs, passwords or details of financial transactions”.
Shane O'Riordain, Halifax’s general manager, group communications, apologised to customers, adding: “Lessons have been learnt. We are reviewing our procedures as a matter of urgency. We have taken immediate steps to protect our customers.”
The bank also pledged that none of its customers would be left out of pocket “in the very unlikely event of fraudulent activity on their account” following the theft.
“We applaud Halifax’s prompt action in communicating with FSA. Disclosure is definitely the right route forward and it’s good to see an organisation acting responsibly,” said Paul Davie, chief and founder of database security vendor Secerno. “However, this is another example of an incident that could so easily have been avoided. Checks must be put in place to prevent any one individual – even if his intentions are honourable – from accessing and downloading this volume of data.”
A survey launched this week by Websense suggests that 50% of employees believe their company simply would not know if they took, or accidentally took, company information.