More than 100 HSBC Australia customers had their banking details, names and home addresses, as well as other personal financial information exposed Wednesday in a serious security breach by staff.
The extraordinary breach was exacerbated by the sheer volume of documents and sensitive nature of the information that was exposed.
The documents, which were found on an early morning peak hour train in Sydney, left HSBC customers dangerously exposed as the paperwork listed customer names and addresses along with their banking details such as branch and account numbers.
Computerworld Australia sighted up to 50 mortgage approval letters, which included property values, repayment information and even deposit details, with photocopies of six-figure cheques attached.
In addition to personal customer information, there was training material that featured customer blacklists.
Notified of the incident, a spokesman for the Office of the Federal Privacy Commissioner confirmed that an official investigation is underway.
“We will look into the matter and make sure procedures are in place to ensure it doesn’t happen again,” he said. Asked about penalties, the spokesman said the role of the privacy commissioner is to mediate and ensure the institution has taken steps to secure customer information.
An HSBC Australia spokeswoman confirmed the breach, adding that the “incident had already been addressed.”
“The employee concerned has been disciplined and the privacy commissioner has also been advised of the incident,” she said.
The spokeswoman did not disclose the disciplinary action taken but did confirm there were no plans to notify customers affected by the breach.
“It was extremely limited data relating to 24 separate accounts,” the HSBC spokeswoman said.
“It included no sensitive information as defined by the Privacy Act. All records have been retrieved and we’re of the view no customers have been impacted.
“HSBC takes its compliance and data security obligations extremely seriously and have standards in place to ensure ongoing compliance with all regulatory requirements, including our privacy obligations.
“Unfortunately this isolated incident is simply a case of human error.”
While HSBC does not believe the information is ‘sensitive’, Hydrasight senior analyst, Michael Warrilow, thinks customers may feel differently.
“Based on current laws there is no requirement for HSBC to disclose details of the breach. This isn’t an isolated incident, it happens a lot but we don’t hear about it,” Warrilow said.
“Until disclosure laws are introduced in Australia it will continue to happen.
“Even the privacy commissioner has no criminal jurisdiction, the commissioner can only mediate a settlement. In other words, the office can bark but not bite.”
Describing the Office of the Privacy Commissioner as a toothless tiger, Warrilow said the review of the Privacy Act currently underway may improve the commissioner’s powers.
Commenting on the breach, Warrilow said it was a very basic flaw.
“It isn’t always IT related, this is human error. Details of home addresses, that’s very personal and sensitive information, especially when you combine it with banking and mortgage details,” he said.
Headquartered in London, the HSBC Group has some 9,500 offices and over 250,000 employees in 76 countries and territories in Europe, the Asia-Pacific region, the Americas, the Middle East and Africa. The HSBC Group serves almost 125 million customers and has assets in excess of US$1.5 trillion.