Privacy Breach: Bank in UK Sends Personal Data of 75,000 Customers to 1 Customer Requesting Her Own Statement

Now Available:

Featured Resources:

The Halifax Bank of Scotland sent the complete account information for 75,000 of their customers to one customer who had requested a copy of her own statement.

A big thanks to my good friend Alec for sending me this story!

Under the European Union Data Protection Directive 95/46/EC individuals have a legal right, among many others, to obtain a copy of the personal information that an organization has about them at their request.

It appears this bank definitely needs to improve their procedures to provide such information!

This customer "...received five packages by post containing the names, sort codes, account numbers and details of transactions of Halifax Bank of Scotland customers after requesting her own statement."

"I sent away for my bank statements to get a refund on some bank charges. A couple of days later these five packages turned up at my door and they were filled with people's names, credit numbers, what they had paid in, and had taken out every day. The details started from April 2003 and there was also the total of the bank's overdraft."

The bank was unaware of the problem until the customer returned the documents. And, even though they sent her details about 75,000 people, they didn't have hers included.

"She is still awaiting her own statements which she requested last month."

Does the bank have information security and privacy policies and procedures in place? Do they have information security incident and privacy breach plans in place? It does not appear so.

Could this happen to your organization?

It will be interesting to see what type of penalty, if any, is applied to the bank for this privacy breach.

Categories

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.

Comments

I tend to follow closely security news, but I didn't hear about this breach until I read your blog.

The bank AND the 75,000 customers are very lucky that the information had such an honest "recipient." But I almost laughed out loud at this quote, "She is still awaiting her own statements which she requested last month."

The scenario is anything but funny... I'm just not sure how organizations, especially those that handle such sensitive info as financial data can be so careless about ROUTINE procedures.

Posted by: Mila | February 8, 2007 1:38 PM

Now Available:

Featured Resources:

Realtime Communities

Newsletter

Monthly Archives

RSS

Ask the Expert