HSBC's Swiss arm, HSBC Private Bank SA, loses data - and takes three months to work out what happened
In April 2008, HSBC in the UK admitted that it had lost a data disk containing information on 370,000 customers. The details included names, dates of birth and insurance information, but no bank account information and nothing that would permit the customers' identities to be cloned. The bank admitted it had no idea where the disk was: it was lost "somewhere between A and B," a spokesman said. The information, which was usually transferred within the bank over a secure data link, had instead been written to a password-protected but unencrypted disk and sent between offices through the bank's internal mail system, a service operated for it by Royal Mail. A password on an unencrypted disk only gates the viewer software; the data on the media itself remains readable to anyone who skips that prompt, which is why the distinction matters.
A year later, three HSBC units were fined more than GBP 3 million. The fines were levied not by the Information Commissioner but by the financial regulator, the FSA, which had been made aware of a second occasion on which data was "lost in the post." The three units were HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers. The FSA conducted a security audit and found unencrypted data on open shelves and in unlocked cabinets.
Clive Bannister, group managing director of HSBC Insurance, said: "We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret."
That was then. And this is now - or rather, last December, when HSBC's private banking unit in Switzerland discovered that information relating to clients had been compromised.
HSBC had no idea that its data had been stolen by a former employee, Herve Falciani, until he tried to sell it to the French authorities, who promptly arrested him and handed the data to HSBC. Well, not so promptly - and not all of the data. Falciani tried to sell details of 3,000 accounts and, according to reports in the German news magazine Der Spiegel, he tried to sell 1,300 names of German taxpayers to the German authorities for 2.5 million euros. The magazine reported that the likely tax recovery would be between 100 and 200 million euros and that the German finance minister, Wolfgang Schaeuble, said he would buy the data. There was an outcry: how dare Germany seek to profit from an illegal act, was the general tenor.
But Germany has form here: in 2008, it allegedly paid Heinrich Kieber for data stolen from LGT Group in Liechtenstein. Kieber is reported to be living in Australia under an assumed identity. (See: Liechtenstein: Bank names data thief.)
But yesterday, HSBC for the first time admitted the scale of the problem: data on approximately 15,000 clients was stolen.
And it immediately issued a contrite apology. "We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy," said Alexandre Zeller, CEO of the Swiss bank, in a statement. "We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts."
The bank has also spent an additional CHF 100 million on improving its security systems for its global client base.
The statement says "It is now clear that the theft, which was perpetrated by a former IT employee about three years ago, involves approximately 15,000 existing clients who had accounts with the bank in Switzerland before October 2006. The stolen client information is limited to accounts in Switzerland, excluding ex-HSBC Guyerzeller accounts. There is no data compromised for any branches of the bank outside Switzerland, which operate on separate systems and security, or other entities within the HSBC Group."
The statement goes on "Copies of a significant portion of the data were returned to the bank on 3 March 2010 by the Swiss Federal Prosecutor. The French authorities had previously seized the files from the former IT employee, who absconded from Switzerland while under investigation, before passing copies to the Swiss Federal Prosecutor.
"The Swiss authorities confirmed to us that they will not support the use of the stolen data to answer requests from foreign authorities. The French authorities have informed the Swiss authorities that the data they hold will not be used inappropriately."
Customers' accounts are considered secure, says the bank: "The bank does not believe that the stolen data has or will allow any third party to access any client account."
But there is a large, potentially very expensive, problem looming. Remember that FSA fine? The HSBC group's headquarters is still in London, even though its CEO has moved back to base in Hong Kong. That means that the whole HSBC group, as subsidiaries of the UK-registered and regulated entity, is subject to FSA regulation. The FSA requires all UK-regulated businesses to maintain UK standards wherever they operate.
UK businesses, and their overseas subsidiaries, are also subject to UK data protection law. Last time, HSBC was probably lucky in its timing: the British government had suffered a series of data breaches of its own and was busy negotiating with the Information Commissioner to be let off without prosecution, so action against HSBC at that time would have raised the question of how the Treasury could lose data with impunity while a corporation got hammered. A fine from the FSA neatly sidestepped the government's dilemma. That is not the case now: public recollection of millions of public records going astray, of the details of thousands of applicants to join the Armed Forces, and of the other breaches has faded.
So HSBC in the UK, in addition to any Swiss action that might arise, is at risk of fines from both the FSA and the Information Commissioner.