Tuesday, April 8, 2008

Operational Risk Of HSBC Data Security Breach

The London newspapers were all abuzz yesterday with the news that HSBC had lost 370,000 customers’ data via the post (mail for the U.S. folks). According to BBC News:

"The HSBC banking group has admitted losing a computer disc with the details of 370,000 customers. The disc was lost four weeks ago after being sent by courier from the bank's life insurance offices in Southampton. The customers' details included their names, dates of birth, and their levels of insurance cover. However, there were no addresses or bank account details and HSBC said the customers' exposure to potential fraud was limited.

"We are looking into it and basically it has got lost from A to B," said an HSBC spokesman. "The reinsurer we sent it to is doing a thorough search for the disc. We will do anything we can to find it." "There are no financial details there in terms of banking details. There are no address details or anything like that," he added. As well as name, date of birth and value of the cover, the documents revealed only the customer's policy number and whether or not the customer was a smoker."
HSBC is claiming that customers’ exposure to potential fraud will be limited. I think that ‘limit’ will be determined once the investigation has been completed. However, if the disc fell into the hands of professional identity thieves, the potential for fraud will not be limited.

Operational Risk Analysis
  • Fact 1: HSBC’s wire service was ‘down’ on the day of the delivery, according to the Financial Times:
    “HSBC usually employs an electronic wire service to transmit details to its reinsurers but it had to use the postal service because the wire service was not working that day.”

  • Fact 2: Customers’ data, while password protected, was not encrypted.

  • Fact 3: The disc containing customers’ data was sent by post:
    “The bank said a computer disc had gone missing after it was sent via Royal Mail Services…”

  • Fact 4: The disc was lost about four weeks ago, according to the Guardian:
    “The disc went missing around four weeks ago after being sent with an external courier from the group's offices in Southampton to a reinsurer [Swiss Re in Folkestone].”
Basel Levels 1 And 2 Loss Event Categories And Violations Identified
Potential operational risks, based on the above facts, would fall into the following Basel loss events:

Level 1 - Business Disruption & Systems Failures
  • Level 2 - Systems – (Utility outage / disruptions) By having the electronic delivery system go down on the day of the delivery, HSBC is in violation of its own Business Continuity Plan (BCP), which stipulates that the business should have redundant backup systems at the ready in case of primary system failure. The BCP also stipulates that the continuity plan be tested regularly to ensure it can be implemented at a moment's notice. This initial failure set in motion the loss of customers’ data.
Level 1 - Clients, Products & Business Practice
  • Level 2 - Suitability, Disclosure & Fiduciary – (Fiduciary breaches / guideline violations) By failing to encrypt the disc data, HSBC violated its own data security policy as well as guidance issued by the Information Commissioner's Office (ICO), which recommended that “all information must be encrypted before being physically moved by disk or memory stick.” This subsequent failure increased the potential for the data to be exploited by identity thieves.

  • Level 2 - Suitability, Disclosure & Fiduciary – (Breach of privacy) By losing unencrypted customers’ data, HSBC may be in violation of the Data Protection Act 1998, which stipulates that organisations have “appropriate measures against accidental loss” of personal information.

  • Level 2 - Monitoring & Reporting – (Failed mandatory reporting obligation) By waiting four weeks before notifying the authorities of the data loss, HSBC may be in violation of other data security regulations and their own internal policy for prompt notification of serious operational breach.

  • Level 2 - Customer / Client Account Management – (Negligent loss of client assets) Regardless of how the data was lost, the simple fact of loss is an operational risk.

  • Level 2 - Vendors & Suppliers – (Outsourcing) By using an outside delivery method, HSBC lost control of the data and method for tracking its transportation to the proper counterparty.
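The ICO guidance quoted above (encrypt before physically moving data) and Fact 2 (password protected is not the same as encrypted) are the technical core of this analysis. As an added illustration, not code from HSBC or from the original post, the following Go program shows what that control looks like in practice: the customer records are sealed with AES-256-GCM before they are written to removable media, so the disc alone reveals nothing, any tampering with the disc contents is detected on opening, and the key is held separately from the disc (in HSBC's case it could have travelled over the wire service or a second channel once that was restored). The field layout and the two sample records are constructed for the example; the function names are the author's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample in the shape the article describes: policy number,
// name, date of birth, level of cover and smoker flag. No real data.
const sampleRecords = "policy_no,name,dob,cover_gbp,smoker\n" +
	"P-000001,A. Example,1970-01-01,150000,no\n" +
	"P-000002,B. Example,1965-06-30,250000,yes\n"

// NewKey returns a fresh 256-bit AES key. The key must travel by a channel
// other than the disc itself; a password stored beside the data is not a key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecords seals plaintext with AES-GCM. The random nonce is prepended
// to the ciphertext so the blob is self-describing; the GCM tag at the end
// lets the receiver detect any modification of the disc contents.
func EncryptRecords(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecords opens a blob produced by EncryptRecords. It fails, rather
// than returning garbage, on a wrong key or a tampered blob.
func DecryptRecords(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptRecords(key, []byte(sampleRecords))
	if err != nil {
		panic(err)
	}
	// This blob is what would be burned to the disc; without the key it is
	// indistinguishable from random bytes.
	fmt.Printf("sealed %d bytes of records into %d bytes\n", len(sampleRecords), len(blob))

	// Simulate a disc that was altered in transit: one flipped bit is enough
	// for GCM to reject the whole file.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptRecords(key, blob); err != nil {
		fmt.Println("tampered disc rejected:", err)
	}
}
```

The design point is that confidentiality and integrity come from the key, not from the medium or the courier: a lost or intercepted disc is a lost blob, and a disc that arrives but has been altered is rejected rather than silently loaded into the reinsurer's systems.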
Loss From Identified Risk Events
Why HSBC would send a disc full of unencrypted customers’ data by post is anyone’s guess. What is certain is that HSBC will be fined for its negligence. In similar data loss cases, the Financial Services Authority (FSA) fined Norwich Union £1.26 million in December 2007 for “not having effective controls in place, enabling fraudsters to get hold of customers' details and cash in £3.3 million of policies.” The FSA also fined Nationwide £980,000 in 2007, after a “laptop containing confidential customer details was stolen from an employee's home in a domestic burglary” in August. Based on these precedents, it is possible that HSBC will face a hefty fine in the range of Nationwide's.

While HSBC is cooperating with the investigation into the loss of data, the fact that it took them nearly a month before disclosing the loss is suspect. However, even without additional details on how the data was lost in transit, it suffices to state that the facts so far disclosed to the public indicate that HSBC committed a serious breach of the Data Protection Act and of its internal data security policies. Most likely the person who authorized the sending of the data via post will lose his/her position. Right now, HSBC's internal Operational Risk and Compliance departments are performing “deep dive” exercises to ascertain the “root cause” of the cascading operational risk events, and drafting “corrective actions” to prevent a repeat of a similar incident. Having been there and done that, I wish them well.

For more information on Information Security, look into the Infosecurity Europe 2008 event to be held in London.

Ed Kim
DISCLOSURE: The author holds no positions in HSBC at this time, nor is affiliated with Infosecurity Europe or The SANS (SysAdmin, Audit, Network, Security) Institute that is sponsoring the event.
