Tuesday, April 08, 2008

HSBC didn't learn from HMRC

HSBC here in the UK has just lost a data disc full of customer details. It wasn't a goof-up of HMRC proportions: 370,000 customer records seem like nothing next to the 25 million HMRC lost in the post. But after all the recent incidents, you would have thought they would be at least a little more careful about what they send out by post. From what I can gather, you only need to worry if you have taken out an insurance policy that is somehow connected with HSBC, or if HSBC holds insurance-related information about you in its systems.

A lot of the points I made about the HMRC incident still apply here, so I won't rehash them. I'm just very surprised the bank didn't dive into user security awareness training to try to mitigate the risk. I also wonder whether they changed any of the procedures and processes around how information is handled.

Or maybe they did both, which brings me to the next point. Assuming they have done some educating and process re-engineering, the next logical step is to put tools in place that help with both user education and information control. Nothing beats educating users in real time, at the moment they do something risky (how many times have you sat through a security awareness class and come out not remembering a single thing?). The same tools can protect information as it flows around and automatically encrypt anything written to removable media, like a frigging disc that is about to go out in the post, just in case the person doing it was asleep in class (like the rest of us).

The right approach in my opinion is actually a combination of varying approaches running in parallel. Start small with each aspect and let them evolve and intermingle. For example, you can put in the simple controls using a tool while also conducting user awareness programs and changing information handling processes. It's all iterative.

Of course, whatever they currently have in place isn't working. They claim to have had password protection on the disc, but even they admit that it wasn't good enough and that they should have at least encrypted the information. A password prompt on its own only gates the application that opens the file; unless the contents are actually encrypted under a key derived from that password, anyone holding the raw disc can read them straight off the media.
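To make the "password protection versus encryption" distinction concrete, here is an added example (my own illustration, not HSBC's software or anything described in the press reports) in Go. It contrasts a file format where the password is only a gate in front of plaintext with one where the payload really is encrypted: the passphrase is stretched with PBKDF2-HMAC-SHA256 (written inline so the example needs only the standard library) and the data is sealed with AES-256-GCM, so a wrong passphrase or a tampered disc is rejected. The sample record, the passphrases and the iteration count are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample standing in for one line of a customer-detail export (not real data).
var sampleRecords = []byte("name=A Customer,policy=INS-000001,dob=1970-01-01\n")

// ---- "Password protection" as a gate only ----
// The payload is stored in the clear; the password hash only guards the open dialog.
// Anyone who reads the raw bytes from the disc bypasses the check entirely.
type gatedFile struct {
	PasswordHash [32]byte
	Payload      []byte
}

func gateWithPassword(data []byte, password string) gatedFile {
	return gatedFile{PasswordHash: sha256.Sum256([]byte(password)), Payload: append([]byte(nil), data...)}
}

func openGated(f gatedFile, password string) ([]byte, error) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], f.PasswordHash[:]) != 1 {
		return nil, errors.New("wrong password")
	}
	return f.Payload, nil
}

// rawContains reports whether the stored bytes still expose the plaintext.
func rawContains(blob, needle []byte) bool { return bytes.Contains(blob, needle) }

// ---- Real encryption for data leaving on removable media ----
// pbkdf2 is a minimal PBKDF2 (RFC 8018) over HMAC-SHA256, inlined to stay stdlib-only.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block) // U1 = PRF(P, S || INT(block))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Ui = PRF(P, Ui-1); T = U1 xor U2 xor ... xor Uc
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const (
	saltLen = 16
	iters   = 100000 // illustrative; tune to the hardware the files are opened on
)

// encryptForTransit returns salt || nonce || AES-256-GCM(ciphertext+tag). Salt and nonce
// are public; the salt is also bound into the tag as associated data.
func encryptForTransit(data []byte, passphrase string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2([]byte(passphrase), salt, iters, 32))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, salt)
	return append(append(salt, nonce...), ct...), nil
}

// decryptFromTransit fails closed on a wrong passphrase or any modified byte.
func decryptFromTransit(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	block, err := aes.NewCipher(pbkdf2([]byte(passphrase), salt, iters, 32))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(rest) < gcm.NonceSize() {
		return nil, errors.New("blob too short or cipher setup failed")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	g := gateWithPassword(sampleRecords, "letmein")
	fmt.Println("gated file still holds plaintext on disc:", rawContains(g.Payload, []byte("INS-000001")))
	blob, _ := encryptForTransit(sampleRecords, "correct horse battery staple")
	fmt.Println("encrypted file holds plaintext on disc:", rawContains(blob, []byte("INS-000001")))
	_, err := decryptFromTransit(blob, "wrong passphrase")
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

The point of the contrast is the first check: with a gate-only format the customer records are readable by anyone who opens the disc image in a hex editor, password or not. With the encrypted format the disc carries only salt, nonce and ciphertext, and GCM's tag means a modified or mis-keyed blob is refused rather than silently decrypted to garbage.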

I know for a fact that this area of security hasn't really been a focus for the bank over the past year. They've been more concerned about PCI...and we know that as long as you are PCI compliant, your customer details are safe right?! Think again (see Rich Mogull's analysis of the Hannaford data loss incident - Hannaford were apparently PCI compliant).

Maybe their priorities will change now? I doubt it...but one can hope.
