The Halifax Bank of Scotland sent the complete account information for 75,000 of their customers to one customer who had requested a copy of her own statement.
A big thanks to my good friend Alec for sending me this story!
Under the European Union Data Protection Directive 95/46/EC individuals have a legal right, among many others, to obtain a copy of the personal information that an organization has about them at their request.
It appears this bank definitely needs to improve their procedures to provide such information!
This customer “…received five packages by post containing the names, sort codes, account numbers and details of transactions of Halifax Bank of Scotland customers after requesting her own statement.”
“I sent away for my bank statements to get a refund on some bank charges. A couple of days later these five packages turned up at my door and they were filled with people’s names, credit numbers, what they had paid in, and had taken out every day. The details started from April 2003 and there was also the total of the bank’s overdraft.”
The bank was unaware of the problem until the customer returned the documents. And, even though they sent her details about 75,000 people, they didn’t have hers included.
“She is still awaiting her own statements which she requested last month.”
Does the bank have information security and privacy policies and procedures in place? Do they have information security incident and privacy breach plans in place? It does not appear so.
Could this happen to your organization?
It will be interesting to see what type of penalty, if any, is applied to the bank for this privacy breach.
Tags: awareness and training, EU Data Protection Directive, government, Information Security, IT compliance, personal privacy, policies and procedures, privacy, privacy breach, privacy law