Worst Data Privacy Violator Is Barclays

Jay Decenella, IT audit expert
May 25, 2011

Lax data privacy handling has become more rampant among major banks, while the Information Commissioner’s Office (ICO), the agency tasked with ensuring data protection, has been giving violators only a slap on the wrist.

Consumer watchdog Which? claimed in a report that banks have been violating data privacy laws amid increasing rates of confidential financial details being exposed to third parties. Top of the list is Barclays, which racked up 116 complaints, followed by Lloyds Banking Group with 114 complaints.

The report was released in the wake of a data privacy breach involving Bank of America.

Reports said a BofA associate had sent sensitive data such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, e-mail addresses, family names, PINs and account balances to fraudsters who, in turn, hijacked these credentials.

The data breach, which allegedly affected around 300 customers in California and other Western states, was detected by BofA in early 2010, but the bank only notified its customers recently, as it had first been working with authorities to identify the scale of the fraud.

In just a year, the ICO received more than 1,000 complaints against banks and building societies involved in different cases of data breach.

But Which? claimed that the ICO has done little to take these banks to task.

“We have made some shocking discoveries about the number of breaches [banks] could be committing, and the scant action the ICO has taken about potentially serious lapses,” Which? said in a statement.

The ICO was previously criticized by consumer groups for having been soft in its treatment of Google Inc. after the search giant failed in its data security measures and had its Street View cars collecting payload data including emails and passwords.

Poor data protection measures by banks, according to Which? Executive Director Richard Lloyd, not only affect credit ratings but also leave people open to fraud.

The group’s report shows several examples of lax data privacy handling that could undermine the trust of customers.

Santander, for one, was reported to the ICO in December 2010 for erroneously sending 35,000 bank statements to the wrong recipients. The statements contained customers’ personal information, such as name, address, bank details and recent transactions.

Additionally, Halifax was charged for losing a customer’s personal details, Nationwide for linking a customer to an incorrect address, and Barclays for allegedly sending out private documents in unsealed envelopes.

Which? said complaints filed with the ICO surged by 10 percent in 2009, from 1,060 to 1,163, mostly against financial institutions. Using the data disclosed through a Freedom of Information request, the group found that data privacy violations by banks have gotten worse.

The ICO has the authority to impose fines of up to £50,000 on companies that violate the Data Protection Act in addition to an undertaking that would require these firms to improve the way they handle customers’ data.

But the data privacy agency failed to impose any of these sanctions on any of the large banks tagged in data privacy complaints.

“We take the most appropriate action depending on the details of the case. Formal enforcement action is not always the most effective or proportionate way of achieving this,” it said.

 
