The Bank of Scotland has been fined $116,295 for sending sensitive customer details to the wrong people over a four-year period via fax.
The misdirected information included payslips, bank statements, account details and mortgage applications, along with customers’ names and contact details. The first incident was reported in February 2009.
The bank, which is owned by Lloyds Banking Group, was served the fine following an investigation by the UK Information Commissioner’s Office (ICO).
At least 21 documents were sent to third-party organisations during this time, with another member of the public receiving 10 misdirected faxes. The incorrect fax numbers were one digit away from the number of the intended recipient, which was a department within the bank responsible for uploading documents to the bank’s system.
The ICO claimed the errors continued while it was investigating the breaches. Stephen Eckersley, Head of Enforcement at the ICO, described the bank’s conduct as "unforgiveable."
"The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines. To send a person’s financial records to the wrong fax number once is careless. To do so continually over a four-year period, despite being aware of the problem, is unforgiveable and in clear breach of the Data Protection Act," he said.
"Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today’s penalty reflects the seriousness of this case," Eckersley continued.
A spokesperson from Lloyds Banking Group apologised for the security breach. "The security of our customers’ data is always our key priority," the spokesperson told RBI.
"We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected. This occurred over a period in which several million customer documents, using the same process, were correctly received," they continued.
According to Lloyds Banking Group, no customer suffered any harm or detriment as a result of the error. "We are continually reviewing our processes to ensure our customers’ information remains safe," the bank said.