The CD contained the personal information, including names, addresses, dates of birth and mortgage account numbers, of more than 62,000 mortgage customers of the Edinburgh-based arm of the HBOS banking group.
The disk was lost after it was posted to a credit reference agency, which reported the information missing when it failed to receive its monthly batch of data.
“The disk would usually be encrypted,” said a spokesperson for HBOS. “Unfortunately, due to human error on this occasion the usual policy was not followed. We apologise to our customers for this.”
As a result of this breach, the bank is writing to all the customers involved, warning them of the risks of identity theft and offering them free credit reference checks.
“This case highlights the need for encryption of sensitive information by companies, especially where customer data is involved,” said Calum Macleod, European director for Cyber-Ark.
In March, thousands of customers of Halifax, another subsidiary of HBOS, demanded answers after a computer printout of their personal details was snatched from an employee’s car.
The bank sent written apologies to the 13,000 people affected, reiterated that lessons had been learnt, and claimed that the company was “reviewing procedures as a matter of urgency.”
Macleod added: “Considering the bank's sister organisation also had a similar incident, you'd think they would have reviewed their data security policies by now.
“It still comes as a surprise that so many organisations are still using such archaic methods [to protect sensitive data]. The technology required to eliminate these threats costs a fraction of the money that HBOS will now have to spend to recover from this single incident.”
A Royal Mail spokesman said: “The Royal Mail advises customers that when sending important information to use a special delivery service.” The postal service loses 0.07 per cent of the items posted each year.
HBOS: Lost data disk was not encrypted
By Fiona Raisbeck on Jun 12, 2007 10:17AM