
Halifax, a building society in the UK, has already begun writing letters to all of those customers whose details were taken, apologising for the breach, and has reported the theft to “all the relevant authorities”, including the Financial Services Authority (FSA), which could take action against the organisation.
“We are very sorry for any inconvenience or upset we may have caused our customers. Lessons have been learnt. We are reviewing our procedures as a matter of urgency,” said a spokesperson for the bank in a statement.
Of the 13,000 customer details taken, 1,800 included the name, address, mortgage account number and balance. The remaining data contained only the customer name, mortgage account number and approval status, the bank said.
Criminals attempting to commit identity or financial fraud could not use such information, Halifax maintained. The data did not include any bank account details, PIN numbers or passwords, according to representatives for the bank.
Halifax has vowed to compensate its customers, should any become the victim of fraud.
"While this is a situation that clearly could have been avoided, Halifax should be commended for being so upfront and notifying its customers immediately," said Jamie Cowper, data encryption expert at PGP Corporation. "It's refreshing to see companies taking the moral high-ground, even when they are under no legal obligation to do so."
The bank’s swift reporting and customer notification of the security breach contrasts with the case of Nationwide last year. Sensitive customer data was taken after the theft of an employee’s laptop in August, which only became public in November.
The building society was fined almost £1 million by the FSA, which found that Nationwide did not start an investigation into the theft until three weeks after it occurred.