The Information Commissioner’s Office (ICO) has served the Bank of Scotland with a monetary penalty of £75,000 after customers’ account details were repeatedly faxed to the wrong recipients.
The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. The documents were faxed over a three year period, with the first incident reported to the bank in February 2009 by a third party organisation.
In total, at least 21 documents were sent to the third party organisation during this time, with another member of the public receiving a further 10 misdirected faxes. Both parties had fax numbers that were one digit outside the intended recipient, which was a department within the bank that routinely uploaded documents onto the bank’s system.
Despite the company being informed of the problem on numerous occasions the errors continued. The matter was eventually referred to the ICO by the third party organisation, yet further mistakes were made even as the ICO was investigating the breaches.
Stephen Eckersley, Head of Enforcement at the ICO said:
“The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines. To send a person’s financial records to the wrong fax number once is careless. To do so continually over a three year period, despite being aware of the problem, is unforgiveable and in clear breach of the Data Protection Act.
“Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today’s penalty reflects the seriousness of this case.”
View the Bank of Scotland monetary penalty notice (pdf)
SOURCE: Information Commissioner’s Office