February 10, 2014 10:58 pm

Barclays push to regain trust suffers blow after blow

The bad news is coming thick and fast for Barclays. The latest blow – the revelation that the UK bank has suffered one of the worst customer data breaches in years – follows recent setbacks, including a fresh £330m provision for legal and regulatory issues and criticism from unions over plans to close branches.

For Antony Jenkins, chief executive, the timing could not have been worse.

When he unveils the bank’s annual results on Tuesday, Mr Jenkins plans to trumpet new targets for the lender, most of which are “good citizen” aims to improve relations with staff, customers and society more broadly.

But his mantra of restoring trust is in danger of being drowned out by negative reports that analysts say risk alienating customers further.

In an unscheduled trading update on Monday – prompted by the publication of accurate results forecasts in the Financial Times – the bank said its operating profit for 2013 would be £5.2bn, sharply down on 2012.

The warning came as Barclays’ customers digested the news that the bank had been subject to a security breach triggered by the alleged theft of personal details of at least 2,000 and potentially up to 27,000 individuals.

Barclays and the Financial Conduct Authority are investigating the incident after a report in the Mail on Sunday claimed an anonymous whistleblower had handed over details of customers’ finances, health records and passports and national insurance numbers. The whistleblower claimed the files could be sold for as much as £50 each to rogue City brokers.

Barclays said it had not yet traced the source of the leak but consultants claimed these situations typically involved an internal breach.

“If . . . there is value in things like client lists the easiest thing in the world is for someone to grab a few spreadsheets, put them on a memory stick and walk out,” said Ross Anderson, professor of security engineering at the University of Cambridge.

HSBC, for example, suffered a breach in 2010, when a former employee stole the details of 24,000 clients from a branch in Switzerland.

Security experts said these kinds of breaches were being fuelled by the move to digital services – one Barclays considers itself at the forefront of – as criminals can increasingly use stolen data to open fraudulent accounts online.

“As society becomes more digital, it is easier to exploit weaknesses,” said Ken Allan, global information security leader at EY. “There is greater criminal value in the data . . . so people will start to apply an economic approach to how much risk they are willing to take.”

The stolen records relate to customers of Barclays Financial Planning, which ceased operating in 2011. Barclays said it was working through the 2,000 customer records passed to the Mail on Sunday to ascertain their validity. The whistleblower said he had access to up to 27,000 files.

Early indications showed that some of the data did not match Barclays’ customer records – although it was unclear whether the details were falsified or related to accounts held at other institutions.

If evidence emerges of a failure of controls at Barclays the penalties are likely to be severe as the regulator has become increasingly tough on data protection breaches in recent years.

In 2009 insurance subsidiaries of HSBC were fined more than £3m after disks containing unencrypted confidential customer data were lost in the post, while other information was left on open shelves and in unlocked cabinets.

A year later the UK insurance arm of Zurich Financial Services was fined £2.275m for losing the personal details of 46,000 customers, including in some cases bank account and credit card information. The breach occurred when an outsourcing company in South Africa lost an unencrypted backup data tape containing customer information.

Other industries have also been hit. Target, the US retailer, lost 70m customer details when its point-of-sale system was hacked at the end of last year.

Meanwhile in 2007 hackers stole information from at least 45.7m payment cards used by customers of US retailer TJX, which owns TJ Maxx, and UK outlet TK Maxx. And in 2011 Sony PlayStation took its network offline after hackers gained access to 70m user accounts including information such as names, addresses, date of birth, billing history and password answers.

While consultants said IT and data breaches were not unusual, repairing the damage to Barclays’ reputation might take more than a fresh promise of good citizenship.

Copyright The Financial Times Limited 2015.