HSBC Australia account holders are outraged that the bank didn't bother to contact a single customer in the wake of a serious security breach which exposed banking details, names and home addresses, as well as other financial information.
Customers labelled the bank's handling of the breach a "disgrace" accusing HSBC of favouring commercial interests over privacy protection.
HSBC did not advise customers of the breach even though more than 100 account holders were exposed. As reported in Computerworld last month, the sensitive documents were left on a peak hour train in Sydney by a HSBC employee.
Information exposed included approval letters for mortgages which listed property values, repayment information, account details and even deposits with six digit cheques that had been photocopied.
HSBC customer, Scott Wakefield, said he "totally disagreed" with the position taken by the bank not to contact account holders.
While the bank willingly admitted the breach did occur, it didn't consider the incident serious enough to warrant any followup with customers, even claiming the exposed documents were "not sensitive".
"This information is very sensitive and even if my details weren't exposed as a customer I want to be notified anyway," Wakefield said.
"The bank is not notifying customers because of commercial interests, it has nothing to do with customer interests."
One customer that had bank account information and mortgage details exposed in the breach, Prijantha De Silva, said the incident has left him "speechless and totally shocked."
De Silva immediately contacted his HSBC bank manager and has also written a formal letter of complaint.
"Of course Im very concerned a bank should be more careful when it comes to protecting personal information about customers," he said.
"Now that this information about me is out there anything can happen. I am very worried."
When the breach first occurred HSBC did notify the Office of the Privacy Commissioner.
Contacted by Computerworld today, a HSBC spokeswoman confirmed there were still no plans to notify customers adding that the bank is still "in conversations with the privacy commissioner."
"On the issue of protecting customer information we are waiting for advice from the Commissioner," the spokeswoman said.
However, HSBC will be waiting a long time as Assistant Privacy Commissioner, Mark Hummerston, said there are no plans to undertake a full investigation into the incident at this stage.
Under current legislation there is no legal requirement for HSBC to disclose details of the breach.
Hydrasight senior analyst, Michael Warrilow, said until disclosure laws are introduced in Australia these incidents will continue to happen.
"Even the privacy commissioner has no criminal jurisdiction, the commissioner can only mediate a settlement. In other words, the office can bark but not bite."