Standard Chartered incident proves IT outsourcing is risky

Having a third-party service provider process client data has proven risky, following the recent theft of monthly bank statements belonging to 647 of Standard Chartered’s individual clients.

Standard Chartered engages Fuji Xerox to print bank statements for its private bank clients. A statement issued by both companies said that “the theft did not occur through the bank’s IT and data security systems but through one of the servers of a third party service provider which the bank engaged to print bank statements for its private bank clients.” The monthly statements were for February 2013.

“The confidentiality and privacy of our clients are of paramount importance to us, and we take this incident very seriously. Customer data protection is our responsibility and we sincerely apologise to all our customers and specifically to our Private Bank clients who have been affected,” said Ray Ferguson, CEO, Standard Chartered.

As a precautionary measure, the bank is contacting its affected private bank clients. The bank said no wholesale banking clients, SME or retail customers are affected.

“We share the bank’s concerns on the theft of information on this system, and deeply regret the incident,” said Bert Wong, CEO, Fuji Xerox Singapore. According to Wong, there was unauthorised access by a third party to a server dedicated to Standard Chartered Private Bank in a standalone printing facility.

“This is the first time in Fuji Xerox Singapore’s history that such an incident has occurred. So far, we have taken all appropriate action to protect the integrity of our server systems. A forensic team is also conducting a thorough review. There was no impact on the data of customers on any other systems,” said Wong.

“We wish to reassure all customers that the protection of their data is a key priority and that we take our duty of care very seriously, aiming to deliver the highest quality service at all times.”

The companies say they will continue to work closely with the Singapore Police as part of a thorough investigation into the matter.

The Monetary Authority of Singapore (MAS) said it will review Standard Chartered’s investigation report and consider if regulatory action against the bank is warranted.

“MAS takes a serious view of such threats and has stringent requirements in place for FIs to protect the security of their IT systems and confidentiality of their client data. These include regular vulnerability assessments and penetration tests. They also include external audits of the effectiveness of their controls. These requirements apply regardless of whether such client data are processed in-house or at third party service providers,” said MAS in a statement.

As a result of the incident, MAS is paying special supervisory attention to financial institutions’ compliance with its requirements for IT outsourcing.