Press Release

FSC Imposes Administrative Penalty on Shanghai Commercial and Savings Bank for Deficiencies That Led to Leaks of Customer Data

2023-11-28
    The Financial Supervisory Commission (hereinafter referred to as FSC) approved a penalty on Shanghai Commercial and Savings Bank (hereinafter referred to as SCSB) for violation of regulations. The audit of the leak of customer data at SCSB found that the bank had failed to establish, and to rigorously implement, a comprehensive internal control system for the confidentiality of customer data and for information security. This violates Article 45-1, Paragraph 1 of the Banking Act, together with Article 3 and Article 8, Paragraph 1, Subparagraph 2, Item 2 of the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries" issued under the authorization of that article. The FSC therefore imposed a penalty of NT$10 million in accordance with Article 129, Subparagraph 7 of the Banking Act.
I.    Penalized entity: SCSB
II.    Legal basis for penalty: Article 129, Subparagraph 7 of the Banking Act
III.    Facts and reasons of violations: The FSC and SCSB received reports from members of the public regarding information security issues in September 2022 and again from May to July 2023. The bank's investigations showed that it had failed to fully establish and implement its internal control system, which resulted in leaks of customer data, and that it had failed to retain the related records.
(I)    Failure to establish a comprehensive internal control system:
1.    Inadequate rules for personal computer administrator access: Until the investigation of this case began, the bank did not require employees to change the administrator password on their personal computers every six months. Continued use of the same password over a long period increased the risk that customer data would be leaked.
2.    Inadequate management rules for portable devices: Personnel authorized to use portable devices were able to export bank data with them, and the bank had no adequate access management measures governing such exports, to the detriment of information security.
(II)    Failure to fully implement the internal control system:
1.    The bank's reporting system related to the case did not record the use of personal data, nor did it retain the records and related evidence required by the bank's internal regulations. Without such records, the use of personal data cannot be traced when a leak occurs, which impeded the progress of the audit.
2.    The bank did not follow its internal regulations requiring it to identify vulnerabilities in its information security monitoring software before operating system launches and updates, and to confirm that the software was running on workstations. As a result, it did not notice that the software had not started normally and therefore could neither control nor record data access by portable devices. This slowed the audit, prevented the bank from assessing the actual damage, and hampered the subsequent investigation.
IV.    Results of penalty: A fine of NT$10 million in accordance with Article 129, Subparagraph 7 of the Banking Act.
V.    Other regulatory requirements:
(I)    The bank is requested to conduct a comprehensive review of the liabilities of the personnel and supervisors involved in the incident and to impose penalties commensurate with their liabilities.
(II)    The bank is requested to conduct a comprehensive examination of all bank computer systems that contain personal data and to verify that records tracking the use of personal data are retained. The bank must also conduct a comprehensive review of whether every employee's access to personal data conforms to the principle of least privilege, and must review access privileges regularly thereafter.
(III)    The bank is requested to set up testing and audit mechanisms for its application systems, together with monitoring and analysis mechanisms to detect irregular inquiries and downloads carried out within granted access privileges.
(IV)    The bank is requested to strengthen the information system audit capabilities of its audit personnel and to appoint CPAs to carry out a special personal data protection audit covering the entire bank.
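The monitoring mechanism in item (III) and the usage-tracking retention in item (II) are stated as requirements only; the press release does not describe how SCSB or the FSC would implement them. The following is an added example, not code from SCSB or the FSC, of the minimal detection logic a practitioner would run over personal-data access logs. The log format (timestamp, user, action, channel, record count), the user names, the events and the thresholds (BULK_RECORDS, SPIKE_FACTOR, WORK_HOURS, PORTABLE_CHANNELS) are all constructed assumptions for illustration. It flags exports to portable devices, off-hours access, a user's daily volume that is either large in absolute terms or far above that user's own median, and, because a gap in the trail is itself a finding, any log line that is missing a field.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (not real bank data). One line per access to
# personal data: timestamp, user, action, channel, number of records touched.
# Line 8 deliberately lacks the record count to show how a gap is reported.
SAMPLE_LOG = """\
2023-05-02T09:15:00 alice QUERY app 3
2023-05-02T10:40:00 alice QUERY app 5
2023-05-03T11:05:00 alice QUERY app 4
2023-05-03T14:20:00 bob QUERY app 2
2023-05-04T09:30:00 bob QUERY app 3
2023-05-04T22:45:00 bob EXPORT usb 1200
2023-05-05T09:00:00 alice QUERY app 4
2023-05-05T09:01:00 alice QUERY app
2023-05-05T13:30:00 carol QUERY app 250
"""

# Assumed thresholds; a real deployment would tune these per role and system.
BULK_RECORDS = 100                 # absolute limit for one user's daily volume
SPIKE_FACTOR = 5                   # multiple of the user's own daily median
WORK_HOURS = range(7, 20)          # 07:00-19:59 counts as in-hours
PORTABLE_CHANNELS = {"usb", "sdcard", "external_hdd"}


def parse_log(text):
    """Return (events, incomplete_line_numbers).

    Lines with a missing field or a non-numeric count are reported rather
    than silently dropped: an incomplete usage record is a retention failure.
    """
    events, incomplete = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        try:
            ts, user, action, channel, count = parts
            events.append({
                "ts": datetime.fromisoformat(ts), "user": user,
                "action": action, "channel": channel, "count": int(count),
            })
        except ValueError:              # wrong field count or bad number
            incomplete.append(lineno)
    return events, incomplete


def analyze(text):
    """Return a sorted list of (user, date, rule) findings for the log."""
    events, incomplete = parse_log(text)
    findings = {("-", "-", f"INCOMPLETE_RECORD line {n}") for n in incomplete}

    daily = defaultdict(int)            # (user, date) -> records touched
    for e in events:
        day = e["ts"].date().isoformat()
        daily[(e["user"], day)] += e["count"]
        if e["action"] == "EXPORT" and e["channel"] in PORTABLE_CHANNELS:
            findings.add((e["user"], day, "PORTABLE_EXPORT"))
        if e["ts"].hour not in WORK_HOURS:
            findings.add((e["user"], day, "OFF_HOURS"))

    # Volume check: compare each day against the user's other days (needs at
    # least two other days for a baseline) and against the absolute limit.
    per_user = defaultdict(dict)
    for (user, day), total in daily.items():
        per_user[user][day] = total
    for user, days in per_user.items():
        for day, total in days.items():
            others = [t for d, t in days.items() if d != day]
            baseline = median(others) if len(others) >= 2 else None
            if total > BULK_RECORDS or (baseline and total > SPIKE_FACTOR * baseline):
                findings.add((user, day, "VOLUME_SPIKE"))
    return sorted(findings)


if __name__ == "__main__":
    for user, day, rule in analyze(SAMPLE_LOG):
        print(f"{user:6} {day:10} {rule}")
```

On the constructed log this reports the usb export by bob (portable channel, off hours and a volume spike on the same day), carol's 250-record day, and the incomplete line 8; alice's routine queries produce nothing. The per-user median baseline is what lets the check distinguish a genuinely irregular day from a user whose job legitimately touches many records every day.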
    The FSC stated that financial institutions must establish comprehensive personal data protection and management procedures and measures in accordance with the "Regulations Governing Security Measures for the Protection of the Personal Information File for Non-government Agencies Designated by the Financial Supervisory Commission", regularly review their appropriateness, and implement them fully. The FSC will continue to urge financial institutions to strengthen information security and personal data protection in order to safeguard customer interests and the security of personal data.

Contact: Domestic Banks Division, Banking Bureau 
Tel: +886 (2) 8968-9681
If you have any questions, please send an email to
https://fscmail.fsc.gov.tw
  • Update: 2023-12-28