Another domestic bank has been fined. The Financial Supervisory Commission (FSC) announced today that Shanghai Commercial Bank failed to fully establish and implement internal control systems for the confidentiality of customer information and for information security. On verification, the case was found to violate Article 45-1, Paragraph 1 of the Banking Act, together with Article 3 and Article 8, Paragraph 1, Subparagraph 2 of the Implementation Rules for Internal Control and Audit Systems of Financial Holding Companies and the Banking Industry, which are issued under its authority. A fine of RMB 10 million was therefore imposed under Article 129, Paragraph 7 of the Banking Act.
According to the FSC's inventory, personal data of about 14,000 customers across Shanghai Commercial Bank's 65 branches (at least 100 customers per branch), including names and ID card numbers, was leaked, that is, carried outside the bank.
The FSC noted that in September 2011 and again from May to July 2012 it received reports from the public about information security problems at the bank. Its review of the case found that the internal control system had been neither fully established nor implemented, which allowed customer data to be leaked without the relevant audit trails being retained, hence the fine.
The Financial Supervisory Commission stated that Shanghai Commercial Bank’s deficiencies include:
(1) Failure to establish an internal control system:
1. Failure to formulate appropriate rules for personal computer administrator rights: Until after the incident, the bank had no rule requiring the administrator password on personal computers to be changed every six months, and the password went unchanged for a long time, creating a risk that customer information could be leaked.
2. Failure to establish complete management rules for portable devices: Staff authorized to use portable devices could use them to carry bank-internal data out of the bank, and no appropriate access control measures were in place, which undermined information security protection.
(2) Failure to implement the internal control system:
1. The case reporting system did not, as internal regulations require, record the use of personal data or retain audit trails and related evidence. This makes it impossible to trace how personal data was used once it has leaked, and it impairs the audit process.
2. The bank failed to follow its internal regulations: it did not test the security monitoring software for defects before the operating system went live and whenever it was updated, nor confirm that the software was actually running on workstations. As a result, nobody noticed that the software could not start normally, so access to data via portable devices could be neither controlled nor logged. This delayed the audit, made the actual extent of the damage impossible to determine, and hampered the subsequent investigation.
The Financial Supervisory Commission also stated that it has required Shanghai Commercial Bank to conduct follow-up investigations and accountability, including:
1. Comprehensively review the responsibilities of the personnel and supervisors involved in this case; the penalties imposed must be commensurate with their responsibilities.
2. Take stock of whether every computer system in the bank that handles personal data keeps an audit trail of personal-data access, check that every employee's authorization to query personal data complies with the principle of least privilege, and review those authorizations regularly.
3. Establish a testing and audit mechanism for the bank's application systems, and a mechanism for monitoring and analysing abnormal queries and downloads carried out within users' authorized scope.
4. Strengthen the information-system audit capabilities of the bank's auditors, and engage certified public accountants to conduct a bank-wide personal-data protection audit.
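Items 2 and 3 above ask for three concrete controls: an audit trail of personal-data access, a least-privilege check on query authorizations, and monitoring of abnormal queries and downloads. The following is an added example of what those controls look like in code; it is not the FSC's or the bank's own software. The log format, employee and branch identifiers, role catalog and thresholds are all constructed for illustration.

```python
"""Audit trail, least-privilege check and anomaly detection for
personal-data access. Added illustration with constructed data;
nothing here is taken from the bank's systems or the FSC's findings."""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    """One audit-trail entry: who touched how many customer records, and how."""
    ts: datetime
    employee: str
    branch: str
    action: str        # "query" (screen lookup) or "download" (bulk export)
    record_count: int  # number of customer records touched


# Constructed sample audit trail (whitespace-separated, one event per line).
# Employee and branch codes are hypothetical.
SAMPLE_LOG = """\
2012-05-02T09:01:12 E1001 BR01 query 3
2012-05-02T09:15:40 E1002 BR01 query 5
2012-05-02T10:03:07 E1001 BR01 query 2
2012-05-02T10:44:19 E1003 BR02 query 4
2012-05-02T11:20:55 E1002 BR01 query 6
2012-05-02T13:05:01 E1004 BR02 download 120
2012-05-02T13:07:33 E1004 BR02 download 115
2012-05-02T14:10:09 E1003 BR02 query 3
2012-05-02T15:30:48 E1004 BR02 query 4
2012-05-02T16:02:21 E1001 BR01 query 5
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the audit trail; reject actions the schema does not define."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, branch, action, count = line.split()
        if action not in ("query", "download"):
            raise ValueError(f"unknown action {action!r}")
        events.append(AccessEvent(datetime.fromisoformat(ts), emp, branch, action, int(count)))
    return events


def records_per_employee(events: list[AccessEvent]) -> dict[str, int]:
    """Total customer records touched by each employee."""
    totals: dict[str, int] = defaultdict(int)
    for e in events:
        totals[e.employee] += e.record_count
    return dict(totals)


def flag_outliers(events: list[AccessEvent], factor: float = 3.0,
                  min_download: int = 100) -> dict[str, list[str]]:
    """Flag employees whose total volume exceeds factor x the median of their
    peers, and any single bulk download of min_download records or more.
    Thresholds are illustrative assumptions, not regulatory values."""
    totals = records_per_employee(events)
    med = statistics.median(totals.values())
    flagged: dict[str, list[str]] = {}
    for emp, total in totals.items():
        if total > factor * med:
            flagged.setdefault(emp, []).append(f"volume {total} > {factor}x median {med}")
    for e in events:
        if e.action == "download" and e.record_count >= min_download:
            flagged.setdefault(e.employee, []).append(
                f"bulk download of {e.record_count} records at {e.ts.isoformat()}")
    return flagged


# Constructed role catalog (which permissions a job may hold) and the
# permissions actually assigned to each employee, for a least-privilege review.
ALLOWED_BY_JOB = {
    "teller": {"customer_query"},
    "branch_manager": {"customer_query", "report_download"},
}
ASSIGNED = {
    "E1001": ("teller", {"customer_query"}),
    "E1002": ("teller", {"customer_query"}),
    "E1003": ("branch_manager", {"customer_query", "report_download"}),
    "E1004": ("teller", {"customer_query", "report_download"}),
}


def excess_privileges(allowed_by_job: dict[str, set[str]],
                      assigned: dict[str, tuple[str, set[str]]]) -> dict[str, set[str]]:
    """Permissions each employee holds beyond what their job allows."""
    return {emp: perms - allowed_by_job[job]
            for emp, (job, perms) in assigned.items()
            if perms - allowed_by_job[job]}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("abnormal access:", flag_outliers(evts))
    print("excess privileges:", excess_privileges(ALLOWED_BY_JOB, ASSIGNED))
```

In the constructed log, the teller E1004 both exports two batches of over a hundred records and accounts for far more record touches than peers, so the volume rule and the bulk-download rule both fire; the privilege review independently shows that E1004 holds a report-download right a teller's job does not justify. In practice the median baseline would be computed per role and per branch over a longer window, and the audit trail itself must be written to storage the queried system's users cannot alter, which is precisely what the bank's missing trace records made impossible.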