The Financial Services Authority (FSA) has fined HSBC Actuaries and Consultants £875,000 for losing personal information of 1,917 pension scheme members.
Their details were contained on an unencrypted floppy disk, which was lost in the post in April 2007. The confidential information included members' addresses, dates of birth and national insurance numbers.
The FSA has also fined HSBC Life UK £1,610,000 and HSBC Insurance Brokers £700,000 for failing to have adequate systems in place to protect customers' confidential details from being lost or stolen.
All three firms were warned about the need for robust security controls by HSBC Group Insurance's compliance team. However, in February 2008, HSBC Life also lost an unencrypted CD in the post, which contained the details of 180,000 policyholders.
Margaret Cole, director of enforcement at the FSA, said: "All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details.
"Fraud, particularly identity theft, is a major concern to everyone and firms must ensure their data security systems and controls are constantly reviewed and updated to tackle this growing issue.
"In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."
All three HSBC firms have since taken a number of remedial actions to address the concerns raised, including: contacting the customers concerned, improving staff training, and requiring that all electronic data in transit is encrypted.