Some 24,000 customers may have been affected by the theft of data from a Swiss branch of bank HSBC three years ago, the bank says.
Previously the private bank had said information on no more than ten accounts had been stolen by a former IT employee, who passed the data on to the French authorities, setting off a row between Paris and Bern.
"It is now clear that the theft, which was carried out by an employee of the [bank’s] IT department about three years ago, could concern about 15,000 current clients whose accounts were opened in Switzerland before October 2006," said Alexandre Zeller, CEO of the Swiss branch of the bank.
A further 9,000 account holders affected by the theft had since changed banks, HSBC confirmed. It also insisted that client data in the bank's branches outside Switzerland or other parts of the banking group were not affected because of distinct computer and security systems.
The theft triggered a brief spat between Switzerland and France last year after the data was handed over by the former employee, Hervé Falciani, to the French authorities who wanted to probe suspected evasion by French taxpayers with secret Swiss accounts.
The dispute came against the backdrop of international pressure on Switzerland to play ball in tax evasion cases and ease banking secrecy.
A deal to resolve the row between Paris and Bern was reached last month.
As part of the agreement to move forward on a double taxation agreement, France said it would not request administrative assistance in obtaining information about suspected tax evaders whose details were contained in the stolen data, and it agreed to provide Switzerland with copies.
Sophisticated computer files
Zeller said the bank had only been able to evaluate the extent of the leak after it received the copies on March 3. The data came in the form of "sophisticated computer files" rather than a list of customers, he explained.
"We are determined to protect our clients’ interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts," Zeller added.
The case has raised questions about HSBC’s security system and prompted the Swiss financial regulator to begin formal investigations into how the theft of the data could have happened.
A data security expert told swissinfo.ch that large companies like HSBC had complex systems that were difficult to control.
“Technically, it’s possible to monitor and detect virtually anything. Burning sensitive information onto a CD, for example, is relatively easy to detect,” explained Marco Marchesi of the Zurich-based data security company, ISPIN.
But he pointed out that firms had to weigh up the benefits of introducing security systems that did not infringe on individual rights of staff, or hinder them in their work.
“It comes down to a balance between security and the cost and effort of maintaining systems,” he added.
Perhaps more important, Marchesi said, is the fact that in the current political climate, banks can no longer afford to risk any breaches. “Four years ago, the security reputation of the big banks was so high that even if they had suffered data leakage, it would not have damaged their reputation as seriously as today.”
As part of the HSBC statement, the bank underlined that it has “made significant improvements to its security, spending over SFr100 million ($93 million) to upgrade systems and improve security”.
Switzerland is also involved in a separate stolen data affair with Germany. The federal government in Berlin is supporting German states who want to purchase CDs that contain information on presumed tax cheats with assets hidden in Switzerland.
One CD offered to the state of Baden-Württemberg could hold data on as many as 1,000 tax cases. Who is selling the information and for how much has not been made public. The state of North Rhine-Westphalia has already bought a CD containing similar data.
swissinfo.ch and agencies (with input from Matthew Allen in Zurich)
Switzerland has been under constant attack for helping foreign tax evaders hide their assets.
The OECD placed Switzerland on a “grey list” of uncooperative tax havens in April last year. The Swiss were removed in September after renegotiating more than a dozen double taxation treaties, but they have refused to automatically transfer information to tax investigators without proof of crimes.
A former German finance minister referred last summer to the Swiss as Indians running away from the cavalry. His Italian counterpart said that he wanted to “bleed dry” the financial sector in the Italian-speaking part of Switzerland.
Several countries, including Italy, France, Britain and the US, launched tax amnesties last year in an effort to repatriate assets from tax cheats.
The most damaging tax evasion case involved the activities of UBS bank in the US. A year ago, UBS was fined $780 million after admitting helping US citizens to dodge taxes. It also handed over data of 285 account holders.
In September, the Swiss government agreed to transfer the details of 4,450 UBS clients to the US – in effect violating Swiss banking secrecy to prevent a ruinous court case for UBS.
Also last year a former employee of HSBC private bank in Geneva ran away with sensitive client data that he handed over to the French authorities.
In January an informant offered to sell the authorities in the German state of North Rhine-Westphalia the data of around 1,000 possible tax evaders with bank accounts in Switzerland.
Subsequently similar data has been offered to more German states, triggering heated debate in both countries.