Santander has been caught sending sensitive personal information to wrong addresses again, after the discovery last month that 22,000 customers received other people's details on their bank statements.
The Spanish giant, which faces a probe and possible multi-million pound fine for Data Protection Act breaches, sent a cash card to the wrong person this month after also sending someone else's statement to the same recipient in August (see the Best Bank Accounts guide).
After the mass statement blunder in December, Santander insisted the incident, caused by a printer error, was a one-off.
Lisa Jones-Tinsley, from Leeds, who was sent the offending items this time, says she initially feared she was a victim of identity fraud but the bank has since reassured her that was not the case and that it made a glaring error.
Both the statement and the cash card were meant for two people within the same household in the Leeds area, Santander later told Lisa.
On the statement, Lisa could see the other customers' name, sort code, account number and recent transactions. It mistakenly included Lisa's address, rather than the true customer's address, as did the paperwork that accompanied the cash card.
Lisa, on Santander's database because her daughter's child savings statements are sent to her, says: "It is appalling that I should be sent these items.
"It is also appalling it took a call from the media for me to get an apology as I highlighted this back in August and kept getting fobbed off.
"I work in the NHS and we have to treat personal information with the utmost sensitivity. Why can't Santander do the same?"
Santander says it has contacted the two customers whose paperwork or plastic went astray to apologise.
A spokesman says: "Having looked at this case thoroughly, we believe it to be a completely isolated incident.
"We're very sorry for any concern or worry caused to those affected by this unusual incident."
The Information Commissioner's Office (ICO), which regulates the handling of personal data, and the City regulator, the Financial Services Authority (FSA), are both investigating the leak of 22,000 customers' details.
The FSA has previously taken a tough line on the loss of personal data.
Insurer Zurich was fined £2.28 million last August for losing 46,000 policyholders' details. HSBC was fined £3 million in 2009 after it lost a disk containing the details of 180,000 policyholders.
The maximum fine the ICO can levy is £500,000.
Further reading/Key links