Royal and Sun Alliance (RSA) has been fined £150,000 by the Information Commissioner’s Office following the loss of personal information relating to 59,592 customers.
Following the theft of a hard drive, which contained customers’ names, addresses and bank account details including account numbers and sort codes, ICO enforcement officers found that RSA did not have appropriate measures in place to protect financial information, when the theft occurred at the offices in West Sussex between 18 May and 30 July 2015, an ICO undertaking found .
The device also held credit card details of 20,000 customers, although security numbers and expiry dates were not affected.
The investigation found that the device was stolen from company premises either by a member of staff or a contractor, the information on it was not encrypted and the device has never been recovered. It was kept in a data server room, which required access via an access card and key, to which 40 members of RSA’s staff and contractors (some of whom were non-essential) were permitted to enter unaccompanied.
Steve Eckersley, head of enforcement at the ICO, said: “When we looked at this case we discovered an organization that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.
“There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”
Dr Bernard Parsons, co-founder and CEO of Becrypt, said that the fine should serve as a warning on how dangerous storing unencrypted data can be.
“We find data at rest - information stored in removable hard drives and portable devices such as laptops and tablets - is frequently the weak link in an organization’s security, leaving them extremely vulnerable to a serious breach in the event of a device being stolen or lost,” he added. “Alongside the threat of malicious insiders stealing portable storage devices, we have also seen cases of burglaries targeting technology in recent months.
“These kinds of data loss incidents can be prevented if all potentially sensitive and valuable information stored on portable storage devices is encrypted against unauthorized access by default. This means that, even if the worst happens and a device is stolen by an insider, the organization can be confident that the data it contains will be safe from abuse.”
Mark James, IT security specialist at ESET, said: “The fine itself may seem fairly insignificant, but that of course is not the whole story. The PR exposure, your customer hearing about your failings and of course the damage done through the act in the first place, all has a cost.
“Encryption is not new, it has a relative low cost and can be rolled out and maintained with ease, it would not have stopped the theft of the hard drive in this case, but it would have stopped the data from being accessible. Fines need to be in place, but more importantly there needs to be follow-up, if you are holding other people’s data you need to do all you can to keep it safe.”