[BreachExchange] RSA fined £150,000 by ICO after 60,000 customer details stolen

[Audrey McNeil]

http://www.v3.co.uk/v3-uk/news/3002210/rsa-fined-gbp150-
000-by-ico-after-60-000-customer-details-stolen

The Information Commissioner's Office (ICO) has fined insurance giant Royal
& Sun Alliance (RSA) £150,000 for a major data loss incident.

The case related to the theft of a hard drive by either a member of staff
or a contractor at an office in West Sussex between 18 May and 30 July hat
contained details of 59,592 customers.

This information included names, addresses and bank account details
including sort codes and account numbers. Credit card details of 20,000
customers were also on the device, although CVC and expiry dates were not
included. The device has never been recovered.

An investigation by the ICO found that the firm lacked the necessary
processes to mitigate against such thefts and that the hard drive was
unencrypted.

They also said many of the staff who had access to the data server room
where the device was stored did not require access, and that no CCTV
installed in the room.

In light of this Steve Eckersley, ICO Head of Enforcement said a hefty fine
warranted and that it should service as yet another reminder why basic
security procedures such as encryption are vital for any firm handling
sensitive data.

"When we looked at this case we discovered an organisation that simply
didn't take adequate precautions to protect customer information. Its
failure to do so has caused anxiety for its customers not to mention
potential fraud issues," he said.

"There are simple steps companies should take when using this type of
equipment including using encryption, making sure the device is secure and
routine monitoring of equipment. RSA did not do any of this and that's why
we've issued this fine."

In response RSA acknowledged that it had failed to put in place the
necessary processes to protect customers' data and said it had worked hard
to rectify these errors.

"Whilst there remains no evidence to suggest that the stolen storage device
has resulted in any economic loss for the customers involved; we recognise
that this should have never have happened and we would like to say sorry
once again to those of our customers and partners who were impacted," a
spokesperson said.

"We have reviewed and reinforced our data protection procedures to mitigate
the risk of this happening again - the substantive work that has been
undertaken since then to improve date protection in our company has been
acknowledged by the ICO."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170110/e3c313d7/attachment.html>