Zurich Insurance's UK branch has been fined 2.275 million by the Financial Services Authority (FSA) following the loss of 46,000 customers' data.
Bank account and credit card information was lost by Zurich, along with identity details and information on insured assets and security arrangements.
The incident occurred in 2008 when the company's UK branch outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA).
An unencrypted back-up tape was misplaced by Zurich SA during a standard transfer to a data centre.
Zurich UK did not learn about the loss until a year later as there were not any adequate reporting lines in place, the FSA said.
The regulatory body concluded Zurich UK did not have effective systems and controls in place to manage the risks involved in protecting customer data in relation to the outsourcing deal.
Furthermore, Zurich did not have sufficient protection in place to ensure lost data would not be used for financial crime, the FSA claimed.
"Zurich UK let its customers down badly," said Margaret Cole, the FSA's director of enforcement and financial crime.
"It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."
Zurich's UK chief executive (CEO), Stephen Lewis, said: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data."
He also confirmed Zurich UK would be hiring an information security officer to ensure protection measures are effective.
The fine is the biggest financial penalty levied on a single organisation ever in the UK for a data security issue.
Had the firm not agreed to settle at an early stage of the investigation, the fine would have been 3.25 million.
To date, Zurich has not seen any evidence to suggest the lost data was compromised or used for criminal activities.
A sufficient deterrent?
Earlier this year, the Information Commissioner's Office (ICO) made Zurich's Lewis sign an undertaking to ensure whenever back-up tapes were in transit, the right data security procedures, such as encryption, would be in place.
This was before the ICO was able to fine up to 500,000 for data breaches, but Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, claimed this case highlighted the limited powers of the ICO.
"It does throw into relief, yet again, the adequacy of the 500,000 penalty for the information commissioner, where the FSA has already shown that it needs something that is at least four-and-a-half times as large," Room told IT PRO.
"This case demonstrates once again that what we need is a more unified approach to security but within regulation."
Room, who is also a director of the Cyber Security Challenge UK, called into question how far the FSA fine will go in acting as a deterrent.
"I don't believe that this fine will act as a wake up call to the financial services industry. Nor do I believe that the financial services industry will resolve all its problems now that this fine has been published," he added.
"I think the FSA will need to scale up fines considerably before it becomes such a deterrent effect."
Room also suggested Zurich's reputation will not be irrevocably damaged by the data security failings.
-
What is polymorphic malware?Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the companyOpinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
