RSA insurance group fined £150,000 after losing customer details

Royal & Sun Alliance Insurance apologises for not keeping its customers' data safe

Royal & Sun Alliance Insurance (RSA) has been fined £150,000 for losing the names, addresses and financial details of tens of thousands of customers.

The data in question disappeared when someone stole a network attached storage (NAS) device from the data server room of the company's office in Horsham.

The information stored on the device included one data set of nearly 60,000 customer names, addresses, bank account and sort code numbers, and another data set of 20,000 customer names, addresses and credit card 'Primary Account Numbers'.

According to the penalty notice issued by the Information Commissioner's Office (ICO), the stolen NAS was accessible by 40 of RSA's staff and contractors, some of whom were non-essential. While an access card and key were required to enter the server room, there was no CCTV surveillance inside and there were no regular checks to ensure the device was still online and, if not, raise the alarm.

Additionally, while the NAS was password protected, the data on it wasn't encrypted. The culprit has, to date, not been identified, nor has the device been recovered.

The ICO said these facts constituted "a serious contravention of the seventh data protection principle" of the Data Protection Act 1998, which demands that appropriate technical action be taken to protect personal data from illegal access. Although the DPA allows for a fine of up to £500,000, the ICO decided to fine RSA £150,000 for the breach.

Steve Eckersley, ICO head of enforcement, said that customers put their trust in companies to protect their personal information and if that's financial information, they expect companies to take extra care not to let others access it.

"When we looked at this case we discovered an organisation that simply didn't take adequate precautions to protect customer information," he said. "Its failure to do so has caused anxiety for its customers not to mention potential fraud issues."

In response to the judgement, an RSA spokeswoman said: "RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously."

She said that while there's no evidence customers have suffered financial loss, the company is sorry for failing to protect its systems.

"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again. The substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO," she said.
