RSA insurance group fined £150,000 after losing customer details

Royal & Sun Alliance Insurance apologises for not keeping its customers' data safe


Royal & Sun Alliance Insurance (RSA) has been fined £150,000 for losing the names, addresses and financial details of tens of thousands of customers.

The data in question disappeared when someone stole a network attached storage (NAS) device from the data server room of the company's office in Horsham.

The information stored on the device included one data set of nearly 60,000 customer names, addresses, bank account and sort code numbers, and another data set of 20,000 customer names, addresses and credit card 'Primary Account Numbers'.

According to the penalty notice issued by the Information Commissioner's Office (ICO), the stolen NAS was accessible by 40 of RSA's staff and contractors, some of whom were non-essential. While an access card and key were required to enter the server room, there was no CCTV surveillance inside and there were no regular checks to ensure the device was still online and, if not, raise the alarm.


Additionally, while the NAS was password protected, the data on it wasn't encrypted. The culprit has, to date, not been identified, nor has the device been recovered.

The ICO said these facts constituted "a serious contravention of the seventh data protection principle" of the Data Protection Act 1998, which demands that appropriate technical action be taken to protect personal data from illegal access. Although the DPA allows for a fine of up to £500,000, the ICO decided to fine RSA £150,000 for the breach.

Steve Eckersley, ICO head of enforcement, said that customers put their trust in companies to protect their personal information and if that's financial information, they expect companies to take extra care not to let others access it.

"When we looked at this case we discovered an organisation that simply didn't take adequate precautions to protect customer information," he said. "Its failure to do so has caused anxiety for its customers not to mention potential fraud issues."

In response to the judgement, an RSA spokeswoman said: "RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously."

She said that while there's no evidence customers have suffered financial loss, the company is sorry for failing to protect its systems.

"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again. The substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO," she said.
