RSA insurance group fined £150,000 after losing customer details

Royal & Sun Alliance Insurance apologises for not keeping its customers' data safe


Royal & Sun Alliance Insurance (RSA) has been fined £150,000 for losing the names, addresses and financial details of tens of thousands of customers.

The data in question disappeared when someone stole a network attached storage (NAS) device from the data server room of the company's office in Horsham.

The information stored on the device included one data set of nearly 60,000 customer names, addresses, bank account and sort code numbers, and another data set of 20,000 customer names, addresses and credit card 'Primary Account Numbers'.

According to the penalty notice issued by the Information Commissioner's Office (ICO), the stolen NAS was accessible by 40 of RSA's staff and contractors, some of whom were non-essential. While an access card and key were required to enter the server room, there was no CCTV surveillance inside and there were no regular checks to ensure the device was still online and, if not, raise the alarm.


Additionally, while the NAS was password protected, the data on it wasn't encrypted. The culprit has, to date, not been identified, nor has the device been recovered.

The ICO said these facts constituted "a serious contravention of the seventh data protection principle" of the Data Protection Act 1998, which requires that appropriate technical measures be taken to protect personal data from unlawful access. Although the DPA allows for a fine of up to £500,000, the ICO decided to fine RSA £150,000 for the breach.

Steve Eckersley, ICO head of enforcement, said that customers put their trust in companies to protect their personal information and if that's financial information, they expect companies to take extra care not to let others access it.

"When we looked at this case we discovered an organisation that simply didn't take adequate precautions to protect customer information," he said. "Its failure to do so has caused anxiety for its customers not to mention potential fraud issues."

In response to the judgement, an RSA spokeswoman said: "RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously."

She said that while there's no evidence customers have suffered financial loss, the company is sorry for failing to protect its systems.


"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again. The substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO," she said.
