RSA insurance group fined £150,000 after losing customer details
Royal & Sun Alliance Insurance apologises for not keeping its customers' data safe
Royal & Sun Alliance Insurance (RSA) has been fined £150,000 for losing the names, addresses and financial details of tens of thousands of customers.
The data in question disappeared when someone stole a network attached storage (NAS) device from the data server room of the company's office in Horsham.
The information stored on the device included one data set of nearly 60,000 customer names, addresses, bank account and sort code numbers, and another data set of 20,000 customer names, addresses and credit card 'Primary Account Numbers'.
According to the penalty notice issued by the Information Commissioner's Office (ICO), the stolen NAS was accessible by 40 of RSA's staff and contractors, some of whom were non-essential. While an access card and key were required to enter the server room, there was no CCTV surveillance inside and there were no regular checks to ensure the device was still online and, if not, raise the alarm.
Additionally, while the NAS was password protected, the data on it wasn't encrypted. The culprit has, to date, not been identified, nor has the device been recovered.
The ICO said these facts constituted "a serious contravention of the seventh data protection principle" of the Data Protection Act 1998, which demands that appropriate technical measures be taken to protect personal data from unlawful access. Although the DPA allows for a fine of up to £500,000, the ICO decided to fine RSA £150,000 for the breach.
Steve Eckersley, ICO head of enforcement, said that customers put their trust in companies to protect their personal information and if that's financial information, they expect companies to take extra care not to let others access it.
"When we looked at this case we discovered an organisation that simply didn't take adequate precautions to protect customer information," he said. "Its failure to do so has caused anxiety for its customers not to mention potential fraud issues."
In response to the judgement, an RSA spokeswoman said: "RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously."
She said that while there's no evidence customers have suffered financial loss, the company is sorry for failing to protect its systems.
"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again. The substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO," she said.