RSA insurance group fined £150,000 after losing customer details

Royal & Sun Alliance Insurance apologises for not keeping its customers' data safe


Royal & Sun Alliance Insurance (RSA) has been fined £150,000 for losing the names, addresses and financial details of tens of thousands of customers.

The data in question disappeared when someone stole a network attached storage (NAS) device from the data server room of the company's office in Horsham.

The information stored on the device included one data set of nearly 60,000 customer names, addresses, bank account and sort code numbers, and another data set of 20,000 customer names, addresses and credit card 'Primary Account Numbers'.


According to the penalty notice issued by the Information Commissioner's Office (ICO), the stolen NAS was accessible to 40 of RSA's staff and contractors, some of whom had no need for that access. While an access card and key were required to enter the server room, there was no CCTV surveillance inside, and there were no regular checks to confirm the device was still online and, if not, raise the alarm.

Additionally, while the NAS was password protected, the data on it wasn't encrypted. The culprit has, to date, not been identified, nor has the device been recovered.
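The missing control the ICO singles out, a routine check that the device is still responding and an alarm when it is not, is simple to put in place. The following monitor is an added illustration, not code from the article, RSA or the ICO; the probe timeline is constructed for the example, and the `tcp_probe` helper and five-minute interval are assumptions.

```python
"""Heartbeat monitor for an always-on storage device.

A NAS that is supposed to be permanently reachable should trip an alarm within
minutes of going quiet, not be discovered missing later. This is an added
example (not the article's or any vendor's code): it evaluates a sequence of
probe results, tolerates a short blip, raises one alert when the device has
been unreachable for FAILURE_THRESHOLD probes in a row, reports how long it
had been silent, and announces recovery when it answers again.
"""
import socket
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FAILURE_THRESHOLD = 3          # consecutive failed probes before alarming
PROBE_INTERVAL = timedelta(minutes=5)   # assumed polling interval


@dataclass
class DeviceState:
    name: str
    consecutive_failures: int = 0
    alerted: bool = False
    last_seen: Optional[datetime] = None


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True if a TCP connection to the device's service port opens.
    Hypothetical host/port; not called by the offline demo below."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def process_probe(state: DeviceState, ok: bool, now: datetime) -> Optional[str]:
    """Fold one probe result into the device state.

    Returns an alert string on a state transition (device lost / device back),
    otherwise None, so a steady outage does not flood the on-call channel.
    """
    if ok:
        state.last_seen = now
        state.consecutive_failures = 0
        if state.alerted:
            state.alerted = False
            return f"RECOVERED: {state.name} responding again at {now.isoformat()}"
        return None

    state.consecutive_failures += 1
    if state.consecutive_failures >= FAILURE_THRESHOLD and not state.alerted:
        state.alerted = True
        silent_for = (now - state.last_seen) if state.last_seen else None
        since = f"silent for {silent_for}" if silent_for else "never seen online"
        return f"ALERT: {state.name} unreachable ({since}); check the server room"
    return None


def run_timeline(results: List[bool], start: datetime) -> List[Tuple[str, int]]:
    """Replay a constructed sequence of probe outcomes at PROBE_INTERVAL spacing.

    Returns (event_kind, step_index) pairs for every alert the monitor emitted.
    """
    state = DeviceState(name="nas-01")
    events: List[Tuple[str, int]] = []
    for step, ok in enumerate(results):
        message = process_probe(state, ok, start + step * PROBE_INTERVAL)
        if message:
            print(message)
            events.append((message.split(":")[0], step))
    return events


# Constructed timeline: one transient blip at step 2, then a real outage
# starting at step 4 that lasts until the device reappears at step 8.
SAMPLE_RESULTS = [True, True, False, True, False, False, False, False, True]

if __name__ == "__main__":
    run_timeline(SAMPLE_RESULTS, datetime(2017, 1, 1, 0, 0))
```

The single blip at step 2 produces no alert, the outage is reported exactly once when the third consecutive failure lands (with the time since the device was last seen), and the return to service is announced once. In production, `tcp_probe` would be called on a schedule in place of the replayed list, and the alert strings handed to whatever paging channel is in use.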

The ICO said these facts constituted "a serious contravention of the seventh data protection principle" of the Data Protection Act 1998, which requires that appropriate technical measures be taken to protect personal data from unlawful access. Although the DPA allows for a fine of up to £500,000, the ICO decided to fine RSA £150,000 for the breach.


Steve Eckersley, ICO head of enforcement, said that customers put their trust in companies to protect their personal information and if that's financial information, they expect companies to take extra care not to let others access it.

"When we looked at this case we discovered an organisation that simply didn't take adequate precautions to protect customer information," he said. "Its failure to do so has caused anxiety for its customers not to mention potential fraud issues."

In response to the judgement, an RSA spokeswoman said: "RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously."

She said that while there's no evidence customers have suffered financial loss, the company is sorry for failing to protect its systems.

"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again. The substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO," she said.
