The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for nearly two years.
The breach occurred when Life at Parliament View Ltd transferred personal data from its server to a partner organisation and failed to switch off an ‘anonymous authentication’ function.
This failure meant that, between March 2015 and February 2017, anyone going online would have had full access to all the data stored on the server.
The exposed personal data included salary details, bank statements, copies of passports, and the dates of birth and addresses of tenants and landlords.
The ICO uncovered numerous security errors and found that the estate agency had failed to take appropriate measures against the unlawful processing of personal data.
Furthermore, the estate agency only alerted the ICO to the breach when it was contacted by a hacker. The ICO concluded this was a serious contravention of data protection laws.
Steve Eckersley of the ICO said: ‘Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here…’ He further stated: ‘These shortcomings have left its customers exposed to the potential risk of identity fraud.’
This is a further example which indicates organisations still have not fully got to grips with data protection law. What is particularly concerning regarding the above incident is the apparently large amount of customer personal data which was accessible and the significant period of time for which it remained accessible before action was taken. Customers of the estate agency will be rightfully concerned about the above incident and I suspect they have many questions which they want answering.
At Ben Hoare Bell LLP we have significant experience in data protection. If you wish to discuss a data breach please contact our Solicitors Richard Hardy firstname.lastname@example.org or Andrew Freckleton email@example.com to discuss further.