The ICO tells London Estate Agency: Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.
A London-based estate agency has been fined £80,000 by the Information Commissioner's Office (ICO) for failing to keep the data of its tenants safe.
London-based estate agency Life at Parliament View Ltd (LPVL) failed to prevent a security breach that left the personal data of 18,620 customers exposed for almost two years. The breach happened when the company transferred personal data from its server to a partner organisation and failed to switch off an Anonymous Authentication function.
What is Anonymous Authentication?
Anonymous Authentication controls how Internet Information Services (IIS) processes requests from anonymous users. This feature gives users access to the public area of a website without prompting them for a user name or password.
The estate agency's failure meant that access restrictions were not implemented for any of the data stored between March 2015 and February 2017, and anyone going online had full access to all personal data. The data exposed included personal information such as bank details, bank statements, salary details, passport information, birth dates and addresses.
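A check for this kind of misconfiguration, as an added example that is not from the ICO or this article: the Python below reads an IIS `applicationHost.config`-style file and lists the paths where Anonymous Authentication is effectively on but was not meant to be public. The sample config, site and path names are constructed, and the script assumes the settings live only in `<location>` elements of that one file and that an unset value means enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS applicationHost.config; all names are made up.
SAMPLE_CONFIG = """<configuration>
  <location path="Example Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Example Site/public">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication></security></system.webServer>
  </location>
  <location path="Example Site/transfer">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

SECTION = "system.webServer/security/authentication/anonymousAuthentication"

def explicit_settings(config_xml):
    """Map each <location path> to its explicit anonymousAuthentication flag."""
    settings = {}
    for loc in ET.fromstring(config_xml).findall("location"):
        node = loc.find(SECTION)
        if node is not None:
            # Assumption: a missing 'enabled' attribute means enabled.
            enabled = node.get("enabled", "true").lower() == "true"
            settings[loc.get("path", "").strip("/")] = enabled
    return settings

def anonymous_enabled(path, settings):
    """Resolve the effective flag: the nearest configured ancestor path wins."""
    parts = path.strip("/").split("/")
    while parts:
        key = "/".join(parts)
        if key in settings:
            return settings[key]
        parts.pop()
    return settings.get("", True)  # nothing configured anywhere: assume enabled

def unintended_anonymous(config_xml, paths, intended_public):
    """Return paths that answer without credentials but are not meant to be public."""
    settings = explicit_settings(config_xml)
    return [p for p in paths if anonymous_enabled(p, settings) and p not in intended_public]
```

With the sample, `Example Site/transfer/statements` is flagged because it has no setting of its own and inherits the enabled flag from `Example Site/transfer`.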
Following the breach, the ICO launched an investigation and uncovered a ‘catalogue of security errors’. It found that the agency had failed to take appropriate security measures against the unlawful processing of personal data. The ICO says that the estate agency only alerted it to the breach when the agency was contacted by a hacker. As a result, it says, the breach was a serious contravention of the data protection laws.
Director of Investigations at the ICO Steve Eckersley said: “Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here. As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud. Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”
What is a data breach?
A data breach occurs when sensitive and confidential information is accessed by a third party who is not authorised to do so. This data can include things such as passwords, credit card numbers, health records or addresses. The most common way hackers gain access to a system is by guessing a password or by installing malware. Data breaches can range in size from a single individual accessing a file to millions of company records being stolen. How someone is affected by a data breach depends on the information that is accessed and released. The best way to protect your data is to change your password regularly and not store sensitive information on your computer.