The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for almost two years.
The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an Anonymous Authentication function in Microsoft’s Internet Information Services (IIS) .
This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017, prior to the full implementation of the EU General Data Protection Regulation (GDPR) in May 2018.
The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
During its investigation, the ICO said it uncovered “a catalogue of security errors” and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data.
In addition, the estate agency alerted the ICO to the breach only when it was contacted by a hacker. The ICO concluded this was a serious contravention of the 1998 data protection laws which have since been replaced by the GDPR and the GDPR-aligned Data Protection Act 2018.
Touching on the theme of data stewardship, Steve Eckersley, director of investigations at the ICO said customers have the right to expect that the personal information they provide to companies will remain safe and secure.
“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud,” said Eckersley.
“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”
The LPVL fine comes a week after the ICO issued notifications of its intention to fine British Airways £183.39m and Marriott International £99m for infringements of the GDPR.
The fine notification for Marriott International, highlighted the issue of due diligence regarding privacy practices, which has been underlined further in the LPVL fine notification, even though the incident is not covered by the GDPR.
The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.
Echoing Eckersley’s comments about the LPVL case when commenting on the Marriott fine, information commissioner Elizabeth Denham said the GDPR makes it clear that organisations must be accountable for the personal data they hold.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” she said.
“Personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Reacting to the ICO’s proposed fines for British Airways and Marriott International, the International Association of Information Technology Asset Managers (IAITAM) said IT asset managers should take note that regulators are paying attention to companies’ due diligence regarding privacy practices.
“We’ve been advising organisations for more than a year that privacy laws are changing, and due diligence is going to be imperative,” said Barbara Rembiesa, president and CEO of IAITAM.
“Organisations with mature IT asset management programmes already have a programme in place that can help address vulnerabilities in due diligence, even when it comes to personal privacy,” she said.
To assist organisations in safeguarding personal information, the ICO has published guidance entitled Practical guide to IT security.