The Information Commissioner’s Office has issued a fine of £80,000 to London-based real estate agency Life at Parliament View Ltd for failing to appropriately secure personal and financial information of landlords and tenants between March 2015 and February 2017.
The fine was issued after the ICO concluded that the real estate agency failed to implement access restrictions when it transferred personal and financial data of landlords and tenants from its server to a partner organisation.
The failure to implement access restrictions meant that anyone with an Internet connection could enjoy full access to personal data stored in the server between March 2015 and February 2017. The ICO discovered “a catalogue of security errors” on part of the real estate agency and noted that the data exposure would have continued had the agency not been alerted to the exposure by a hacker.
Real estate agency failed to prevent public access to personal data
“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud,” said Steve Eckersley, Director of Investigations at the ICO.
“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action. Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here,” he added.
The ICO issued the fine of £80,000 to the real estate agency under the Data Protection Act 1998 as the exposure of personal data took place prior to the arrival of GDPR and the Data Protection Act 2018 that authorise the ICO to levy much larger fines to erring organisations.
In October last year, the ICO had also issued a fine of £175,000 to health insurance company Bupa for failing to prevent a massive data breach in 2017 that compromised personal information of up to 108,000 international health insurance customers.
The breach took place when a malicious employee at Bupa gained access to the company’s customer relationship management system (“SWAN”) that stored personal information of 1.5 million customers, misused his privileged access to steal data of 108,000 customers and then put up the data for sale on the dark web.
While announcing a £175,000 penalty on Bupa under the 1998 Data Protection Act, the ICO noted that Bupa “failed to take appropriate technical and organisational measures against unauthorised and unlawful processing of the personal data which was accessible through SWAN”.
ALSO READ: How to use a zero-trust model to strengthen security