“A catalogue of security errors” resulted in a London estate agent being fined £80,000 by the Information Commissioner’s Office (ICO)
13 August 2019
Author: Dawn McKnight
Life at Parliament View Ltd (LPVL) left the personal details of about 18,610 tenants and landlords available online between March 2015 and February 2017. The data that was available included names, bank statements, salary details, dates of birth and copies of passports.
The breach resulted from a transfer of personal data from LPVL to a partner organisation. For the transfer, the "Anonymous Authentication" function on the file transfer server was left switched on, so no username or password was required and the intended access restrictions were not in place. With no restrictions in place, anyone who could reach the server had full access to all of the personal data that had been stored on it between March 2015 and February 2017.
During the investigation the ICO stated that it had "uncovered a catalogue of security errors and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data." This, together with the fact that the breach only came to the ICO's attention when LPVL was contacted by a hacker, was treated as an aggravating factor when the ICO concluded that LPVL's breaches of the Data Protection Act were wide-ranging.
As the data loss occurred between 2015 and 2017, LPVL was fined under the Data Protection Act 1998, whose maximum monetary penalty was £500,000, and not under the more recent European General Data Protection Regulation (GDPR), which came into effect for all EU member states on 25 May 2018. Some commentators have pointed out how fortunate LPVL is to have avoided the more punitive GDPR regime, under which a contravention this serious can attract a fine of up to 4% of a company's annual global turnover. For example, the ICO has recently announced its intention to fine British Airways a record £183.39m for last year's breach.
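The misconfiguration described above is one of the easiest to test for from the outside: if a file transfer server accepts an anonymous login, everything it serves is readable by anyone who can reach it. The following Python script is an added example (not code from the article, the ICO or LPVL) showing the check a practitioner would run against their own server. It assumes the file transfer system is plain FTP, which the article does not state, and it embeds a constructed fake FTP server on the loopback interface so the probe can be run offline in both the misconfigured and the corrected state.

```python
"""Probe whether an FTP server accepts an anonymous login.

Added example: not the article's, the ICO's or LPVL's code. The article does
not name the protocol; FTP is assumed here. The fake server below is a
constructed stand-in so the probe can be exercised offline in both states.
"""
import socket
import threading
from ftplib import FTP, error_perm


def allows_anonymous_login(host, port, timeout=5):
    """Return True if the server at host:port grants an anonymous session.

    Sends USER anonymous / PASS anonymous@ exactly as a casual visitor
    would. A 2xx reply means the server is open to the world; a 5xx reply
    (error_perm) means credentials are actually required.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "anonymous@")
    except error_perm:
        return False
    else:
        return True
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def start_fake_ftp_server(allow_anonymous):
    """Start a one-shot fake FTP control channel on 127.0.0.1 (constructed).

    Implements only USER, PASS and QUIT, which is all ftplib.login needs.
    `allow_anonymous=True` models the misconfigured server from the article
    (Anonymous Authentication left on); False models the corrected one.
    Returns the bound port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            rfile = conn.makefile("rb")
            conn.sendall(b"220 fake ftp ready\r\n")
            user = None
            for raw in rfile:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.lower()
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == "PASS":
                    if allow_anonymous and user in ("anonymous", "ftp"):
                        conn.sendall(b"230 Anonymous login ok\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Run the probe against both fake server states; returns (open, closed)."""
    open_port = start_fake_ftp_server(allow_anonymous=True)
    closed_port = start_fake_ftp_server(allow_anonymous=False)
    return (allows_anonymous_login("127.0.0.1", open_port),
            allows_anonymous_login("127.0.0.1", closed_port))


if __name__ == "__main__":
    exposed, locked_down = demo()
    print("misconfigured server accepts anonymous:", exposed)   # True
    print("corrected server accepts anonymous:", locked_down)   # False
```

Run against a real host by calling `allows_anonymous_login("ftp.example.internal", 21)`; a `True` result is the condition the ICO described, and the fix is to disable anonymous authentication on the server and require authenticated, encrypted transfers instead. Note that this only tests the control channel login; a server that rejects anonymous logins can still be exposed through weak shared credentials, which the probe does not cover.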
Director of Investigations at the ICO, Steve Eckersley, stated that: "Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn't the case here.
We found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action."
A spokesman for LPVL said that the company has "taken full responsibility for the historic data breach... take our legal responsibilities to manage our clients' data seriously and as a result of the incident, we have invested heavily in substantially updating our systems and training of colleagues."