The Information Commissioner’s Office (ICO) has fined a London-based estate agency £80,000 for exposing 18,610 customers’ personal data for a period of almost 2 years.
The data breach occurred when the agency, Life at Parliament View Ltd (LPVL), moved personal data from its network to a partner organisation and did not switch off the ‘Anonymous Authentication’ function, leaving the data easier for hackers to acquire.
Because of this, access restrictions and permissions were not implemented, which gave anyone connecting to the server full access to all the data captured between March 2015 and February 2017.
The GDPR Breach
The personal data left exposed included bank statements, salary information, copies of passports, dates of birth and addresses of all registered tenants and landlords.
In its investigation, the ICO found what it calls “a catalogue of security errors” and revealed that LPVL had failed to secure its data using the correct security and permissions, which led to the breach. Furthermore, LPVL only made the ICO aware of the breach when it was contacted by an ethical hacker. The ICO concluded that LPVL’s conduct was a massive contravention of the 1998 data protection laws, which have since been replaced by the GDPR and the Data Protection Act 1998.
The estate agency left customers at risk
Steve Eckersley, Director of Investigations at the ICO, stated:
“Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here.
“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”