EYE NEWSFLASH: Agent fined £80,000 after leaving customers’ personal data exposed

The Information Commissioner’s Office (ICO) has fined an estate agent £80,000 for leaving 18,610 customers’ personal data exposed for almost two years.

The security breach happened when the London agency, Life at Parliament View Limited, transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function.

This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.

The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

During its investigation, the ICO uncovered a catalogue of security errors and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data.

In addition, LPVL only alerted the ICO to the breach when it was contacted by a hacker.

The ICO concluded this was a serious contravention of the 1998 data protection laws which have since been replaced by the GDPR and the Data Protection Act.

The partner organisation involved in the breach has not been identified by the ICO.

However, in its penalty notice, the ICO says that in March 2015, the agent “integrated with a partner organisation which offered a property letting transaction service”. This required the transfer of tenancy data held on LPVL’s server.

Steve Eckersley, Director of Investigations at the ICO, said: “Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here.

“As we uncovered the facts, we found LPVL had failed to adequately train its staff who misconfigured and used an insecure file transfer system and then failed to monitor it.

“These shortcomings have left its customers exposed to the potential risk of identity fraud.

“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”

The ICO has published guidance on a Practical Guide to IT Security.

The penalty notice is here: https://ico.org.uk/media/action-weve-taken/mpns/2615396/mpn-life-at-parliament-view-limited-20190717.pdf

x

Email the story to a friend!



6 Comments

  1. AgencyInsider

    Scary!

    Report
  2. DarrelKwong43

    seventh paragraph last reference to the Data Protection Act 1998…i assume you mean the Data Protection Act 2018?

    Report
    1. AgentM

      The breach occurred in 2015, which was prior to the 2018 GDPR regulations becoming law – this means the agent was in breach of the 1998 Data Protection Act, and the agent fined accordingly.

      I’ve no doubt that the fine may have been significantly higher had the breach occurred post May 2018, particularly as the regulator is looking to make an example of those early to breach; as evidenced by the £183million fine passed to BA last week.

      Report
  3. Mike Dawson

    Good Lord!!

    Report
  4. alexrooker

    It’s important to investigate and take action.
    http://rolltheball.co/basketball-legends

    Report
  5. goalken

    The information is very special, I will have to follow you, the information you bring is very real, reflecting correctly and objectively, it is very useful for society to grow together. https://basketball-legends.online

    Report
X

You must be logged in to report this comment!

Comments are closed.

Thank you for signing up to our newsletter, we have sent you an email asking you to confirm your subscription. Additionally if you would like to create a free EYE account which allows you to comment on news stories and manage your email subscriptions please enter a password below.