The Information Commissioner's Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers' personal data exposed for almost two years.
The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an Anonymous Authentication function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.
The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
During its investigation, the ICO uncovered a catalogue of security errors and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data. In addition, LPVL only alerted the ICO to the breach when it was contacted by a hacker. The ICO concluded this was a serious contravention of the 1998 data protection laws, which have since been replaced by the GDPR and the Data Protection Act 2018.
Steve Eckersley, Director of Investigations at the ICO, said:
"Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn't the case here.
"As we uncovered the facts, we found LPVL had failed to adequately prepare its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
"Companies must accept that they hold a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action."