London-based real estate agency fined £80,000 by ICO

The Information Commissioner's Office has issued a fine of £80,000 to London-based real estate agency Life at Parliament View Ltd for failing to appropriately secure personal and financial information of landlords and tenants between March 2015 and February 2017.
The fine was issued after the ICO concluded that the real estate agency failed to implement access restrictions when it transferred personal and financial data of landlords and tenants from its server to a partner organisation.
The failure to implement access restrictions meant that anyone with an Internet connection could have full access to personal data stored on the server between March 2015 and February 2017. The ICO discovered "a catalogue of security errors" on the part of the real estate agency and noted that the data exposure would have continued had the agency not been alerted to the exposure by a hacker.

Real estate agency failed to prevent public access to personal data

"As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud," said Steve Eckersley, Director of Investigations at the ICO.
"Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action. Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here," he added.
The ICO issued the fine of £80,000 to the real estate agency under the Data Protection Act 1998, as the exposure of personal data took place prior to the arrival of GDPR and the Data Protection Act 2018, which authorise the ICO to levy much larger fines on erring organisations.
In October last year, the ICO also issued a fine of £175,000 to health insurance company Bupa for failing to prevent a massive data breach in 2017 that compromised personal information of up to 108,000 international health insurance customers.
The breach took place when a malicious employee at Bupa gained access to the company's customer relationship management system ("SWAN") that stored personal information of 1.5 million customers, misused his privileged access to steal data of 108,000 customers and then put up the data for sale on the dark web.
While announcing a £175,000 penalty on Bupa under the 1998 Data Protection Act, the ICO noted that Bupa "failed to take appropriate technical and organisational measures against unauthorised and unlawful processing of the personal data which was accessible through SWAN".
Copyright Lyonsdown Limited 2020
