Personal Data Exposed Following Estate Agency Data Transfer Error

A London estate agency has been fined £80,000 by the Information Commissioner’s Office (ICO) for inadvertently exposing over 18,000 pieces of sensitive customer data for almost two years.

Between March 2015 and February 2017, London agents, Life at Parliament View Ltd (LPVL), failed to protect 18,610 pieces of personal data whilst making a transfer of data from its server to a partner organisation.

During the process, the estate agency failed to switch off an ‘anonymous authentication’ function which meant the access restrictions were not implemented leaving full access to the data until the issue was discovered two years later.

Overall, the breach provided a smorgasbord of freely accessible data for anybody to consume. For a cyber criminal, the bank statements, salary details, copies of passports, addresses and date of births were a veritable feast.

LPVL only notified the ICO after they were drawn to the error by a cyber hacker who happened across the information. As a result, the agency was fined in accordance with the Data Protection Act 1998 which has now been replaced by GDPR.

Steve Eckersley, Director of Investigations at the ICO said:

“Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here.

“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.

“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”

Is your law firm secure from making seemingly innocuous and innocent mistakes when transferring data?