The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed.
The breach appears to have occurred when the agency transferred data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This error meant that access was not restricted, so anyone who reached the correct web page could access all the data from March 2015 to February 2017 without any restrictions or protection.
The data that was exposed included bank statements, salary details, copies of passports, dates of birth and addresses of landlords and tenants.
The ICO discovered a catalogue of security errors and found the agency had failed to take any appropriate technical and organisational measures against the unlawful processing of data. Furthermore, it is understood that the agency only alerted the ICO to the breach when it was contacted by a hacker. The ICO found that the agency had contravened the 1998 data protection laws, which have since been replaced by the GDPR and the Data Protection Act 2018.
Data protection breaches are a huge concern for many businesses, especially with hackers on the rise. Care should be taken with online data, and processes and procedures should be put in place to ensure data is secure.
The ICO’s guidance on IT security, which is well worth a read, can be found here.