The Financial Services Authority (FSA) in the UK has fined Zurich Insurance a whopping £2.28 million (US $3.5 million) for the loss of a backup tape in 2008. It was revealed that data encryption was not used to protect the contents of the tape.
46,000 Affected in the UK
The fine was for losing the information of 46,000 customers. The original story I had blogged about had noted that the personal details of 51,000 UK customers had been lost (over 640,000 people had been affected in all). I guess the initial report was slightly off. What is still accurate, though, is that the backup tape went missing en route to a storage center (for security purposes, I imagine).
This is the largest fine the FSA has handed out for a data breach to date. It would have been higher, but Zurich settled quickly, earning itself a 30% discount.
Oblivious to the Data Loss
The fine may have also have been for not having adequate controls that would have, if not prevented the loss to begin with, at least prompted Zurich to respond faster to what is a global problem: financial data theft. From property-casualty.com:
Margaret Cole, the FSA’s director of enforcement and financial crime, said in a statement, “[ZIP UK] let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, [ZIP UK] was oblivious to the data loss incident until a year later.”
It was also quoted in the same article that “as there were no proper reporting lines in place [ZIP UK] did not learn of the incident until a year later.” While I’m probably reading too much into it, it almost sounds as if the breach was discovered early on, but relaying the information was mired up in bureaucracy because no one knew who to report it to (“no proper reporting lines” speaks volumes to me. Maybe it’s because I served in the military).
While a supposition, I guess my thought above could be true: Zurich UK has announced that a “dedicated information security officer” had been appointed since the incident, per the BBC. Waiting an entire year because of that? That’s pretty screwed up. Geez, people! Get in touch with the CIO! It might not be the CIO’s responsibility per se, but at least they tend to know a thing or two about data security.
Oh, brother. $3.5 million because of one tape that was not protected with encryption software. Well, not entirely because encryption was not used; the issues revolving around data security are pretty complex. On the other hand, using encryption is usually a sign that other data security procedures are also in place (monitoring, auditing, etc).
No need to say that an encryption tool like AlertBoot would have been extremely useful in this case. Not just as a tool for avoiding fines when a tape goes missing, but for actually protecting sensitive customer information.
I mean, let’s be honest: we still don’t know whether approximately half a million people in the world will find themselves victims of ID theft. ID-theft based crimes either tends to happen very soon after a breach, or a long time after a breach. And why not? Some of that data is pretty much permanent. For example, a Social Security number is pretty much for life.
Related Articles and Sites: