Zurich Insurance in the UK has just discovered the true cost of failing to secure confidential customer data properly, as the Financial Services Authority (FSA) fines the company a record £2.275m ($3.5m) for the data loss incident in 2008 which potentially put some 46,000 customers at risk.

The incident occurred when an unencrypted back-up tape containing those 46,000 customer records disappeared in transit between two sites in South Africa in 2008, although apparently it took the best part of a year before Zurich UK heard about the data loss.

According to the FSA, the resulting £2.275m fine is the highest levied to date on a single firm for data security failings. But it could have been much worse: Zurich was granted a 30 percent discount for settling at an early stage of the investigation, which reduced the fine from an original amount of £3.25m ($5m).

The misplaced data included customers' personal details such as bank account and credit card information as well as information about insured assets and security arrangements. Although Zurich UK states it has seen "no evidence" to support suggestions that the data has been misused or compromised in any way, the fact remains that it certainly had the potential to cause serious problems for the 46,000 customers concerned.

FSA Director of Enforcement and Financial Crime, Margaret Cole, said "Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later. Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."

The FSA states, and the case highlights, how Zurich UK failed to "take reasonable care to ensure it had effective systems and controls to manage the risks" relating to the security of customer data resulting from the outsourcing arrangement and further that it "failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime".

Stephen Lewis, Chief Executive of Zurich Insurance PLC (UK), said in a statement: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data. We are appointing a dedicated Information Security Officer to provide ongoing assurance that appropriate measures are in place and that they will continue to be effective. We believe our customers can be confident that we are doing everything we can to keep their data secure and protected."

So it seems that Zurich has learnt from the mistakes it has made, despite the 'record fine' being but a drop in the ocean in financial terms for a company of this size. Other companies should take note that if you effectively crap on customer data security concerns then it should come as no great surprise if, when the brown stuff hits the fan as it inevitably will, the green folding stuff starts flying out of the bank...

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...

Member 949455

So it seems that Zurich has learnt from the mistakes it has made, despite the 'record fine' being but a drop in the ocean in financial terms for a company of this size. Other companies should take note that if you effectively crap on customer data security concerns then it should come as no great surprise if, when the brown stuff hits the fan as it inevitably will, the green folding stuff starts flying out of the bank...

Good article. It is sad that something like that happened.

It really can hurt any company's assets, losing that much money.

I think now most Insurance and Banks read about it and are very cautious and already adding security to prevent something like that from happening to their own company.