BreachExchange mailing list archives

UK: Mortgage Company Data Protection In Arrears


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 18 Mar 2010 22:56:06 -0400

http://www.eweekeurope.co.uk/news/mortgage-company-data-protection-in-arrears-says-watchdog-5500

Redstone Mortgages had been sending customer details by email since
2005 with no password or encryption

A mortgage company has been found in breach of the Data Protection Act
after accidentally emailing details of more than 15,000 customer
accounts to a member of the public.

In a statement released this week, the Information Commissioner's
Office (ICO) said that Redstone Mortgages Ltd was found in breach of
the act after sending customer details by email without bothering to
encrypt or password protect the information. The information was meant
for a consultant but was sent to a member of the public with a similar
email address on 3 August 2009.

According to the undertaking document, Redstone had been sending
unsecured customer data by email every month since 2005. The chief
executive of Redstone Mortgages, David Lautier, has now signed an
undertaking to make sure all future customer information will be
password protected before being emailed. Redstone will also be
required to implement other security measures to protect personal
data, the ICO said. “It is essential that the right procedure is
followed and care is taken when sending out emails of this nature. If
personal information falls into the wrong hands, individuals could
experience considerable distress,” said ICO head of enforcement and
investigations, Sally-Anne Poole. “It appears that this method of
sending out reports containing personal information has been common
practice within the company for a while. I am pleased that Redstone
Mortgages has agreed to take remedial steps to safeguard personal
information and prevent a similar incident happening again.”

In January the ICO warned that businesses that do not own up to data
breaches will face tougher action than those that come forward of
their own volition. The ICO said that more than 800 data security
breaches have been reported over the last two years. The ICO warns
that companies that approach it voluntarily will still face some
action, but those businesses which attempt to cover up security
incidents will be hit with much tougher penalties.

The Conservative Party’s plans to increase privacy and reduce the
amount of government data will involve a big increase in the powers of
the Information Commissioner, a London meeting heard last week. “Our
personal data belongs to us, and the government holds it on trust,”
said Eleanor Laing, MP, the shadow Minister for Justice, speaking at a
Westminster Legal Policy Forum meeting in London.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
