What do you call a firm that leaves customer financials unencrypted on a hard drive? RSA

A UK insurance business has been fined £150,000 for its lax security practices after a hard drive containing customers' unencrypted information was stolen. The hard drive disappeared from the offices of Royal & Sun Alliance insurance (ironically it prefers the abbreviation RSA) back in 2015. It contained 59,592 customers' …

  1. Anonymous Coward

    ICO Fail

    RSA group profits before tax 2015 = £323m

    ICO Fine = £150,000

    2015 ICO guidance on fines:

    The amount of the monetary penalty determined by the Commissioner cannot exceed £500,000. It must be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.

    1. Anonymous Coward

      Re: ICO Fail

      I'd argue that RSA should have copped a full half million, since what they did was negligent, so that's an ICO fail. But half a mill is still beer money for RSA, and that's not the ICO's fault, but a persistent failure of all shades of government, who should have raised the penalties dramatically. And whilst at it, they should have made them recoverable personally from directors if the company wouldn't pay (as that would hit the fly-by-night shysters operating phoenix companies).

      Whilst the UK will probably try for a GDPR equivalence, and that will increase the potential fines, I'll wager that the EU haven't clocked the issue of phoenix companies.

      1. Anonymous Coward

        Re: ICO Fail

        There is no 'will try for GDPR equivalence'; the UK will have to introduce the GDPR as it will be in force well before we leave the EU, so we will have to have it.

    2. Hans Neeson-Bumpsadese Silver badge

      Re: ICO Fail

      You need a way to ring-fence the financial hurt though, to stop innocent $FINANCIAL_INSTITUTION customers from suffering. If RSA got fined a metric s***t-tonne of money, there is the risk that they find money to pay that by reducing dividends on customers' life insurance policies, ISAs, pension funds, etc. Too many times you see the big institutions passing the hurt onto the little people.

      1. Blank Reg

        Re: ICO Fail

        That's easily fixed, levy the fine against the C level in the company, and no the company can't pay on their behalf, and their compensation level is frozen for 5 years to prevent the company boosting salary/bonuses to make up for the fine.

        1. Anonymous Coward

          Re: C level

          And in this case 'c' would stand for.....?

          1. waldo kitty

            Re: C level

            And in this case 'c' would stand for.....?

            CEO, CTO, CFO, etc...

      2. Alan Brown Silver badge

        Re: ICO Fail

        > You need a way to ring-fence the financial hurt though, to stop innocent $FINANCIAL_INSTITUTION customers from suffering.

        A number of fines have been levied on companies "to be taken from shareholder dividends"

        i.e. after tax and disbursements.

    3. Anonymous Coward

      Re: ICO Fail

      ICO Fine = £150,000 → £120,000

      "If the Commissioner receives full payment of the monetary penalty by 7 February 2017 the Commissioner will reduce the monetary penalty by 20% to £120,000 (One hundred and twenty thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal."

  2. psychonaut

    is anyone surprised about this stuff anymore?

    i mean anyone? Bueller?

  3. Anonymous Coward

    Contradiction

    I don't understand how an organisation with the ability to know that its data has been stolen lacks the ability/common sense to secure it.

    If you were designing for your own ineptitude, you'd make sure that there was no record of the sensitive data being on the hard disk.

    1. Doctor Syntax Silver badge

      Re: Contradiction

      "the ability to know that its data has been stolen"

      Hindsight is a very powerful route to knowledge. Presumably they knew it had gone AWOL because they couldn't find it when they wanted to use it. I'm not sure from the report that the disk wasn't simply reformatted & reused but they're not in a position to know that it was and had to take a worst case view.

    2. Dabooka

      Re: Contradiction

      Although in this instance it wasn't discovered through an audit of data accessed or intrusion detection, things that might suggest ability and / or common sense. Their 'ability' to detect was more a case of someone shouting "Anyone seen that usb drive?" which was probably nicked by someone who uses it to transport their .mkvs around.

      Still a woefully inadequate fine though.

  4. adam payne

    What do you call a firm that leaves customer financials unencrypted on a hard drive?

    A bunch of complete muppets.

    "An RSA spokesperson said: 'The ICO fined us for not foreseeing the risk that the theft of a storage device could cause and for not protecting it adequately.'"

    Did their mouthpiece really just say that?

    Have you not assessed what could happen if these things went missing?

    Why was the drive not encrypted before it was deployed?

    1. mark 120

      I'll assume from their comment that they're also still not PCI compliant yet, either, and further, more considerable, funds may be leaving their organisation in future.

    2. Doctor Syntax Silver badge

      "Why was the drive not encrypted before it was deployed?"

      Maybe they couldn't rely on a post-it note with the key staying stuck on.

  5. Doctor Syntax Silver badge

    "The ICO fined us for not foreseeing the risk"

    Isn't foreseeing risks what insurance companies do for a living?

    1. Craig 2

      "The ICO fined us for not foreseeing the risk"

      Now THAT'S irony!

      1. Prst. V.Jeltz Silver badge

        they probably assessed that it's easier just to pay 150k when they lose some data

  6. Anonymous Coward

    150k doesn't get much in the way of infosec people / tech

    So probably a sound decision for now.

  7. lglethal Silver badge

    £2.50 per person - that's really going to encourage them to be better!

    See title.

    1. Nunyabiznes

      Re: £2.50 per person - that's really going to encourage them to be better!

      Especially when they are just going to raise their rates by 3/month/person to pay the fine and a little something for the executives for having to listen to the whining.

  8. Pen-y-gors

    'Lost forever'?

    The drive may be lost forever but I suspect the data may well re-surface in various less-than-salubrious parts of the Web.

  9. This post has been deleted by its author

  10. John G Imrie

    I've decided to run as an MP

    I have one policy

    The maximum fine of the ICO will be amended to £500,000 per person/organisation whose data was lost and 90% of the fine will be distributed equally to each affected person/organisation

  11. gnasher729 Silver badge

    "Insurer's details on 60k people lost forever"

    Could you clarify: Does that mean not only was the data unencrypted, but it was also not backed up? That the only copy in existence is gone? I would optimistically hope that someone in the office needed a new hard drive or a new laptop, took it, and erased it before using it, but if customer data is "lost forever", does that mean insurance claims will not be paid out, the company has no knowledge that people paid their premiums etc. ?

    And if money should go to those affected, does that mean they don't know who is affected?

  13. Anonymous Coward

    RSA Customers?

    Wasn't this Lloyds Bank customer data that was stolen? (and widely reported as such, as it made a better headline!)

    Did Lloyds terminate its contract with RSA, invoking penalty clauses for failing to protect its customer data? At the very least, RSA should have been made to pay the costs of changing account numbers for all the impacted customers, and given each of them a £100 sweetener (similar to what's offered to switch banks). That might focus the minds of the board, or the shareholders who agree their salaries.

  14. Anonymous Coward

    One alternative is to fine this company 50% of their gross profit for the last 2 years. I would want to see which companies would then not take security and privacy seriously.

    1. Anonymous Coward

      And what

      about the staff losses that will follow to cover that fine.

      Because that's what will happen. Being made redundant for a company's ineptitude is not fun.

    2. Alan Brown Silver badge

      "One alternative is to fine this company 50% of their gross profit for the last 2 years."

      There are so many ways to fiddle the books to make profit look smaller that this is a nonstarter.

      10% of TURNOVER on the other hand....

  15. Woodnag

    mitigate the risk?

    "We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again."

    I'd prefer to hear "prevent" instead of "mitigate the risk of" myself.
