The ICO have announced that Co-operative Life Planning (CLS) have suffered a data breach affecting 82,000 customers. In March 2011 a data file containing the personal information of customers who had funeral insurance policies was hacked into and published online. The breach occurred after the file had been repaired by the CLS software support contractor. The data included names, dates of birth, addresses and the contributions they had made to their insurance policies.
After being alerted to the breach, Co-operative Life Planning arranged to have the data deleted and removed from the internet. The Information Commissioner’s Office (ICO) have now asked the managing director of CLS to sign an undertaking to install data loss prevention software across all the company’s servers. In addition, they will be expected to test every database which may be repaired in future to ensure it is secure. This is a result of the investigation of the incident by the ICO, which revealed that the software support contractor did not have permission to copy the data from the company server, and had failed to delete the information after performing the repair.
Sally-Anne Poole, acting head of enforcement at the ICO, said:
“This case highlights the need for companies to ensure their contractors are following procedures on keeping customers' personal information secure. Co-operative Life Planning's customers had an expectation that the organisation would keep their details safe and they have been let down by this breach.”
“The ICO takes breaches of the law extremely seriously and always seeks to take the most appropriate level of enforcement action. In this case, a monetary penalty was not appropriate because the information that was compromised was unlikely to cause substantial damage or distress and its disclosure didn't present a significant risk to the individuals affected.”
“Co-operative Life Planning also had appropriate policies already in place around protecting personal information stored on their servers. Our focus has therefore been to make sure the organisation commits to making improvements to stop this from happening again and we are pleased that they are being put in place.”
All data breaches which reveal personal information are concerning, but this incident raises the possibility of hackers targeting elderly individuals and using the stolen data to attempt to defraud them of their savings or insurance payments. CLS must ensure all customers are aware of the data breach and realise the dangers of email hoaxes such as phishing.