Zurich Insurance Plc (Zurich UK)

What

Loss of personal information including bank and credit card details and details of insured properties.

How much

46,000 records.

Why

Unencrypted backup tape lost by Data Processor.

Regulator

FSA

Regulatory action

Monetary penalty – £2,275,000

Reason for action

Zurich did not audit its data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as with a normal data processor.

When

24 August 2010

Links

View the press release relating to Zurich Insurance on the FSA website

View PDF of the Zurich Insurance Final Notice (via FSA website)

View PDF of the Zurich Insurance Final Notice (Breachwatch archive)

HSBC Life (UK)

What

  • Loss of personal data.
  • General lack of controls

How much

180,000 records.

Why

Loss of unencrypted CD in the post.

Regulator

FSA

Regulatory action

Monetary penalty – £1,610,000

Reason for action

Systemic organisational failings in InfoSec. No risk assessment. Repeated transmission of unencrypted data. Customer data held insecurely in office.

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Life (UK) Final Notice (via FSA website)

View PDF of the HSBC Life (UK) Final Notice (Breachwatch archive)

HSBC Insurance Brokers

What

No breach

How much

None

Why

FSA audit – probably as a result of other group breaches

Regulator

FSA

Regulatory action

Monetary penalty – £700,000

Reason for action

  • Ignored specific and repeated compliance recommendations.
  • Inadequate risk assessment
  • Weak controls

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Insurance Brokers Final Notice (via FSA website)

View PDF of the HSBC Insurance Brokers Final Notice (Breachwatch archive)

HSBC Actuaries and Consultants

What

Loss of personal data.

How much

1,917

Why

Loss of unencrypted floppy disk in the post

Regulator

FSA

Regulatory action

Monetary penalty – £875,000

Reason for action

  • Inadequate risk analysis/assessment.
  • Ignored instructions from HSBC group following Nationwide breach

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Actuaries and Consultants Final Notice (via FSA website)

View PDF of the HSBC Actuaries and Consultants Final Notice (Breachwatch archive)

Merchant Securities Group

What

No breach.

How much

None.

Why

FSA thematic visit.

Regulator

FSA

Regulatory action

Monetary penalty – £77,000

Reason for action

  • Inadequate risk assessment.
  • Poor control over backup media.

When

13 June 2008

Links

View the press release relating to Merchant Securities Group on the FSA website

View PDF of the Merchant Securities Group Final Notice (via FSA website)

View PDF of the Merchant Securities Group Final Notice (Breachwatch archive)

Norwich Union Life

What

  • Disclosure of personal information to fraudsters.
  • Fraudulent policy surrender

How much

  • 632 records
  • 74 records

Why

Telephone-based fraudsters used publicly available information (name, DoB etc.) to impersonate customers and gain access to accounts.

Regulator

FSA

Regulatory action

Monetary penalty – £1,260,000

Reason for action

Aware of threat but took inadequate countermeasures except in case of Aviva group directors.

When

17 December 2007

Links

View the press release relating to Norwich Union Life on the FSA website

View PDF of the Norwich Union Life Final Notice (via FSA website)

View PDF of the Norwich Union Life Final Notice (Breachwatch archive)

Nationwide Building Society

What

Loss of personal data

How much

Not reported, potentially all customers (10+ million)

Why

Theft of unencrypted laptop from staff member’s home.

Regulator

FSA

Regulatory action

Monetary penalty – £980,000

Reason for action

  • Inadequate risk assessment
  • No incident response plan and slow response to theft (3 weeks)
  • Poor staff training and awareness
  • Poor controls

When

14 February 2007

Links

View the press release relating to Nationwide Building Society on the FSA website

View PDF of the Nationwide Building Society Final Notice (via FSA website)

View PDF of the Nationwide Building Society Final Notice (Breachwatch archive)