The Financial Services Authority (FSA) has fined Norwich Union £1.26m for failing to safeguard customers against fraud. The City regulator said it had slapped the firm's UK life insurance biz, Norwich Union Life, with a record-breaking financial penalty because of a number of glaring system weaknesses which exposed confidential …
Just goes to show.
Businesses only care about the security of our data when it becomes too expensive not to care.
That's business for you...
Make as much money as you can while doing as little as possible. Don't REALLY care or fix problems; employ a PR dept to cover them up because it's cheaper.
When I was a student about seven years ago, I supplemented my beer money temping - the very first job I was given was data input at Norwich Union. I was plonked down in front of a computer, a manager logged me in, and I was left to my own devices. It quickly dawned on me that I had pretty much unlimited access to the whole customer database - I could look up names, addresses and medical history of anyone who was or had ever been a Norwich Union customer, for the whole two weeks I worked there.
Out of boredom I have to admit that I did look up people I knew, but felt bad about it and stopped, as I could see confidential medical data on them.
I also looked up a few celebrities, including the entire royal family (not sure if it was really a customer or whether some joker had added them), but there was nothing juicy.
Good thing I was honest and kept information to myself - but being a completely unvetted temping worker, I could have quite easily done mischief. Especially as due to my data entry work, my access was not limited to reading the database - I could have altered stuff too, if the mood had struck me.
I had kind of hoped that procedures had improved since then - but it doesn't sound like it. If I had been paid more than a minimum-wage temping pittance, maybe I would have pointed out some of their glaring security holes and tried to get something done about it. Hey ho.
We, the policy holders, pay the fine with reduced benefits from our policies. What foolishness, fining organisations when the cost of the fine will be passed on directly to the customer/consumer.
I have to comment that since Labour came to power their only answer, together with many other organisations', to all sorts of circumstances is to fine us for this, fine us for that. Plenty of stick, no carrot. We pay heavily for the loss of any moral imperative.
Shame the FSA don't run HMRC
If Norwich Union have to stump up £1.28m for around 600 breaches, Alistair Darling would be crapping himself right about now.
Oh I forgot, unlike businesses, local authorities and charities; government ministers can't be surcharged for serial incompetence, fraud and illegality. Otherwise Darling and Ruth (the Poison Dwarf) Kelly would be out of a job and bankrupt.
This news does not surprise me. I had the misfortune to work for NU a few years ago in one of their IT/software depts (only job I was offered at the time after a previous redundancy, and I had a mortgage to pay...). Back then the whole thing was run on WinNT with most of the software a mixture of ASP and Visual Basic (UGH!!). They operated what was laughably called a "Lights Out" system at their pair of server farms at Bowthorpe, near Norwich. Lights Out meant that no one should be in the server farms apart from hardware maintenance and everything should have been via remote access under strict control... but the lights were always on as there were always people in the farms. Half the servers didn't work properly and, because the IT infrastructure was totally crap, remote access was so pathetically slow that you had no choice but to drive up to Bowthorpe and go into the farm yourself in order to get anything done. Additionally, the management were complete tosspots lining their own pockets, the amount of red tape was unbelievable, and the progress made per working day almost negligible.
I bet it isn't much different today - I wouldn't trust them at all!
Privacy ... we've heard about it.
@Mike Richards: And in prison. With Blunkett and Reid who had their fair share of "acting unlawfully" judgements against them.
They work for us eh? Yeah right. If it wasn't so serious it would be funny. And don't think it would be any different with another government - the opposition parties are just as technologically incompetent.
@Julian: Quite agree - thanks, FSA, you're doing a really great job - even less chance of my endowment mortgage being paid off now.
Still, it's in line with the recent ASDA milk fine - punish the company by putting up costs for the customer. Real thinking outside the box, that was.
When are they going to make individuals accountable and start fining directors? Because nothing else is going to get them to take privacy seriously.
"It identified and quickly informed nine of its directors that their life policies had been targeted."
Their corp bigwigs were looked after, but the rest of us forgotten about after the "gold users" were fixed. Sounds familiar.
Fines for directors
The only problem then is that to get anyone worthwhile as a director, you have to pay them more, as there is added risk for them - so the cost is still passed down to the end user, just that there is a price to pay for it every year, not just every so often when they get fined.
Joined up reporting
On the way home from work yesterday I listened to Radio 5 first discussing this case and talking to some security expert about how people had managed to impersonate NU customers and got cheques sent to them using little more than names and addresses etc.
Next item was on the missing driving test disk and talking to a different correspondent they commented several times that there weren't any financial implications of this loss as it was just names and addresses that had been lost.
Somehow they failed to spot the glaring inconsistency between the two items!
NU trying to move the liability?
"Norwich Union said it will compensate all the customers affected by the frauds"
Compensate? Customers should not be treated as if they have been defrauded - NU has been defrauded. This is typical of Financial Institutions - they always try and make out as if the customer has been personally affected and they are doing them a favour by "compensating" them. Their attitude is that it is your account details on the fraud therefore it is your problem - even if the company gave away your account details to the fraudsters in the first place.