UK insurer hit with biggest ever data loss fine

Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data. The fine was imposed not by the Information Commissioner's Office but by the Financial Services Authority. Zurich Insurance lost 46,000 customer records including some bank details when a tape back-up went missing between …

COMMENTS

This topic is closed for new posts.
  1. David Lawrence
    WTF?

    How do you 'lose' data exactly?

    I'm confused. I am aware of recent problems where laptops, CDs, DVDs and memory sticks have been lost/mislaid, and they had sensitive data on them. I'm ok with that. Something physical that has data on it.

    From what I have read, Zurich 'lost' some data while transferring over to a 3rd party for archiving. I also understand that no customers have suffered financially as a result. I conclude then that while the data got 'lost', it did not fall into enemy hands.

    So where did it go? Into the interwebs? All them little bits and bytes leaking out into people's routers and networks. How clumsy.... and how unfortunate to have been fined such a large amount for 'losing' some data. I also understand that it took Zurich quite a while to realise that the data had been 'lost' and to admit same.

    Is anyone else similarly confused?

    1. basa48
      Stop

      Erm - A back-up tape?

      It was a back-up tape that was lost.

    2. Tom Chiverton 1

      Clue is in the article

      "Zurich Insurance lost 46,000 customer records including some bank details when a ******tape back-up****** went missing"

    3. _Absinthe_

      Hmm, did you read the article!?

      "Zurich Insurance lost 46,000 customer records including some bank details when a tape back-up went missing between two sites in South Africa."

      Kind of answers your question in one neat little sentence... ;)

    4. Anonymous Coward
      FAIL

      @David Lawrence: Reading and comprehension fail.

      "a tape back-up went missing between two sites in South Africa"

      It was only blind luck that this backup tape didn't fall into the wrong hands.

      As for the notification, it is obvious that they knew of the loss at the time but covered it up for a year.

  2. Anonymous Coward

    Erm...

    >Even worse, it took a year for Zurich UK to hear about the loss

    No. I'd say even worse is that UK personal data is being stored and processed anywhere other than the UK.

    1. Neil Greatorex

      It wasn't UK personal data

      From the article text:

      The lost tape included data on half a million South African clients of Zurich, and 40,000 from Botswana.

      No Britons involved...

      1. Ru
        Thumb Down

        Re: It wasn't UK personal data

        From the very first line of the article: "losing thousands of British people's personal data"

        The little note at the end uses the word 'included'. I'd take that to mean 'additionally to the data on UK citizens for which Zurich is being fined'.

    2. LawLessLessLaw
      Boffin

      The Sun Set on the Empire

      > The lost tape included data on half a million South African clients of Zurich, and 40,000 from Botswana.

      SA and Botswana are not part of the UK, bokkie.

      1. Anonymous Coward

        @Neil Greatorex and @LawLessLessLaw

        You both could try reading the whole article from the beginning.

        >Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data.

        Now while I realise that these British people could be British in name but resident in South Africa I doubt whether the FSA would have any sway if this was a purely South African issue.

  3. The Metal Cod

    Eunuch ICO

    Credit to the FSA for holding Zurich to account and imposing a punishment. It should have been the ICO imposing such a penalty.

  4. N2

    Fine?

    Which no doubt leads to larger bills for their customers, who should really be receiving a cut.

  5. Rishi
    Thumb Down

    Not the ICO but the FSA

    However the most shameful thing is that it was not the toothless ICO but the FSA who levied the fine.... I am sure the ICO's office would have said - don't worry it was just 48,000 customers - No harm done...nothing to see.

    1. CASIOMS-8V

      ICO = UK Data ?

      Wouldn't the ICO only potentially be involved if it was UK data ?

      Not stating as a fact, just interested to know

  6. TkH11

    data lost?

    Data isn't tangible, so does it matter if it gets lost? What actually is there to lose?

    If a copy exists then has the data been lost?

  7. Anonymous Coward

    Were they insured...

    Were the tapes insured against loss? *cough*

  8. Anonymous Coward

    Fines?

    The Nationwide one was paid by the members, not the directors (cheers guys) and Zurich made £91m last year, so this is going to be paid by emptying the petty cash box: http://www.zurich.co.uk/home/mediacentre/company/Zurichs_UK_reports.htm

  9. Peter 39

    Pity

    'Tis unfortunate that it's an insurance company. No doubt they're self-insured for this sort of thing and will just treat it as cost-of-doing-business.

    Had it been a regular company then their business insurance rates would go way up - 'natch. The bean-counters could then weigh this against the cost of improving security and, hopefully, apply appropriate funding to (2)

  10. Anonymous Coward
    Coat

    but

    They were told.

    Repeatedly.

    (backup tape btw - unencrypted natch)

    Coat because that's what they told me to get a couple of years ago...

  11. Alpha Tony

    So...

    ...Who gets the money from the fine?

    Can the Zurich customers whose data was lost expect a £50 cheque in the post each?

    No.. Thought not.

    I'm certainly not against fining any organisation that compromises the data of the general public, but surely any revenue raised should go to compensate the people that were actually wronged?

  12. Tieger
    FAIL

    Re: Chris W

    "No. I'd say even worse is that UK personal data is being stored and processed anywhere other than the UK."

    riiight... because no other data about UK people EVER leaves the UK for storage/processing...

    especially considering Zurich UK is just part of a multinational company.

    1. Anonymous Coward

      @Tieger

      You mean other companies keep and process data of British citizens offshore. Well bugger me, I didn't know that.

      However, what exactly is your point?

  13. Aristotles slow and dimwitted horse
    Stop

    @ David Lawrence

    You are right to be confused as the story does not convey what actually happened very accurately.

    The data itself was on a tape being transported from the Zurich offices in SA to an off-site silo by the 3rd party that manages Zurich SA applications and infrastructure. What the story also does not convey is that the fine was probably so high because the application in question holds/processes data on "high net worth" Zurich UK customers.

    I believe that the 3rd party has been dismissed and that this application is now managed in-house.

  14. James 5
    Happy

    Way hay !

    At last -

    But they should also force them to state on all their advertising "We have been fined £2.3m by the FSA for losing your personal data. Still trust us?" for the period of one year.

  15. Anonymous Coward
    FAIL

    @TkH11 are you for real?

    So a tape containing (hypothetically) your name, address, d.o.b., NH number, children's names and ages, etc etc etc is lost. There's nothing there, no need to worry. I wonder what all that mine of non-existent data could be used for? Mmmmm.

  16. This post has been deleted by its author

  17. TkH11

    @AC

    You mentioned a tape. I didn't mention a tape. I questioned the subject of data loss!

    I didn't describe the medium - if any - on which that data is held.

    I was actually referring to loss of data into the ether, where there is no medium to lose.

  18. TkH11

    @AC

    @AC, my post was a response to the very first post, how do you actually lose data?

    One doesn't lose data, it's not tangible. (Which was the subject of my first post).

    One loses the medium on which the data is stored.

    1. Desk Jockey

      Actually it is loss of control

      It is not the medium loss that they are being fined for, but the shoddy loss of control of data due to poor practices. Specifically, the data not being encrypted. Don't forget, anyone holding personal data in the UK of other people (ie customers) has a statutory obligation to look after it.

      Therefore Zurich losing a backup tape is irrelevant in terms of the use of the word loss. The term loss is being applied that they could not account for the data and could not demonstrate that the missing data was not used for other purposes. In short, they lost control not just the physical hardware and therefore they did not fulfill their statutory obligations. If the data was lost say through a server failure, that would be a loss to the company, but not a loss in terms of personal data because no one else gained unauthorised access to it. Someone deliberately going in and copying the data, bypassing safeguards is termed a breach.

      Many people, particularly lawyers and Intellectual Property types, would disagree with your opinion that data is not tangible. It has value, therefore it is worth money and therefore it is tangible in the same way that you would pay an electrician or a builder to do your house. He has knowledge that you do not, you could buy the materials and do it yourself, but you are also paying for what they know in order to get the job done better. Software has value, it can be sold and traded therefore, it also is tangible because it is a saleable commodity.

  19. DEAD4EVER
    Thumb Down

    uk insurer

    seriously what is it with uk companies loosing data records of there customers do they not have a safe thease days to keep them safe

    1. Mark C 2
      FAIL

      @DEAD4EVER

      1. Read the article.

      2. Learn to spell.

      That is all.

  20. Tigra 07
    Thumb Down

    Fire

    This will keep happening until the actual people losing the data get the fines or prison sentences.

    Fining the company hardly affects the idiot losing the laptops and tapes.

  21. TkH11

    Definition of Tangible

    "Having physical existence and/or form, or discernible through one or more senses."

    Alternatives:

    a. Discernible by the touch; palpable: a tangible roughness of the skin.

    b. Possible to touch.

    c. Possible to be treated as fact; real or concrete: tangible evidence.

    2. Possible to understand or realize: the tangible benefits of the plan.

    3. Law That can be valued monetarily: tangible property.

    According to this, data is not tangible as it can not be physically touched. However, in a legal context an additional definition exists. For the purposes of law I can accept this. But for most people in the literal definition, (where most people are not lawyers), data is not tangible.

    1. John H Woods Silver badge

      You are correct ...

      ... in believing that it is incorrect to say 'data is tangible'. However, data ARE tangible.

    2. lpopman
      WTF?

      titular something or other

      "c. Possible to be treated as fact; real or concrete: tangible evidence"

      Seems like Data could be covered under this definition. Personal data is

      1. factual

      2. real

      3. concrete (see 1 and 2)

      ergo Data is tangible

  22. Anonymous Coward
    Flame

    Purely symbolic "punishment"

    "Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data."

    Enormous? Is that even 1% of the company's yearly _profit_?

    If it's not, it's even less than a slap to the wrist and saying 'Bad, bad!'

    Losing anything beyond name should be punishable at rate of £1000 per person and that sum goes to those whose details have been "lost", ie. sold to 3rd parties. Criminal charges on top of that if necessary.

    If a company goes bankrupt because of this, it serves them right: an ordinary citizen is financially ruined when he does major crimes and gets caught, so tell me why corporations should get away for free? Or with purely symbolic "punishment" like this?

  23. Ascylto
    Big Brother

    Solution (again)

    It will happen again and again and again until they make the heads of these companies/departments responsible and SACK them ... THEN you'll get change. Fines are meaningless to companies of this size - less than 1%!
