A new data loss scandal is unfolding after it was revealed that the Royal London Mutual Insurance Society has lost eight laptop computers.
The Information Commissioner’s Office (ICO) announced that the loss had occurred last week, stating that over two thousand customers had had their personal information exposed as a result of the breach.
The ICO has emphasised the fact that the firm has been found to have breached the terms of the Data Protection Act, as all eight of the laptops are believed to have been stolen from within premises operated by the firm in Edinburgh.
It is believed that only two of the laptops held the data and that those affected by the loss are employees of companies who had approached the Royal London Mutual Insurance Society for pension protection.
According to reports there was no data encryption in place, but rudimentary password protection was acting as a basic safeguard. The ICO said that the insurance company admitted, after an investigation, that it did not hold information relating to the location of any of its laptops whilst they were in use, showing a lack of physical security over portable devices.
It has also emerged that the firm’s administration was unaware as to the presence of personal data on the affected laptops, which has been used in partial defence of the lack of encryption.
The ICO’s Mick Gorrill said that staff members should have been made aware of company policy relating to data security and if proper training had been in place the data loss could have been avoided.
Security expert Chris McIntosh said that this latest incident showed that many businesses were still failing to take on board advice and legislation relating to the protection of data. He said that the ICO was repeatedly forced to address problems after they had occurred and that preventative measures were not being employed by the very firms that are most at risk.
Mr McIntosh highlighted that the price of encryption and secure storage was falling and that it should make financial sense for most businesses to take basic steps to protect their data.
