Tag Archives: Zurich Insurance

Data loss costs Zurich Insurance �2.27 million in FSA fines

August 25, 2010

The Financial Services Authority (FSA) has imposed fines of nearly �2.3 million against the UK arm of Zurich Insurance over a serious data loss incident in which 46,000 of its customers had their details exposed.

The fine is a new record and the FSA’s Margaret Cole said that it was appropriate because Zurich had failed in its responsibility for the protection of private data, protection that its UK customers had a right to expect.

Zurich’s UK CEO Stephen Lewis admitted that the data loss, which took place two years ago this month, was not acceptable. Included in the data that went missing back in August 2008 were financial details relating to Zurich customers, including account numbers and payment card information.

It took the insurance firm 12 months to detect the loss and it was only then that it was able to inform affected customers. This delay added to the controversy surrounding the original data loss and may have contributed to the scale of the record fine.

The data was lost in South Africa as storage drives were being transferred between centres as part of standard procedures.

The FSA criticised Zurich in a statement, saying that it had not ensured the protection of customer data with policies and data management systems and had been lax in its use of third party firms to manage data, consequently underestimating the risks.

The South African branch of Zurich’s operation was deemed to have lacked the necessary controls to ensure that data belonging to UK customers was properly protected against loss and subsequent use in fraud, Cole said.

At this time, Zurich has been adamant that the lost data has never been exploited by criminals, adding that improvements to data protection policy and a security executive had been put in place to help prevent any repeat of the incident.

Zurich had originally been facing fines of 3.25 million, but by choosing to accept the FSA’s rulings it saw a 30 per cent reduction in this total.

Zurich Insurance reprimanded over data loss

March 26, 2010

The Information Commissioner’s Office (ICO) has reprimanded Zurich Insurance, a firm that has been embroiled in a data loss scandal since 2008.

A total of 47,000 clients were affected nearly a year and a half ago when the South African arm of Zurich Insurance misplaced a significant data storage device during a transfer between data centres.

According to the ICO, Zurich withheld the news of the breach for 12 months before admitting it and in so doing was clearly in breach of the UK Data Protection Act.

It is known that the lost data device was completely unencrypted, allowing the personal information contained to easily leak out onto the black market.

Zurich Insurance conducted an investigation internally, the findings of which unearthed a catalogue of potentially damaging deficiencies in the management of data protection at its South African headquarters.

Zurich Insurance’s Stephen Lewis met with representatives from the ICO earlier in the week to commit to improving data security, particularly when data is to be transferred physically between two locations. Mr Lewis will now have to ensure that data is properly encrypted to contain the potential threat posed by any loss.

Mr Lewis is also committing to more transparency between his firm and the regulators, ensuring that any breaches or fragility identified in its systems will be rapidly reported to the proper authorities. Training staff and informing partners will also be an important step towards safeguarding customer data.

ICO investigator Sally-Anne Poole said that inadequate data protection would not only incur the scrutiny of a business by the relevant external bodies, but would also impact the business’ status and image amongst consumers and potential customers.

Data security expert Chris McIntosh told V3 that he found the year long delay between the point at which the data was stolen and the reporting of the event to be unbelievable. He said that identifying when leaks have occurred and notifying the affected parties and appropriate regulatory bodies is essential for any firm in maintaining the trust and respect of the market.

Zurich Insurance apologises to customers for data loss

October 26, 2009

A major failure in backup security procedures has left the personal details of 51,000 UK citizens at large in the Southern Hemisphere for a period of over 12 months. The Swiss insurance group Zurich experienced the loss when a data tape was being transferred for storage in South Africa in 2008. It has taken a year for the loss to be discovered and the story has spread quickly because of the catastrophic volume of data involved.

On top of the UK customers exposed, over half a million South African clients of the insurance giant had personal details stored on the mislaid data tape. KPMG has been called in to assist in identifying the causal factors behind the loss.

Zurich’s European CEO Annette Court was quick to apologise to the affected customers in the UK and abroad, rightly denouncing the loss as an unacceptable blunder. Court also took the opportunity to reassure customers that Zurich is updating its storage and backup infrastructure in order to provide more effective security in the future. Since no details on this improvement programme have been forthcoming, it is likely that the newly discovered data loss has in fact been the catalyst for a comprehensive data protection upgrade programme within Zurich. Continue reading →