Zurich Insurance promises changes after data loss
Promises to pull socks up, won't do it again
Zurich Insurance has promised to improve its information security after losing personal financial information on 46,000 British clients through careless handling of unencrypted backup tapes.
The backup tape, which also contained personal details of 1,800 third party insurance claimants from the UK, was lost by Zurich's South African sister company during what was described as a routine transfer to a data storage facility in South Africa in August 2008.
In total, 51,000 British records were on the tape, along with a much larger number of details about Zurich customers in South Africa (550,000) and Botswana (40,000). Zurich's UK arm wasn't informed about the problem until a year later.
There's no evidence that the information was subsequently used in ID theft or other scams in any country, but that's down to good luck rather than basic safeguards, which were notably absent.
The case was reported to UK privacy regulators, who extracted a promise from Zurich to improve its procedures or risk tougher action for any future data breaches.
In particular, Zurich Insurance plc pledged (pdf) to apply encryption controls on backup records and apply "controls to monitor and promptly report potential or actual data loss activity" in future.
Zurich said: "where any future movement of back-up tapes containing personal data is required, ZIP UK will ensure that appropriate data security procedures, including the use of encryption where appropriate, are in place".
The insurance giant also promised to carry out staff training to prevent future similar breaches by improving lax backup handling procedures, as explained in a statement (pdf) on the case issued by the ICO. The company said all this had either already happened or would happen very soon.
Chris McIntosh, chief exec of data encryption expert Stonewood, said the incident illustrated the need for organisations to ensure their data security policies were "airtight at every single step in that data's lifecycle".
"This is especially important when operating in regions such as South Africa which, unfortunately, has a reputation for data theft and fraud. Indeed, the issue with this loss is not just the loss itself. It is the tardiness with which the loss was eventually reported. This has resulted in the data of a further 5,000 UK customers being threatened, thanks to deficiencies in operating procedures which caused the original loss not being addressed immediately," McIntosh added. ®
And why is that?
Because manglement is on their backs for using too much time to restore service. And they can get away with it because InfoSec is not going for manglement's throat when something goes wrong. Probably because InfoSec doesn't have the clout they need to actually tear out a throat or two as and when needed. So start complaining at the CEO or board, then get back to us when they're ready to shell out for the necessary procedures.
You get what you pay for...
just be like citibank
I think losing customer data can be a good thing (if done enough).
Citibank, for instance, with whom I have held an account for most of my life, has sent me several letters through the years telling me that through their careless activity they lost confidential customer information on an unknown number of clients.
These are all snail mailed letters that can be confirmed by Citi with a phone call. They've done this enough that when you see the letter come in you know what it is.......
But there's a light at the end of that tunnel. They always seem to have some "free" credit monitoring program open to you "for a limited amount of time", since Citi knows that identity thieves usually don't try to steal the identity of people after so much time.
They know it better than we all do; that's why they continue to lose customer data and make money on the back end from those taking advantage of these credit monitoring programs. It's only free for a limited time, then you pay and Citi gets paid.
I say to Zurich, follow Citi's lead, maybe you can get 25 billion from our government as well.
Yet another abject failure of Government
If there is no penalty other than having to 'promise not to do it again', then no company will *ever* proactively secure anything. They'll wait until something gets lost, then promise not to do it again.
Just like Health and Safety, *nothing will change until there are consequences for breaches*
The only reason for the UK's currently excellent record on workplace safety is because doing nothing costs too much when there is an accident - and has the potential to be really expensive even without an accident.
Yet not bothering with Data Protection costs nothing at all, even when massive breaches happen!
The first "question"
I think would be.
Management "You are going to let tapes fall in the wrong hands then?".
IT Techie "No, well, of course not".
Management "Good then, any more silly proposals?".
Management to Management "who is that guy, anyway?"
The big question
is why UK data is being transmitted and stored outside of the UK? Why isn't the information commissioner jumping all over them for that?