Estate agent dodges GDPR-sized bullet after exposing 18,610 folks' data for two years
Fined £80,000 under Data Protection Act – could have been a lot more under new EU rules
A London estate agent has been fined £80,000 after thousands of clients' personal data was left exposed online when it was handed over to a third party.
A ruling from the Information Commissioner's Office found Life at Parliament View Ltd (LPVL) left the personal details of 18,610 people available online for just under two years. The data was from both tenants and landlords and included bank statements, salary details, dates of birth and other information including copies of passports.
The exposure occurred when the estate agent passed the details from its own servers to a partner company and failed to switch off the "Anonymous Authentication" function on the file transfer system used for the hand-over, which meant that anyone who reached the system could read the data without a username or password between March 2015 and February 2017.
The ICO said its investigators "uncovered a catalogue of security errors and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data".
The company only told the ICO when it was contacted by a hacker about the breach.
Steve Eckersley, director of investigations at the ICO, said: "Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn't the case here.
"We found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
"Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action."
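The ICO's two findings above, an insecure file transfer system left with anonymous access switched on and nobody monitoring it, are both checkable. The following is an added example written for this page, not code from the ICO, from LPVL or from its partner. The page does not name the file transfer software involved, so the example assumes vsftpd's configuration keys and its default (non-xferlog) log format; the configuration fragments and log lines are constructed for the example, and the client addresses and file names are invented.

```python
"""Audit an FTP server for the failure mode described in the ICO findings:
anonymous authentication left enabled, and the log not being watched.

Added example, not code from the page. Assumes vsftpd (config keys and
default log format); all configuration text and log lines are constructed.
"""
import re
from collections import Counter

# Constructed vsftpd.conf fragments: the weak setting beside the corrected one.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/clients
local_enable=YES
write_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
xferlog_enable=YES
"""


def parse_conf(text):
    """Return vsftpd key=value pairs, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means anonymous access is off."""
    conf = parse_conf(text)
    findings = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing
    # key must be treated exactly like an explicit YES.
    if conf.get("anonymous_enable", "YES").upper() == "YES":
        findings.append("anonymous_enable is YES or unset: no credentials needed to log in")
        if conf.get("anon_root"):
            findings.append("anon_root=%s is served to anonymous users" % conf["anon_root"])
    if conf.get("ssl_enable", "NO").upper() != "YES":
        findings.append("ssl_enable is not YES: logins and files cross the wire in clear text")
    return findings


# Constructed log lines in vsftpd's default log format. Anonymous sessions are
# logged under the mapped user (ftp_username, "ftp" by default) and carry an
# "anon password" field on the LOGIN line; named users do not.
SAMPLE_LOG = """\
Tue Mar 10 09:12:44 2015 [pid 2214] CONNECT: Client "203.0.113.5"
Tue Mar 10 09:12:45 2015 [pid 2213] [ftp] OK LOGIN: Client "203.0.113.5", anon password "mozilla@example.com"
Tue Mar 10 09:12:51 2015 [pid 2215] [ftp] OK DOWNLOAD: Client "203.0.113.5", "/clients/tenant-42/passport.pdf", 812344 bytes, 1043.12Kbyte/sec
Tue Mar 10 09:13:02 2015 [pid 2215] [ftp] OK DOWNLOAD: Client "203.0.113.5", "/clients/tenant-42/bank-statement.pdf", 220118 bytes, 980.01Kbyte/sec
Tue Mar 10 11:40:13 2015 [pid 2301] CONNECT: Client "198.51.100.7"
Tue Mar 10 11:40:14 2015 [pid 2300] [partner] OK LOGIN: Client "198.51.100.7"
Tue Mar 10 11:40:20 2015 [pid 2302] [partner] OK DOWNLOAD: Client "198.51.100.7", "/clients/export-2015-03.zip", 91822341 bytes, 4102.00Kbyte/sec
Tue Mar 10 14:05:01 2015 [pid 2410] [ftp] FAIL LOGIN: Client "192.0.2.9"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<status>OK|FAIL) (?P<action>\w+): Client "(?P<client>[^"]+)"'
    r'(?P<rest>.*)$'
)


def scan_log(text, anon_user="ftp"):
    """Summarise anonymous activity: successful logins per client and the
    files those sessions transferred. This is the monitoring the ICO said
    was missing; in production it would run over the live log, not a string."""
    anon_logins = Counter()
    anon_transfers = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "OK" or m.group("user") != anon_user:
            continue
        if m.group("action") == "LOGIN" and "anon password" in m.group("rest"):
            anon_logins[m.group("client")] += 1
        elif m.group("action") in ("DOWNLOAD", "UPLOAD"):
            path = re.search(r'"([^"]+)"', m.group("rest"))
            anon_transfers.append((m.group("client"), path.group(1) if path else "?"))
    return {"anonymous_logins": dict(anon_logins), "anonymous_transfers": anon_transfers}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "config findings:", audit_conf(conf) or "none")
    report = scan_log(SAMPLE_LOG)
    print("anonymous logins by client:", report["anonymous_logins"])
    for client, path in report["anonymous_transfers"]:
        print("anonymous transfer from %s: %s" % (client, path))
```

Two points matter for the check. The configuration audit treats an absent `anonymous_enable` key as YES, because that is vsftpd's built-in default; a server that was never explicitly configured is open. The log scan keys on the `anon password` field rather than on the mapped user name alone, so a local account that happens to be called `ftp` is not mistaken for an anonymous session.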
Because the exposure predated 25 May 2018, the company was fined under the 1998 Data Protection Act, which capped monetary penalties at £500,000, rather than under the more punitive EU General Data Protection Regulation (GDPR), which came into force in EU member states on that date and allows fines of up to €20m or 4 per cent of a company's global annual turnover, whichever is higher. That could have been a significantly larger amount.
We've attempted to contact the company and will update this story if we get a response.
Updated to add on 23 July
A spokesman for Life at Parliament View sent us a statement:
"Life at Parliament View have taken full responsibility for the historic data breach. The regrettable breach took place between 2015-2017 whilst our IT systems were being worked on to facilitate an upgrade to our services. As soon as we were made aware of the severity of the situation, the relevant authorities were informed. We take our legal and moral responsibilities to manage our clients' data seriously and as a result of the incident, we have invested heavily in substantially updating our systems and training of colleagues." ®