Information relating to individuals’ arrears and possession proceedings, which was intended for a consultant using a private email account, was sent to the wrong address in August 2009.
The Information Commissioner’s Office (ICO) found that the data was not encrypted nor password-protected and that similar reports had been emailed without protection every
month since 2005.
Redstone Mortgages was forced to sign an undertaking to ensure that all reports containing personal information would be password protected before being emailed externally in future. The lender must also implement other security measures to ensure that data is protected against unauthorised access.
Sally-Anne Poole, head of enforcement & investigations at the ICO, said: “It is essential that the right procedure is followed and care is taken when sending out emails of this nature. It appears that this method of sending out reports containing personal information has been common practice within the company for a while.”
Fahim Antoniades, group director at Mortgage Centre IFA, said he hoped that firms would use the case as a warning to implement robust systems and prevent against these types of problems.
He added: “Firms must ensure that systems are strong enough to protect against these breaches.
It was an innocent mistake but password protection and encryption are relatively easy to put in place.”
