Data exposed included 18,610 individuals’ personal information such as bank statements, salary details, copies of passports, dates of birth and addresses of tenants and landlords.
The security breach happened when London firm Life at Parliament View (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an Anonymous Authentication function.
This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.
Catalogue of security errors
During its investigation, the ICO said it uncovered a catalogue of security errors and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data.
In addition, LPVL only alerted the ICO to the breach when it was contacted by a hacker.
The ICO concluded this was a serious contravention of the 1998 data protection laws, which have since been replaced by the GDPR and the Data Protection Act 2018.
Exposed to identity fraud risk
ICO director of investigations Steve Eckersley noted that customers had the right to expect the personal information they provided to companies would remain safe and secure.
“That simply wasn’t the case here,” he said.
“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it.
“These shortcomings have left its customers exposed to the potential risk of identity fraud.
“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action,” he added.
Invested heavily in updates
A spokesman for Life at Parliament View told Mortgage Solutions: “Life at Parliament View has taken full responsibility for the historic data breach.
“The regrettable breach took place between 2015-2017 while our IT systems were being worked on to facilitate an upgrade to our services.
“As soon as we were made aware of the severity of the situation, the relevant authorities were informed.
“We take our legal and moral responsibilities to manage our clients’ data seriously and as a result of the incident, we have invested heavily in substantially updating our systems and training of colleagues,” he added.
The firm has until 15 August to pay the fine, and if it does so before 14 August, it will receive a 20 per cent discount.