Financial Services Firm Slapped With £150,000 Data Breach Fine

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Missing tapes at Welcome Financial Services result in a rare ICO fine for a private organisation

The Information Commissioner’s Office (ICO) has fined Welcome Financial Services (WFS) £150,000 for a data breach that saw over half a million customers’ details go missing.

The breach happened in November last year when two backup tapes containing names, addresses and telephone numbers of customers were lost and never recovered.

WFS told TechWeekEurope it accepted the fine and confirmed procedures had been changed.

“WFS has been working closely with the relevant authorities since voluntarily reporting the matter to the ICO. WFS also employed a specialist data security firm, with extensive experience in financial services, to review data security across the group and advise on any necessary improvements,” a spokesperson said.

“While there is still no evidence that the information has fallen into the wrong hands or been used maliciously, WFS takes its obligations to protect personal data of its customers and staff extremely seriously and is implementing all of the changes to its data protection processes recommended by both the ICO and its own independent review. The ICO acknowledges in its penalty notice that remedial action has been taken.”

Baring its teeth

The fine, one of just a handful that have been handed to private companies, came as the ICO released its 2011/12 annual report, in which information commissioner Christopher Graham claimed the watchdog had reached its “Olympic challenge” of becoming the “authoritative arbiter of information rights”.

Yet Graham bemoaned the fact that the ICO had not been recognised by the Leveson Inquiry for being “the first to blow the whistle on Fleet Street practices” in its 2006 publications ‘What Price Privacy?’ and ‘What Price Privacy Now?’

“We are still waiting for the stronger deterrent penalty to the section 55 offence of ‘blagging’ personal information from unsuspecting data controllers,” Graham said in the report.

He claimed the ICO had “bared its teeth” over the last year too, following significant fines on various organisations, most of them local councils and NHS bodies. The biggest penalty was handed to the Brighton and Sussex University Hospitals NHS Trust, but that body is appealing the £325,000 fine.

“This year we have seen some truly shocking examples, with sensitive personal information, including health records and court documents, being lost or misplaced, causing considerable distress to those concerned,” the commissioner added.

“This is not acceptable and today’s penalty shows just how much information can be lost if organisations don’t keep people’s details secure.

“We hope these penalties send a clear message to both the public and private sectors that they cannot afford to fail when it comes to handling people’s data correctly.”

Since gaining the power to fine up to £500,000 for breaches of the Data Protection Act, the ICO has issued 21 penalty notices, bringing the total value of fines to over £2 million. Yet private firms have only been handed a small portion of those penalties.

A Freedom of Information (FoI) request from security company ViaSat discovered in April that despite being responsible for 263 out of 730 self-reported data breaches between 22 March 2011 and 17 February 2012, the private sector only received one financial penalty.