When it comes to the UK’s most loathed professions, estate agents – and those who work in advertising and marketing for that matter – are rarely far from the top, and one London business has done little to make amends after being found guilty of leaving thousands of customer records exposed for nearly two years.
Life at Parliament View, trading as Life Residential, markets itself as one of the top estate agents in the capital, with its website claiming: “With more than 4,500 residential properties across the capital, we have London (and you) covered.”
Sadly, an Information Commissioner’s Office investigation found that it did not have 18,610 customers’ personal details covered at all, leaving them exposed for almost two years.
The security breach happened when the firm transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.
The compromised details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
During its investigation, the ICO uncovered a catalogue of security errors and found that Life Residential had failed to take appropriate technical and organisational measures against the unlawful processing of personal data.
In addition, it only alerted the regulator to the breach when it was contacted by a hacker.
One stroke of luck for the Life Residential team, however, was that the breach occurred before GDPR came into force. The ICO still whacked the business with an £80,000 fine under the Data Protection Act 1998, but this could have been in the hundreds of thousands – possibly even millions of pounds – under the new regulation.
ICO director of investigations Steve Eckersley said: “Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here.
“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”