Estate agency fined £80,000 for LPVL data breach
A London estate agency has been fined £80,000 by the Information Commissioner's Office (ICO) after it left 18,610 customers' personal data exposed for almost two years. LPVL only alerted the ICO to the breach when it was contacted by a hacker.
While this fine is significant, the breach took place before the new data protection regulations came into force. So, the punishment could have been much harsher. For example, in the last few weeks, we have seen the ICO warn both British Airways and Marriott Hotels that it is planning to issue fines of £183.39m and £99.2m respectively for data protection failures.
What happened in the LPVL data breach?
In this case, the data breach occurred when Life at Parliament View Ltd (LPVL) transferred the personal information from its server to a partner organisation. Because LPVL failed to switch off an 'Anonymous Authentication' function, access restrictions were not implemented. As a result, anyone online could have accessed all the data between March 2015 and February 2017.
What information was put at risk in this data breach?
The details exposed by LPVL included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords. If this data has fallen into the wrong hands, the results could be devastating.
What has the ICO said about the data breach?
Investigating this breach, the ICO uncovered a catalogue of security errors. Crucially, it found that LPVL had failed to take appropriate technical and organisational measures to protect the data.
The ICO concluded that LPVL was guilty of a severe infringement of data protection laws.
Commenting on this case, Steve Eckersley, Director of Investigations at the ICO, said:
"Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn't the case here.
"As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
"Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action."
What should you do if you are affected by the data breach?
If you have been the victim of the LPVL data breach, it is vital that you know how to react. Here's what you should do as soon as you find out that your data has been breached.
- Follow any security instructions provided to you by LPVL
- Contact your bank or credit card provider and let them know what has happened
- Keep an eye out for any bills or emails about goods or services you haven't ordered
- Check your bank statements regularly and alert your bank if there is any suspicious activity
- Keep an eye on your credit score for any unexpected dips
- Contact Callcredit, Experian and Equifax to ensure credit isn't taken out in your name
- Do not click on any suspicious links. This could result in you giving a fraudster even more access to your personal or financial details
- Always question uninvited emails, calls etc. in case they are a scam. Instead, contact the company directly using a known email or phone number
- Don't accept friend requests from people you don't know on social media and review your privacy settings
- Report any suspected phishing attempts to the police and Action Fraud
- Register with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you
- Change your passwords and use a different password for every account (if you are worried about remembering them all, you could sign up to a password manager)
- Make sure your devices are protected by up-to-date internet security software
If you want to make a compensation claim following the LPVL data breach, you should contact Hayes Connor Solicitors. You can make a data breach claim for loss of money or emotional distress.
Our expert online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have.
Our initial assessment is always free. We'll ensure that you are fully informed on this matter and will notify you about your legal rights when making a claim.