A Lloyds Bank data storage device stolen from an RSA data centre two months ago contains customer names, addresses, sort codes and account numbers for Lloyds' Premier Account customers who had Royal Sun Alliance emergency home cover attached to their bank account between 2006 and 2012.
This policy comes as a standard part of the £25 pcm packaged account, and the numbers affected have been described as ‘a small number’ and as ‘thousands’. Lloyds has contacted all of them to warn that they may be at risk of fraud and, in a move that some customers may find ironic, is urging them to take out insurance against fraudsters using the data to steal from them – though admittedly, RSA is refunding the £20 fee for two years.
The Organised Crime Unit is investigating the 30 July theft of the device, described as the size of an old-style video recorder, taken from a data room belonging to Royal Sun Alliance (RSA) insurance, which provided the home cover, but so far there is no evidence that the data has been misused.
An RSA spokesman is reported as saying: “We have advised our regulators and are in the process of contacting potentially impacted customers to apologise.
“We are working with the police on a full investigation and although there is no evidence to suggest that this data has been misused in any way, we are offering identity protection with Cifas for two years to provide reassurance to these customers. We recognise this should never have happened and apologise to all customers who have been impacted.”
Jason du Preez, CEO of data privacy company Privitar, commented to SCMagazineUK.com: “This incident highlights the need for a data-centric approach to securing sensitive data. Gone are the days when setting up perimeter security and access controls for personal data were considered sufficient to prevent the mishandling or theft of data. There is now plenty of evidence showing how fallible perimeter security models are and how often data breach or theft can be attributed to human factors. Companies should invest in modern techniques to ensure privacy-preserving algorithms travel with the data so that the data is de-sensitised and of no value if it falls into the wrong hands.”
Simon Gilbert, managing director of Elmore insurance brokers, emailed SCMagazineUK.com to comment on how the case highlighted the difficulties of insuring against data theft: “Suppliers of goods or services have repeatedly been the cause of large claims under crime and cyber-insurance policies. The RSA event shows how hard it is for insurers to underwrite large corporates such as Lloyds and take into account all the possible scenarios of data loss.
“To counter this, insurers often require chapter and verse on critical third party suppliers, which have access to IT systems, such as data processes, cloud storage and application service providers. It is difficult for insurers to probe deeper for companies like Lloyds as the list would run into the thousands; therefore, insurers must rely upon best practice policies and processes to be confirmed in order to manage such risk.”
At a time when encouraging the reporting of breaches is a concern, the following Twitter message demonstrates why some are reluctant to disclose unless obliged to do so:
“@mmlatest You need to act fast; Lloyds data theft could hit thousands; Why you should buy RBS shares http://t.co/jwag1G9ItS.”
The Information Commissioner's Office has been informed, and the City regulator, the Financial Conduct Authority, is said to be working with Lloyds and RSA to ensure those affected are helped. An FCA spokesman was reported by The Guardian as saying: “We will also work with the firms to look at the root causes of the data loss, since we expect all regulated firms to have adequate systems and controls in place so that customers' data is not left at risk.”