http://www.techworld.com/security/news/index.cfm?newsID=10952 By John E. Dunn Techworld 17 December 2007 A UK insurance house has been slapped with a record fine by the Financial Services Authority (FSA) watchdog for incompetent customer account security. The latest offender is Norwich Union, which allowed fraudsters to impersonate customers when phoning its call centres, cashing in policies on an astonishing 74 occasions out of a total of recorded 632 attempts. The criminals 11 suspects have now been arrested were able to steal a total of 3.3 million during the scam, which took place in 2006. The FSA has hit the company with a 1.26 ($2.6 million) million fine, a record for the UK, and even larger than that levied on The Nationwide Building Society earlier this year for losing a laptop full of unspecified customer data in August 2006. The Norwich Union only avoided an even larger fine of 1.8 million ($3.6 million) by promptly settling the charges with the industry regulator, and agreeing to tighten up its procedures. One of the most serious charges was that the company failed to react to the pattern of fraud, allegedly initially only informing customers who had been or were current directors of the company. In other words, the company realised fraud was happening but was unable to put in place extra security to stop further occurrences of fraud from happening. "Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure, said the FSAs Margaret Cole. "It is vital that firms have robust systems and controls in place to make sure that customers' details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft."This fine is a clear message that the FSA takes information security seriously and requires that firms do so too," she added. The Norwich Union for its part claims to have tightened up its procedures, which appear to have been compromised by the ease with which criminals were able to use data taken from a variety of public sources to impersonate policy holders. "We are sorry that this situation arose and apologised to the affected customers when this happened.", Mark Hodges, Norwich Union Life chief was reported to have said. "We have extensive procedures in place to protect our customers but in this instance weaknesses were exploited and we were the target of organised fraud," he said using a degree of understatement. The Norwich Union since has refunded stolen money and reinstated the hacked policies. __________________________________________________________________ Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Mon Dec 17 2007 - 22:23:33 PST