[ISN] Insurer gets record fine for ID theft disaster

From: InfoSec News (alerts@private)
Date: Mon Dec 17 2007 - 22:03:23 PST


http://www.techworld.com/security/news/index.cfm?newsID=10952

By John E. Dunn
Techworld
17 December 2007

A UK insurance house has been slapped with a record fine by the 
Financial Services Authority (FSA) watchdog for incompetent customer 
account security.

The latest offender is Norwich Union, which allowed fraudsters to 
impersonate customers when phoning its call centres, cashing in policies 
on an astonishing 74 occasions out of a total of 632 recorded attempts. 
The criminals - 11 suspects have now been arrested - were able to steal a 
total of £3.3 million during the scam, which took place in 2006.

The FSA has hit the company with a £1.26 million ($2.6 million) fine, a 
record for the UK, and even larger than that levied on The Nationwide 
Building Society earlier this year for losing a laptop full of 
unspecified customer data in August 2006. The Norwich Union only avoided 
an even larger fine of £1.8 million ($3.6 million) by promptly settling 
the charges with the industry regulator, and agreeing to tighten up its 
procedures.

One of the most serious charges was that the company failed to react to 
the pattern of fraud, allegedly initially only informing customers who 
had been or were current directors of the company. In other words, the 
company realised fraud was happening but was unable to put in place 
extra security to stop further occurrences of fraud from happening.

"Norwich Union Life let down its customers by not taking reasonable 
steps to keep their personal and financial information safe and secure," 
said the FSA's Margaret Cole.

"It is vital that firms have robust systems and controls in place to 
make sure that customers' details do not fall into the wrong hands. 
Firms must also frequently review their controls to tackle the growing 
threat of identity theft.

"This fine is a clear message that the FSA 
takes information security seriously and requires that firms do so too," 
she added.

The Norwich Union for its part claims to have tightened up its 
procedures, which appear to have been compromised by the ease with which 
criminals were able to use data taken from a variety of public sources 
to impersonate policy holders.

"We are sorry that this situation arose and apologised to the affected 
customers when this happened," Mark Hodges, Norwich Union Life chief, 
was reported to have said. "We have extensive procedures in place to 
protect our customers but in this instance weaknesses were exploited and 
we were the target of organised fraud," he said, using a degree of 
understatement.

The Norwich Union has since refunded stolen money and reinstated the 
hacked policies.

