Norwich Union Life fined for data control 'weaknesses'

The Financial Services Authority (FSA) has fined Norwich Union Life £1.26m for failing to manage customer data adequately, resulting in financial crimes such as identity theft being committed against its customers.

Aviva PLC, of which Norwich Union Life is a subsidiary, issued a statement on Monday apologising for the fraud. It said, "due to some weaknesses in internal controls, 74 policies were fraudulently surrendered and 558 other customers' policies were placed at risk" over the course of 2006.

According to the FSA, weaknesses in Norwich Union Life's systems and controls allowed fraudsters to use publicly available information, including names and dates of birth, to impersonate customers and obtain sensitive customer details from its call centres. Also, in some cases, they were able to ask for confidential customer records such as addresses and bank account details to be altered.

An FSA statement said: "The fraudsters used the information to request the surrender of 74 customers' policies [resulting in losses] totalling £3.3m in 2006."

The FSA severely criticised Norwich Union Life, saying it had failed its customers.

Margaret Cole, the FSA's director of enforcement, said: "Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure. It is vital that firms have robust systems and controls in place to make sure that customers' details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft."

Norwich Union Life apologised, saying the fraud was unacceptable. The financial services company blamed "organised fraud" for the losses to its customers.

Mark Hodges, chief executive of Norwich Union Life, said: "We are sorry that this situation arose and apologised to the affected customers when this happened. We have extensive procedures in place to protect our customers but in this instance weaknesses were exploited and we were the target of organised fraud. Whilst the number of customers affected is very small compared to the number of policies we manage overall, any breach in customer confidentiality is clearly unacceptable."

Calling the breaches that led to the fine "a perfect example of trusted organisations not placing enough importance on managing personal data", database security company Secerno said the recent spate of public- and private-sector data-loss incidents could shake consumer confidence.

Paul Davie, founder of Secerno, said: "Breaches such as the HMRC's loss of two discs affected 25 million people, while Leeds Building Society recently lost sensitive data relating to workers' payslips and this month, the DVLA compromised 6,000 drivers after losing their sensitive information. Consumers and credit-card companies will no longer tolerate what have now become exceedingly routine data-loss incidents."

Tom Espiner writes for ZDNet.co.uk