The personal details of thousands of Lloyds Bank account holders have gone missing following the suspected theft of a data storage box.
The breach affects any customers who made a claim under a Royal Sun Alliance (RSA) emergency home cover policy attached to their £25 a month Lloyds Premier bank account between 2006 and 2012.
RSA said the storage device disappeared from one of its data centres on 30 July 2015, but it did not notify police until much later as it attempted to resolve the issue ‘internally’. The Organised Crime Unit is now investigating the matter.
A spokesman for the insurance company said:
Unfortunately a data storage device has been reported as stolen from one of our data centres.
We have advised our regulators and are in the process of contacting potentially impacted customers to apologise.
We recognise this should never have happened and apologise to all customers who have been impacted.
The missing device – said to contain customers’ names, addresses, account numbers and sort codes – has been described by the BBC as being quite small and thus portable.
RSA says there is no evidence so far to suggest that the data has been misused in any way. Even so, it has offered customers – who only began to receive notification of the breach last week – free identity theft insurance for two years.
Strangely, the company has asked its affected customers to pay for that protection up front and then request a refund, which seems to go against the principles of good customer service in my opinion.
Affected customers should be on their guard against phishing emails or rogue callers trying to take advantage of the situation. RSA wisely says it will not email or make unsolicited phone calls to customers regarding the incident – a sound approach.
Instead, the company says it will contact impacted customers by post – letters were sent out on 7 September and are expected to arrive no later than 14 September. If you believe you may have been affected but have not heard anything by then, RSA urges you to make contact via email or call the free helpline on 0800 316 8090.
Given the industry it operates in, Royal Sun Alliance has also had to inform not one but three regulators – the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Information Commissioner’s Office (ICO) – the last of which has the power to fine firms up to £500,000 where lapses in data protection are discovered.
While we have no way of knowing how the ICO investigation will proceed, I suspect much will be made of physical security in the data centre and also the level of protection applied to the missing storage device, especially in terms of whether its content was encrypted and, if so, by what means.
While I would like to think that a renowned insurance company such as RSA would use appropriate encryption, not only to remain compliant with the law but, more importantly, to protect its customers’ data, I’m well aware that some companies can make a hash of things, but not in a cryptographic sense.
We only need to look at the recent Ashley Madison breach – and the discovery that some user passwords were only encrypted with a single iteration of the MD5 hashing algorithm – to realise how implementations can sometimes go wrong.
As Paul Ducklin wrote recently in a detailed post entitled “To encrypt or not to encrypt”, good crypto is no silver bullet, but it can be used to mitigate the damage caused by a data breach through the addition of an all-important extra layer of protection.