On December 17, 2007 the United Kingdom Financial Services Authority (FSA) fined Norwich Union Life £1.26 million ($2.54 million) for poor information security, privacy and anti-fraud mitigation systems and controls.
This is the fourth time the FSA has fined a financial services company for inadequate information security, privacy and anti-fraud measures, and it is the largest such fine so far, so the fines appear to be trending upward.
Here are the FSA fines to date:
* March, 2006: £300,000 ($606,499) against Capita Financial Administrators Limited (CFA), a third party administrator of collective investment schemes, for poor anti-fraud mitigation systems and controls.
* February, 2007: £980,000 ($1.9 million) against Nationwide Building Society for having a laptop computer containing sensitive customer data stolen in 2006.
* May, 2007: £350,000 ($707,582) against BNP Paribas Private Bank for weaknesses in its systems and controls that allowed a senior employee to fraudulently transfer £1.4 million ($2.8 million) out of clients’ accounts. (NOTE: It seems odd to me the fine was less than the amount of the fraud.)
* December, 2007: £1.26 million ($2.54 million) against Norwich Union Life.
The FSA document reported that beginning in April 2006, Norwich Union Life had been the target of an organized fraud scheme involving pretexting. Telephone callers, using information obtained from public sources, “contacted Norwich Union Life call centers pretending to be genuine Norwich Union Life customers.”
The FSA said that weaknesses in Norwich Union Life’s systems, procedures and controls had “allowed fraudsters to use publicly available information including names and dates of birth to impersonate customers and obtain sensitive customer details.”
The FSA reported that by providing a customer’s full name, address, postcode and date of birth, callers were able to satisfy the Norwich Union Life caller identification procedures and obtain access to customer information, including policy numbers and bank details.
The fraudsters would then tell Norwich Union Life “to surrender the proceeds of customers’ policies to bank accounts controlled by the fraudsters.”
The fraudsters targeted 632 policies; “there were 74 fraudulent surrenders amounting to approximately £3.3 million ($6.7 million) in total.”
The fraudsters were also successfully “able to ask for confidential customer records such as addresses and bank account details to be altered.”
The FSA reported that according to its investigation Norwich Union Life had failed to “properly assess the risks posed to its business by financial crime, including fraudsters seeking to obtain customers’ confidential information,” making their customers more likely to be financial crime victims.
The FSA said Norwich Union Life had broken Principle 3 of the Authority’s Principles of Business by “failing to take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems.”
Norwich Union Life “did not take reasonable care to establish and maintain effective systems and controls for countering the risks that the firm might be used to further financial crime, specifically the risks relating to the security of confidential customer information and the consequential risk of the surrender of customer policies to third parties impersonating its customers.”
This case provides many lessons for business organizations. Some of these include:
* Social engineering, such as pretexting schemes, is often used by criminals to gain access to customer accounts and financial assets.
* Organizations need to have strong identity verification procedures to ensure they do not give criminals access to their customer accounts. Do not use publicly available information to verify the identity of customers.
* Provide targeted training and ongoing awareness communications to personnel who have direct contact with callers and others who may contact the organization in other ways to gain access to customer accounts.
* Don’t store personally identifiable information (PII) on mobile computers and storage devices. If you must, then encrypt the data!
* Establish controls and flags to prevent and identify insiders who are taking advantage of their authorized capabilities to commit fraud and other crime.
* Regulatory oversight agencies are going to continue cracking down on organizations with inadequate information security and privacy programs and practices. As time goes on, the fines and penalties will get larger. Don’t think that you can wait to get caught with bad security and be given a warning; chances are you will get a larger penalty as time rolls on.
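To make the identity-verification and fraud-flagging lessons concrete, here is an added example (written for this post, not code from the FSA notice or from Norwich Union Life). It models two controls: a caller-verification policy that refuses to authenticate on publicly discoverable attributes alone (the name, address, postcode and date of birth combination that the fraudsters used), and a detection pass over call-center events that flags a policy surrender when the payout bank account was changed shortly beforehand, or when one calling number has acted on several different policies. The attribute classification, the 30-day window, the per-caller threshold, and every customer record and event below are constructed assumptions for illustration.

```python
"""Caller-verification policy and surrender-fraud flags (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Attributes split by whether a stranger could plausibly obtain them from public
# sources. The classification is an assumption for this example; a real firm
# would decide it as part of its financial-crime risk assessment.
PUBLIC_ATTRIBUTES = {"full_name", "address", "postcode", "date_of_birth"}
PRIVATE_ATTRIBUTES = {"policy_number", "security_phrase", "last_premium_amount"}

# Constructed customer record, not real data.
CUSTOMER_ON_FILE = {
    "full_name": "A. Customer",
    "address": "1 Example Street",
    "postcode": "EX1 1AA",
    "date_of_birth": "1960-01-02",
    "policy_number": "P-1001",
    "security_phrase": "blue teapot",
    "last_premium_amount": "42.17",
}


def verify_caller(offered: dict, on_file: dict, min_private: int = 2) -> bool:
    """Authenticate a caller only on non-public knowledge.

    Any answer that contradicts the record fails outright. Matching public
    attributes never count towards the threshold, however many are supplied.
    """
    for attr, value in offered.items():
        if attr in on_file and on_file[attr] != value:
            return False
    matched_private = sum(
        1 for attr in PRIVATE_ATTRIBUTES
        if attr in offered and attr in on_file and offered[attr] == on_file[attr]
    )
    return matched_private >= min_private


@dataclass(frozen=True)
class Event:
    day: date
    policy: str
    kind: str            # "bank_details_changed" or "surrender"
    caller_number: str   # number presented to the call center (constructed)
    payout_account: str  # account the change set or the surrender paid to


def flag_surrenders(events, window_days: int = 30, max_policies_per_caller: int = 2):
    """Return (policy, reason) pairs for surrenders that match the fraud pattern.

    Pattern 1: payout account changed within `window_days` before the surrender.
    Pattern 2: the same calling number has touched more than
    `max_policies_per_caller` distinct policies.
    """
    policies_by_caller = defaultdict(set)
    last_change = {}  # policy -> (day of change, account it was changed to)
    flags = []
    for e in sorted(events, key=lambda ev: ev.day):
        policies_by_caller[e.caller_number].add(e.policy)
        if e.kind == "bank_details_changed":
            last_change[e.policy] = (e.day, e.payout_account)
        elif e.kind == "surrender":
            change = last_change.get(e.policy)
            if change is not None and change[1] == e.payout_account:
                age = (e.day - change[0]).days
                if age <= window_days:
                    flags.append((e.policy, f"payout account changed {age} days before surrender"))
            touched = len(policies_by_caller[e.caller_number])
            if touched > max_policies_per_caller:
                flags.append((e.policy, f"caller {e.caller_number} has acted on {touched} policies"))
    return flags


# Constructed event log: one fraudulent change-then-surrender, one honest
# surrender, one old legitimate account change, and one caller working several policies.
SAMPLE_EVENTS = [
    Event(date(2006, 4, 3), "P-1001", "bank_details_changed", "020-555-0100", "ACC-NEW-77"),
    Event(date(2006, 4, 10), "P-1001", "surrender", "020-555-0100", "ACC-NEW-77"),
    Event(date(2006, 4, 12), "P-1002", "surrender", "0113-555-0199", "ACC-OLD-12"),
    Event(date(2005, 11, 1), "P-1003", "bank_details_changed", "0161-555-0142", "ACC-MOVED-3"),
    Event(date(2006, 5, 1), "P-1003", "surrender", "0161-555-0142", "ACC-MOVED-3"),
    Event(date(2006, 4, 20), "P-1004", "bank_details_changed", "020-555-0100", "ACC-NEW-78"),
    Event(date(2006, 4, 25), "P-1005", "surrender", "020-555-0100", "ACC-NEW-79"),
]

if __name__ == "__main__":
    public_only = {k: CUSTOMER_ON_FILE[k] for k in PUBLIC_ATTRIBUTES}
    print("public attributes only:", verify_caller(public_only, CUSTOMER_ON_FILE))
    for policy, reason in flag_surrenders(SAMPLE_EVENTS):
        print(f"FLAG {policy}: {reason}")
```

The verification function deliberately treats a perfect match on all four public attributes as insufficient; that is exactly the gap the FSA notice describes. The flagging pass is a review queue, not a block: a surrender that trips either rule should be held for a callback to the customer on a number already on file.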