Fraudsters are always searching for ways to exploit technology. Firms holding sensitive information should take data protection very seriously, to protect their customers from identity theft and other illegal activities.
However, fraud becomes another matter entirely when sensitive information falls into the wrong hands because of human error.
Aegon, the insurance company, recently transferred the personal details of around 35 clients to our firm due to an administrative error. This allowed us to see personal information of their customers over the internet and to make changes to their investments.
The error came to our attention after we noticed that the value of investments managed for our clients was higher than expected. Further investigation identified over £1.2 million held across pension plans and other investments incorrectly assigned to our firm. We notified Aegon of the error immediately, but their response was very disappointing.
To put matters in perspective: on-line authority allows ‘advisers’ to change personal information, including investments held by clients. For example, investments held in a pension plan can be sold or switched to other investments using the internet.
Personal information such as bank account and home address details can be changed, and the national insurance number and date of birth can be viewed. This kind of sensitive information would be extremely valuable to fraudsters on the black market.
Fortunately for Aegon, The Whitehall Partnership is one of the ‘good guys’ and their customers' information remained in safe hands.
Aegon agreed with our findings and recorded it as a data protection failure, but their response fell short of our expectations. Following our internal investigation, we wrote to them and requested that all affected clients be notified of the mistake. However, their reply made no mention of this and advised the matter would be dealt with internally.
Their response raises concern and I suspect they have inadequate procedures in place to prevent the same thing from happening again.
Identity theft has wrecked many lives and it starts with criminals obtaining simple information. However, it is far better to have preventative measures in place rather than handing information over on a silver platter.
Firms responsible for holding client data must consider the ‘human element’ to help prevent fraud. Sensitive information may be provided knowingly by rogue employees or unwittingly by incompetent ones. Either way, this leads to the possibility that criminals use this information to defraud the public.
My opinions may be strong, perhaps slightly misanthropic, but data protection should remain flexible. Criminals continually look for weaknesses and will eventually find a gap if existing procedures have not changed or improved.
Firms must look beyond the data protection ‘rule book’ and consider measures to control human error.