Customer data loss leads to unprecedented fine for Zurich

26th Aug 2010

Zurich Insurance has been fined an unprecedented £2.3 million by the UK’s financial regulator for losing confidential data about 46,000 customers.

The Financial Services Authority (FSA) found that an unencrypted back-up tape containing customer information, which included identity data and bank account, credit card and insured asset details in some instances, was lost in 2008 while being transferred to a data storage centre in South Africa.

It took Zurich UK, which had outsourced the data processing activity to Zurich South Africa, a year to notice the error.

The FSA’s director of enforcement and financial crime Margaret Cole said: "Zurich UK let its customers down badly" because it had failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed.

The "cumulative impact" of the firm’s failings represented a "material risk to the FSA’s objectives of reducing financial crime and protecting customers" and companies from across the financial sector "would do well to look at the details of this case and learn from the mistakes that Zurich UK made", she added.

Although the loss of personal data could have resulted in customers losing money or being exposed to the risk of other crime such as burglary and theft, there was no evidence to suggest that the lost information had been compromised or otherwise misused, Cole said.

The fine, which is the single highest to be levied on an individual firm for a data security breach, would have been £3.25 million, but the fact that Zurich UK cooperated with the investigation meant that it qualified for a 30% discount.

Stephen Lewis, chief executive of Zurich Insurance, which is a subsidiary of Switzerland’s Zurich Financial Services Group, admitted: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers’ data."

The firm has since hired KPMG to undertake a review of its data security systems and has appointed a dedicated information security officer.

Replies (1)


By User deleted
03rd Sep 2010 11:37

This fine for Zurich because of lost data on physical storage got me thinking about how people seem to be so worried about their data being in the cloud. In some cases your data is actually safer here. Firstly, I think you’ll find that the majority of SaaS providers take data security extremely seriously and we have built data security measures into not just our SaaS system, but also our HR and CRM processes.

I would also argue that information security isn’t just about keeping your data secret: it’s also about ensuring it is available when you need it, and that it can be believed. In the industry jargon you ensure information’s ‘confidentiality, availability and integrity’.

To read more about our take on data security, visit

