• Send us a message

    Fill in our form and we'll get back to you as soon as possible

    Please enter name
    Please enter your telephone number
    Please enter your email address
    Please let us know which of offices would most convenient for you?
    Please enter the details of your enquiry
    Please enter the verification code
    Send us a message
  • Services for you
  • Services for business

Estate Agency Fined £80,000 for Exposing 18,000 Tenants' Data to Hackers

Businesses that store their clients' personal data are under a strict legal duty to keep it secure and any failure to do so is likely to have serious financial and reputational consequences. An estate agency whose negligence and technical ineptitude left the details of more than 18,000 tenants exposed to hackers found that out when it was fined £80,000 by the Information Commissioner's Office (ICO).

The agency's difficulties began when it used a file transfer protocol server to share large quantities of tenant data with a partner organisation. It configured the server by following online instructions which were wholly inappropriate. Access restrictions were not implemented, so anyone – including anonymous users – could have full access to the data without having to enter a username or password.

The data, which remained exposed for almost two years, included not only tenants' names, addresses and employment details, but also images of their passports, tax returns, utility bills and driving licences. After the vulnerability was detected, it emerged that there had, over the relevant period, been over 500,000 anonymous user logon events involving more than 1,200 unique IP addresses.

Almost eight months after the vulnerability was corrected, the agency was contacted by a hacker who threatened to release personal data gleaned from the server unless he was paid a ransom. Only then did the agency report the matter to the ICO.

In imposing the financial penalty, the ICO found that the agency, as a data controller, had failed to take appropriate technical and organisational measures to ensure the security of the tenants' personal data. The breach, although not deliberate, was serious and had arisen through the agency's negligence. Tenants had been caused distress and the risk that hackers might make malign use of their data extended years into the future. The ICO directed that the penalty be reduced by 20 per cent, to £64,000, if the agency paid that sum within a month.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.