Anatomy of a Breach: Zurich Insurance UK — A Lost Backup Tape and a £2.28 Million Fine

> series: anatomy_of_a_breach —— part: 020 —— target: zurich_insurance_uk —— records: 46,000 —— fine: £2,280,000

Hedgehog Security 31 August 2010 12 min read

46,000 customers. An unencrypted tape. Lost in transit.

In August 2008, Zurich Insurance UK lost a backup tape containing the personal details of approximately 46,000 general insurance customers during a routine data transfer to a data centre in South Africa operated by a third-party outsourcer. The tape was unencrypted. It was never recovered. Two years later, in August 2010, the Financial Services Authority (FSA, now the FCA) fined Zurich Insurance £2.28 million — at the time, one of the largest data protection fines ever imposed by a UK financial regulator.

The compromised data included customer names, addresses, dates of birth, and — for some customers — bank account details, credit card information, and insurance policy details. The FSA's investigation found that Zurich had failed to have adequate systems and controls to prevent the loss of customer data, failed to ensure that the outsourcer had adequate data security arrangements, and failed to adequately oversee the outsourced data management process. The fine was particularly significant because it was imposed by a financial regulator — not the ICO — signalling that data security failures in financial services would be treated as regulatory compliance failures, not just data protection issues.



Outsourcing the process, not the risk.

No Encryption on Backup Media
The backup tape was unencrypted. Encryption of data in transit and at rest — especially on portable media — is a fundamental control. Our <a href="/penetration-testing/infrastructure">infrastructure assessments</a> verify that backup media is encrypted, and <a href="/cyber-essentials">Cyber Essentials</a> requires encryption as a baseline control.
Inadequate Third-Party Oversight
Zurich outsourced the data management to a third party but did not ensure that the outsourcer had adequate security controls. The FSA was explicit: outsourcing a business process does not outsource the regulatory obligation. Our <a href="/blog/sector-under-the-microscope-financial-services">financial services sector analysis</a> examines third-party risk management as a critical concern.
Insecure Data Transfer
Physical backup tapes were shipped internationally without tracking, encryption, or chain-of-custody procedures. This is the same systemic failure seen in the <a href="/blog/anatomy-of-a-breach-hmrc-child-benefit-data-loss">HMRC breach</a>: sensitive data on physical media, transported without adequate protection.
Two-Year Delay in Disclosure
The tape was lost in August 2008; the FSA fine was not imposed until August 2010. The delay in identifying, reporting, and resolving the breach extended the period during which affected customers were exposed without knowing it.
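The chain-of-custody and tracking gap above is the one control a defender can close cheaply, so here is an added example (not Zurich's, the outsourcer's, or Hedgehog Security's code) of a sealed manifest for backup media in transit. The sender hashes every file on the media and authenticates the manifest with an HMAC under a custody key the carrier never holds; the receiving data centre re-hashes the media and verifies the seal, so a missing, altered, substituted or extra file is detected before anything is restored. The custody key, shipment ID and file contents are constructed for the demo, and encryption of the payload itself (an encrypted tape format or an authenticated-encryption archive) is a separate control that this example assumes has already been applied to the files it seals.

```python
"""Sealed chain-of-custody manifest for backup media (added example, not original page code)."""
import hashlib
import hmac
import json
from typing import Dict, List

HASH_NAME = "sha256"


def file_digests(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file on the media, keyed by path and sorted for a stable manifest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def _canonical(body: dict) -> bytes:
    # Deterministic JSON so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(files: Dict[str, bytes], custody_key: bytes, shipment_id: str) -> dict:
    """Build the manifest at the sending site and seal it with HMAC-SHA256."""
    body = {"shipment_id": shipment_id, "hash": HASH_NAME, "files": file_digests(files)}
    body["seal"] = hmac.new(custody_key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_shipment(files: Dict[str, bytes], manifest: dict, custody_key: bytes) -> List[str]:
    """Return findings for the received media; an empty list means custody is intact."""
    findings: List[str] = []
    body = {k: v for k, v in manifest.items() if k != "seal"}
    expected = hmac.new(custody_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("seal", "")):
        # If the seal fails, the file list itself cannot be trusted, so stop here.
        findings.append("manifest seal invalid: manifest altered or wrong custody key")
        return findings
    actual = file_digests(files)
    for path, digest in manifest["files"].items():
        if path not in actual:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(actual[path], digest):
            findings.append(f"altered: {path}")
    for path in actual:
        if path not in manifest["files"]:
            findings.append(f"unexpected file on media: {path}")
    return findings


# Constructed demo data. A real custody key lives in a KMS/HSM at both sites, never on the media.
CUSTODY_KEY = b"constructed-demo-custody-key-not-for-real-use"
SENT_FILES = {
    "customers/2008-08.enc": b"constructed-ciphertext-blob-1",
    "policies/2008-08.enc": b"constructed-ciphertext-blob-2",
}
MANIFEST = seal_manifest(SENT_FILES, CUSTODY_KEY, "SHIPMENT-DEMO-0001")


def demo_tampered_media() -> List[str]:
    """Simulate media arriving with one file replaced in transit."""
    received = dict(SENT_FILES)
    received["customers/2008-08.enc"] = b"constructed-ciphertext-blob-1-substituted"
    return verify_shipment(received, MANIFEST, CUSTODY_KEY)


if __name__ == "__main__":
    print("intact media:", verify_shipment(SENT_FILES, MANIFEST, CUSTODY_KEY) or "OK")
    print("tampered media:", demo_tampered_media())
```

The manifest travels separately from the media (for example over the existing secure channel between the two sites), and the shipment ID in it is what the carrier's tracking reference is reconciled against on receipt. Because the seal covers the whole file list, a partially missing tape is reported as specific missing paths rather than silently restored short, which is the failure mode that left Zurich unable to say what was on the lost tape for so long.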

When the FCA treats data loss as a regulatory failure.

The Zurich fine was significant because it came from the FSA (now FCA), not the ICO. This established the principle that data security failures in financial services are treated as regulatory compliance failures under the FSA's principles for business — specifically Principle 3 (management and control) and the requirement for firms to take reasonable care to organise and control their affairs responsibly. For FCA-regulated firms today, data security failures can result in enforcement action from both the FCA and the ICO — and under SMCR, individual senior managers can be held personally accountable.

Our financial services sector analysis covers these regulatory obligations in detail. For FCA-regulated firms, penetration testing and Cyber Essentials certification provide the evidence of security investment that regulators expect. SOC in a Box for Financial Services provides the continuous monitoring that detects data loss in real-time. And UK Cyber Defence provides the incident response capability that regulatory obligations require.


The FCA fines data security failures. Are you compliant?

Our <a href="/penetration-testing">penetration testing</a> and <a href="/cyber-essentials">Cyber Essentials certification</a> provide the evidence that FCA-regulated firms need. <a href="https://www.socinabox.co.uk/sectors/ifas-wealth-managers">SOC in a Box</a> provides continuous monitoring. Because in financial services, a data breach is not just a security incident — it is a regulatory event.
