The UK's Financial Services Authority has fined insurer Norwich Union £1.26 million for failing to protect confidential customer data - including bank account information - from fraudsters.
The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders.
Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered.
The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006.
The FSA says its investigation found that Norwich Union Life failed to properly assess the risks posed by financial crime and as a result, its customers were more likely to fall victim to identity theft.
Furthermore, the insurer failed to address the issues properly, even when it had been alerted to the problem by its own compliance department.
"Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure," says Margaret Cole, director of enforcement, FSA. "It is vital that firms have robust systems and controls in place to make sure that customers' details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft."
In a statement, Mark Hodges, chief executive of Norwich Union Life, says: "We have extensive procedures in place to protect our customers but in this instance weaknesses were exploited and we were the target of organised fraud."
"Whilst the number of customers affected is very small compared to the number of policies we manage overall, any breach in customer confidentiality is clearly unacceptable," he adds.
Hodges says the firm has "thoroughly reviewed" systems and controls following the FSA's investigation.
Norwich Union Life is the latest in a number of financial service providers that the FSA has fined for failing to protect confidential customer data. In the past two years the watchdog has slapped fines on BNPP Private Bank, Capita Financial Administrators and Nationwide Building Society for failings relating to information security lapses and fraud.
Details of the latest fine come as the UK Chancellor prepares to face questions from MPs about the loss of personal data on 25 million child benefit claimants by HM Revenue and Customs (HMRC) last month. Darling will outline the preliminary findings of a review into the security breach.