Zurich Insurance confesses to data loss

Zurich has acknowledged serious security 'deficiencies'

The UK branch of Zurich Insurance has admitted losing data relating to 51,000 customers during a routine transfer in 2008.

The information was on a backup tape lost en route to South Africa, and Zurich Insurance acknowledged that the incident "revealed deficiencies in the management of data tape security procedures".

The company has written to its customers advising them of the loss, and informing them of what it is doing as a data guardian.

Zurich Insurance has also provided guidance in a special web page detailing what customers can do to further protect themselves.

"We apologise to any customers affected by this unfortunate matter. We take the security of our customers' data very seriously," said Annette Court, European chief executive of general insurance at Zurich Financial Services Group.

"What has happened is unacceptable to us. At this time, our first and foremost concern is our customers, and we are doing all we can to support and assist them in these circumstances and have put in place a dedicated response team to help support them."

Zurich has fulfilled its legal obligation of notifying the UK's Information Commissioner and the Financial Services Authority about the loss.

"We are implementing the necessary steps to minimise the impact of this situation on our customers. Protecting our customers' interests is at the top of our agenda," added Court.

"We are putting a great deal of investment into strengthening our internal processes to ensure that incidents of this nature do not happen again in the future."

The loss has once again raised the issue of how UK citizens' personal information is handled by the organisations in which they put their faith, something that data security firms have been quick to comment on.

"No company should have an excuse for failing to adhere to simple data management practices," said Phil Bridge, managing director at Kroll Ontrack.

"Data is a huge organisational asset, the loss of which is potentially ruinous to revenue and reputation. Companies have an obligation to securely manage personal data, and to implement safeguards to mitigate this information falling into the wrong hands."

A spokesperson for the Information Commissioner's Office (ICO) said: "The ICO takes breaches of individuals' privacy very seriously. Zurich has commenced an internal investigation into how the breach occurred, and will provide us with a copy of the report on completion. The ICO will then assess what regulatory action, if any, should be taken in the circumstances."