Redstone Mortgages breached the Data Protection Act by accidentally revealing 15,333 customers’ account details.
The Information Commissioner’s Office says the breach occurred when the lender emailed personal information relating to 15,333 mortgage accounts to a member of the public by mistake.
The information, which included personal data relating to individuals’ arrears or possession proceedings, was sent to Redstone’s head office and several other recipients as part of a monthly analysis report. It was not encrypted or password-protected and was initially intended for a consultant using a private email address. Instead, the information was sent to a member of the public who had a similar email address.
Redstone Mortgages chief executive officer David Lautier has now signed an undertaking to ensure all reports containing personal details will be password-protected before being sent to an external email address. The agreement also requires that Redstone Mortgages implements other security measures as deemed appropriate to ensure personal data is protected against unauthorised access.
From April 6, 2010, the ICO will have the power to levy fines for serious breaches of the Data Protection Act, which may be as high as £500,000.
In February, Skipton Building Society leaked 3,000 account details when they were accidentally printed on statements sent to other customers.
ICO head of enforcement and investigations Sally-Anne Poole says: “It is essential that the right procedure is followed and care is taken when sending out emails of this nature.
“If personal data falls into the wrong hands, individuals could experience considerable distress. It appears this method of sending out reports containing personal information has been common practice within Redstone for a while.”