Sep 17, 2020 | Articles, GDPR

Estate agency fined

Howard Freeman

Howard Freeman

Estate agency fined £80,000 for failing to keep tenants’ data safe.

The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for almost two years.

The security breach happened at Life at Parliament View Ltd (LPVL). The breach happened when it transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented. Consequently, this allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.

The exposed details included large amounts of personal data. This included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.


During its investigation, the ICO uncovered a catalogue of security errors. They found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data. In addition, LPVL only alerted the ICO to the breach when it was contacted by a hacker. The ICO concluded this was a serious contravention of the 1998 data protection act. The act has now been replaced by the UK GDPR and the Data Protection Act 2018.

Steve Eckersley, Director of Investigations at the ICO said:

“Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here.

“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system. They then failed to monitor it. These shortcomings left its customers exposed to the potential risk of identity fraud.

“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”

The lesson

Should you be retaining sensitive data? Whilst the detail in this case has not been revealed, there is a lesson here. Previous tenants’ data should have been archived and encrypted at least but certainly put beyond use and not left in the open.

We have a constant debate about whether passport details should be retained. Money laundering regulations demand that ID is checked but should YOU retain a passport image? There are companies who offer a manned ID check and are competent to hold passport images. If you cannot do this securely do not do it.

A supplier to use says he has to ID me and hold my record. I have refused. he can see my passport and certify that it is a true likeness in his opinion. If he were to lose my passport image, that is my identity at risk and with it my credit rating.

Therefore, it is safe to say that if your clients were to suffer at your hands like this, they would consider legal action, this represents high risk to YOUR business. Talk to us about how this risk can be mitigated.

GDPR and data protection isn’t a set and forget process, it is a living process, just like your business.

If you want to talk to us please call us on 03333 22 1011 or you can contact us here.


Can we help?