Data recovery provider implicated in Co-op breach
Details of 83,000 Co-operative Life Planning customers were stolen from the servers of a data recovery service provider, ICO finds
An unnamed data recovery service provider was the company from which details of 83,000 Co-operative Life Planning customers were stolen earlier this year, the Information Commissioner's Office has reported.
The company had been engaged to recover a customer data file but, unbeknownst to the Co-operative, it retained the data on its servers after the work was complete. That data was later "hacked into", and its contents were "accidentally made available online", the ICO said today.
Both the ICO and Co-operative Life Planning (CLP) declined requests to name the company in question.
"The ICO’s investigation found that the software support services provider had no authorisation to copy the data from the organisation’s servers and failed to delete the information once the file had been repaired," it said in a statement. "CLP also failed to realise that the data had been transferred on two separate occasions and were unaware that customers’ details had been made available online."
The ICO did not penalise CLP, which manages finance for funerals, as the data breach did not pose a significant risk to the customers in question.
Instead, it sought assurances from CLP that the data was deleted from the data recovery provider's servers, that the data was no longer available online "as far as possible", and that precautions have been taken to prevent such an incident occurring again.
"Ian Mackie, managing director of CLP, has signed an undertaking to ensure that data loss prevention software ... will be introduced across all the company’s servers," the ICO said.
"CLP has agreed to take all the remedial action suggested by the commissioner," the company said in a statement.