Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Dec 19, 2007

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data:

"The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly assess the risks posed by financial crime and as a result, its customers were more likely to fall victim to identity theft."

The official FSA report makes interesting reading, disclosing for instance that fraudsters were using information obtained legitimately from public records held at Companies House to respond to authentication questions.

The company has since smartened up its act with better policies, procedures and (hopefully) compliance activities but I doubt that even it would claim to be immune to social engineering risks. Pretexting is a relatively cheap and easy form of attack and the juicy personal data in such databases is clearly luring fraudsters.