Estate agency fined £80,000 for failing to keep tenants’ data safe
Estate Agency in London fined nearly STG£80,000 for Privacy Breach
The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers' personal data exposed for almost two years.
LiFE Residential mainly acts as a letting and management services company for modern apartments in London, for clients worldwide, and it also has a re-sales department.
The ICO found that the company had failed to comply with the UK's Data Protection Act (DPA) 1998, which implements the EU Directive of 1995 (95/46/EC).
In 2015 the company joined with a partner to share and synchronise files for property lettings. They did this by setting up an FTP server, which was intended to use Microsoft Basic Authentication to protect the security and integrity of the data. But Life Residential inadvertently misconfigured the server, enabling access without authentication and without restriction. The exposed data included names and contact details, employer details, financial details and copies of ID documents such as passports.
Life Residential discovered the breach in February 2017 but didn't tell the ICO at the time. The breach was reported in October 2017 after a hacker threatened the company.
The overall lesson to be learnt from the above is that estate agents need to ensure that their practices and procedures comply with the GDPR and with any locally applicable regulations in the countries in which they operate, or they could face fines far in excess of STG£80,000, or an instruction from a Supervisory Authority to cease processing the data.
You can access the full ICO ruling on their website at