Life insurer Norwich Union was hit with a £1.26 million fine yesterday after a failure to protect customers' confidential details exposed almost seven million people to fraud.
Norwich Union Life was hit with the penalty after fraudsters netted £3.3 million using publicly available data such as names and dates of birth to gain customer-sensitive information from its call centres.
The criminals used the details to cash in the policies of 74 customers. Norwich Union Life has 6.8 million UK customers.
Financial Services Authority enforcement director Margaret Cole said: "Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure."
The FSA said fraudsters had in some instances been able to ask for confidential customer records, including addresses and bank account details, to be changed. The criminals targeted 632 customers in total.
Norwich Union Life failed to properly assess the risks to its business of financial crime and its customers were more likely to fall victim as a result, the City's watchdog added. The business even failed to act "in an appropriate and timely manner" when the risks were flagged up by its own compliance department, the FSA said.
Ms Cole added: "It is vital that firms have robust systems and controls in place to make sure that customers' details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft."
Mark Hodges, chief executive of Norwich Union Life, said the lapses were "clearly unacceptable".
He said: "We are sorry that this situation arose and apologised to the affected customers when this happened. We have extensive procedures in place to protect our customers but in this instance weaknesses were exploited and we were the target of organised fraud."
Mr Hodges added that Norwich Union had fully reimbursed the 74 customers hit, and cooperated with the FSA and police to tackle the fraud. There have been 11 arrests so far.
The fine has been imposed on the five companies which make up the Norwich Union Life group. It is the FSA's largest-ever collective fine against one body for fraud, but would have been even higher - £1.8 million - if not for the company's early settlement.
The watchdog has also imposed fines on three other banks and building societies of more than £1.6 million in total for security lapses in the past two years. Nationwide was fined £980,000 in February.
The FSA said the failings at Norwich Union Life happened "at a time of increasing awareness across the UK about the importance of information security".
In November, Chancellor Alistair Darling caused a furore after admitting that two discs containing the confidential details of all 25 million child benefit recipients had been lost in the post.
Last week the Driver and Vehicle Licensing Agency in Swansea was also hit with serious data losses. Two discs containing the details of more than 7,000 motorists went missing in the post between the Northern Ireland Driver and Vehicle Agency in Coleraine, Co Londonderry, and the DVLA.