Britain's financial regulator has fined a unit of insurer Aviva £1.26 million for exposing its customers to the risk of fraud, one of the largest UK penalties to date for information security failures.
The watchdog said weaknesses in systems and controls at Norwich Union Life, one of the UK's largest life insurers, allowed fraudsters to impersonate customers and obtain sensitive details from its call centres.
In some cases, they changed addresses and bank account details, helping them to then cash in policies totalling £3.3 million last year.
"During its investigation, the FSA found that Norwich Union Life had failed to properly assess the risks posed to its business by financial crime, including fraudsters seeking to obtain customers' confidential information," the FSA said. "As a result, its customers were more likely to fall victim to financial crimes such as identity theft."
The FSA also said the life insurer failed to address the issues swiftly, even after they were identified by its compliance department.
In a separate statement, Norwich Union said weaknesses in its internal controls had meant 74 policies were fraudulently cashed in and 558 other policies were placed at risk.
"Our customers can, however, be assured that we have taken this matter extremely seriously and have thoroughly reviewed our systems and controls as a result," Mark Hodges, Norwich Union Life chief executive, said.
"All of our 7 million customers are protected by our promise that they will be fully reimbursed and will get help and support if they are the innocent victims of fraud."
Norwich Union Life cooperated with the probe and agreed to settle at an early stage, qualifying for a 30 per cent discount on the penalty. Without that, it would have faced a £1.8 million fine, according to the FSA.
The penalty is well behind the £17 million fine levied by the FSA against Shell in 2004 for market abuse and is the eighth largest on record for the FSA.