Scottish Widows said it has strengthened its controls after sending a cheque for more than £14,000 to the wrong recipient, a company that was not a policyholder.
In 2018, a company owner, who was not a policyholder with Scottish Widows, received a pension statement from the provider.
The statement included details such as national insurance numbers and membership numbers, as well as other sensitive information.
The owner of the company contacted Scottish Widows to flag that he was not a policyholder and that the personal information did not belong to him; the provider assured him it would not happen again.
According to the owner, the same thing happened a year later, with Scottish Widows apologising and sending him a hamper for the inconvenience.
In February this year, the company owner was sent a third letter from the provider, seen by FT Adviser, containing a cheque addressed to his company for more than £14,000.
The letter said: “Following a review of your group personal pension, we found an error made on the policy and therefore are sending you a payment for £14,427.65.”
The company owner contacted Scottish Widows once again to flag that his company did not have a policy with the provider and had been sent the cheque by mistake.
According to the owner, the provider apologised and sent him a £250 cheque “for his time”.
'Isolated incident'
Scottish Widows confirmed that all three items of correspondence above were sent in error and said it was an “isolated case”, for which it apologised.
It is understood that, in an attempt to return money to an employer over a historic scheme, Scottish Widows used a third-party company to help trace the employer’s current contact details and was provided with an exact match on the company name.
It is also understood that the company Scottish Widows was attempting to reach had been wound up in 2013.
A spokesperson for Scottish Widows said: “We take our GDPR responsibilities extremely seriously and are sorry that in this isolated case we sent information to a third party by mistake.
“We’ve carried out a comprehensive review of our processes and have introduced further control enhancements to ensure this won’t happen again.”
In 2018 the General Data Protection Regulation came into effect, which gave the Information Commissioner’s Office greater powers to tackle data breaches.
For example, in the most serious cases, companies can now be fined up to €20mn (the UK GDPR sets the fixed cap at £17.5mn) or 4 per cent of annual worldwide turnover, whichever is greater.
Before GDPR, the ICO could fine a maximum of £500,000.
According to the owner, after contacting the ICO to report the data breach he was told that Scottish Widows needed to self-report the breach.
A spokesperson for the ICO told FT Adviser it has not received a breach report in connection with the above.
"The UK GDPR introduced a duty on all organisations to report certain personal data breaches to the ICO, and the onus is on the organisation to report a breach. Organisations have 72 hours from when they became aware of a breach to report to the ICO, unless it does not pose a risk to people’s rights and freedoms.