Financial Ombudsman Service decision
Royal London Mutual Insurance Society, Limited · DRN-6261932
The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.
Full decision
The complaint
Mr M complains about Royal London Mutual Insurance Society, Limited (THE) (‘Royal London’) providing information about his pension policy to another firm, and Mr M says that Royal London didn’t have the authority to do this.
What happened
Mr M had a Royal London pension plan and monies from this were transferred to a different provider in 2020. An adviser at Firm K contacted Royal London in 2025 to request some information about this plan. Firm K had previously been Mr M’s financial adviser, but Mr M explains that it hadn’t been since July 2021. And Royal London hadn’t received authority from Mr M to discuss the plan with Firm K when it was contacted in 2025.
Royal London sent an internal email, that a Firm K adviser was copied into, on 10 June 2025 at 10:23 in which it was noted that:
“Hello team
[first name of Firm K adviser] has to reply to the FCA and the Ombudsman imminently with the following information for his client:
-[Mr M’s name detailed] (apologies if the spelling is incorrect, I cannot access the plan as I believe it has exited)
-[Mr M’s policy number detailed]
-[Mr M’s date of birth detailed]
-[Mr M’s national insurance number detailed]
-What was the actual amount transferred into the policy upon opening?
-Was this crystalised or uncrystallised?
-What was the charging structure eg Initial percentage, ongoing percentage and/or adviser fee?
-At the time throughout the life of the policy from opening, were there any regular premium [sic] coming in?
If we can send over to [first name of Firm K adviser], copied in above ASAP that would be appreciated, he can also be contacted on [telephone number] if you have any further queries.”
(bold my emphasis)
There is then a further internal email later the same day at 12:25, which the same Firm K adviser is copied into, where it’s explained that:
“Hello team
Slight addition from [first name of Firm K adviser] please see below:
Hi slight correction please.
The amount that was transferred out to [name of receiving scheme] and on what date.
Regards
[first name of Firm K adviser]”
(bold my emphasis)
There is then an internal email the same day, which the Firm K adviser isn’t copied into, where one Royal London employee asks another who the Firm K adviser is and whether the policy number listed in the initial 10 June 2025 email I’ve mentioned above is correct. It’s explained by the Royal London employee that they can’t see any reference to Firm K on the policy, so they are wanting to check they’re looking at the correct policy.
This email is then replied to by a second Royal London employee who confirms that [first name of the Firm K adviser] is an adviser at Firm K and that “I have given the correct details as provided by [first name of the Firm K adviser].” The second Royal London employee also then goes on to inform his colleague that the Firm K adviser is shown “as an adviser at a firm on my panel. This is all I get to see so definitely speak directly to him to make sure you are happy with the details and his verification.”
Following further internal conversations (which the Firm K adviser isn’t copied into), Royal London’s policy team notes, on 24 June 2025, that without a letter of authority signed by Mr M then Royal London can’t provide any information to Firm K.
Royal London then sends a further internal email on 3 July 2025 which the Firm K adviser is copied into. In this email it’s explained that a request was sent to Royal London’s policy information team on 10 June 2025. The amount that was transferred from Mr M’s Royal London plan to the receiving scheme, including a crystallised and uncrystallised breakdown, and the date of transfer are set out in the email. It’s also stated that:
“Not sure if Policy information has got back to you regarding the following two questions the [sic] [first name of Firm K adviser] asked, I have cc them into this email so they can respond.
What was the charging structure eg Initial percentage, ongoing percentage and/or adviser fee?
At the time throughout the life of the policy from opening, were there any regular premium coming in?
I have cc in [first name of Firm K adviser] so he can see the response.”
After Mr M contacted Royal London about a potential data breach, Royal London emailed Mr M on 22 August 2025. Royal London said that on 12 August 2025 Mr M had asked it to make sure no information about his policies was sent to Firm K. Royal London explained it had, in fact, already sent information to Firm K about the transfer of Mr M’s pension plan.
Royal London said it had been asked for information about Mr M’s plan by Firm K in June 2025, and that Firm K told it that it wanted the information to answer questions from this Service. Royal London said that its policy team had (initially) correctly declined the request as there was no authority to share information with Firm K on its records. Royal London explained that one of its employees had (subsequently) internally emailed another Royal London employee in respect of the request and Firm K had been copied into that email.
Royal London apologised for this failing and offered Mr M a £250 payment for the upset its error had caused. Royal London also confirmed that the failing would be recorded on its breach register.
I can see Royal London also emailed Firm K on 22 August 2025 and explained to it that it had sent information to Firm K on 3 July 2025 when it shouldn’t have. Royal London asked Firm K to delete that email and to confirm to it that the email had been deleted. Firm K replied and said, amongst other things, that it had received the same information from a different firm (who wasn’t Royal London), so deleting the Royal London email would be “fine”.
Mr M didn’t accept the offer of £250 and referred his complaint to this Service.
In correspondence with Royal London, Mr M explained that this Service had previously made an award against Firm K in respect of unsuitable pension advice it gave him. Mr M highlighted that a previous Firm K adviser had moved elsewhere and taken client information with him, following which Firm K was left with very little information about that adviser’s previous clients (which included Mr M). Mr M said that this was why Firm K was unable to calculate the award this Service had made against it. Further, that as Firm K hadn’t settled the award against it, Mr M had applied to the Court “for a writ from non payment”.
Mr M explained that Firm K had been told by this Service to contact Royal London to obtain a notional valuation. But Firm K had instead gone on a “fishing expedition” to gather information from Royal London and two other firms which has “resulted in 3 data breaches and 1 act of fraud [with Firm K] citing they had the authority of the FOS and FCA”.
Mr M also explained, amongst other things, in previous submissions we’ve seen that:
• The data breach has caused problems as there was an on-going Court case against Firm K.
• He was in the last stages of a Court case about Firm K transferring him into an unsuitable pension arrangement.
• Firm K hasn’t been his adviser since July 2021.
• He was prepared to accept a payment of £500 and, if agreed, he would give this to a charity of his choice.
• Compensation of £500 is a low figure compared to the upset and trouble the data breach had caused.
• He has health issues and the failings he’s encountered have had a toll on his health.
One of our investigators issued an assessment on Mr M’s complaint and concluded that there were failings by Royal London in respect of the data breach but that Royal London’s offer of £250 was fair and reasonable in the circumstances.
Mr M wasn’t in agreement that £250 was an appropriate amount and he asked for his complaint to be reviewed by an Ombudsman. Amongst other things, Mr M said that:
• The breach was deliberate in nature.
• The breach was not a one-off.
• The breach included details of the exact crystallised and uncrystallised values that were transferred and the date monies left the scheme. It also included confirmation of his national insurance number and date of birth, which are core personal identifiers, and this has increased the distress he experienced.
• The evidence suggests the disclosure only occurred “after multiple unauthorised access events” to his record by an employee of Royal London.
• Royal London “verified [his] identity and financial status” to Firm K after being told it shouldn’t do so. This represents a systemic failure of its data protection controls.
• By providing this information, Royal London actively intervened in an ongoing legal dispute he had with Firm K.
• A £250 award does not rectify the fact that his data is now in Firm K’s hands and that it’s using this information against him.
• Where an incident involves “multiple unauthorised access events, the disclosure of key identity information, and circumstances suggesting [Firm K] was consciously included, it may reasonably be viewed as more serious than a simple administrative error.”
What I’ve decided – and why
I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint.
When considering what’s fair and reasonable in the circumstances, I need to take account of relevant law and regulations, regulator’s rules, guidance and standards, codes of practice and, where appropriate, what I consider to have been good industry practice at the relevant time.
The parties to this complaint have provided detailed submissions to support their position and I’m grateful to them for doing so. I’ve considered these submissions in their entirety. However, I trust that they won’t take the fact that my decision focuses on what I consider to be the central issues as a discourtesy. To be clear, the purpose of this decision isn’t to comment on every individual point or question the parties have made, rather it’s to set out my findings and reasons for reaching them.
Where the evidence is incomplete, inconclusive, or contradictory, I reach my decision on the balance of probabilities – in other words, what I consider is more likely than not to have happened in light of the available evidence and the wider circumstances.
It’s accepted by Royal London that it provided information to Firm K when it shouldn’t have done, so the focus of this decision is the extent of the data breach and what, if any, compensation Royal London should pay Mr M in respect of this.
Regarding the 10 June 2025 emails; I’ve emboldened sections of two of the emails from 10 June 2025 in the “What happened” section above, and my reason for highlighting these sections is I think it’s more likely than not that at least some of the emboldened information was information Royal London had received from the Firm K adviser (for example, I think it’s far more likely than not Mr M’s first and surname were given by the adviser), which Royal London was then passing on to the appropriate team to look into. That is how those sections read to me.
However, on the available evidence, I can’t be sure whether all of Mr M’s policy number, date of birth and national insurance number was referenced in the Firm K adviser’s original request and was simply being relayed. Or, alternatively, whether some of this information (and, if so, which information) was introduced by Royal London into that email and hadn’t been referenced by the Firm K adviser. So, in the absence of clarity on this issue, I’ve proceeded on the basis that Mr M’s policy number, date of birth and national insurance number were introduced into the 10 June 2025 email correspondence (which the Firm K adviser was copied into) by Royal London.
Regarding the 3 July 2025 email, I’m in agreement with Mr M that the Firm K adviser was consciously copied into that email, I think that’s clear from the content of the email. I’m satisfied Royal London acted negligently in providing the information to Firm K on 3 July 2025 (by copying the Firm K adviser into the email), but I don’t think it’s more likely than not the Royal London employee who sent the 3 July 2025 email was acting in bad faith when they did so. I think it’s more likely than not that the Royal London employee who sent the 3 July 2025 email either hadn’t read the content of the previous internal correspondence about not providing information to Firm K without appropriate verification first being obtained, or else they negligently overlooked the content of that correspondence.
So, I think the extent of the data breach was that it included, amongst other things:
• Limited information about a transfer away from a plan that was effected over five years prior to July 2025 (including the plan number, amount, value and date of transfer and the proportion of the transfer value that consisted of crystallised and uncrystallised monies).
• Mr M’s date of birth and his national insurance number.
Some of the information was included in the initial 10 June 2025 emails that the Firm K adviser was copied into, some was in the 3 July 2025 email and some was in both (for example, Mr M’s name and plan number appeared in both). And I’m satisfied both the 10 June 2025 correspondence and the 3 July 2025 correspondence were in relation to the same Firm K request referenced in the 10 June 2025 emails.
Having considered all of this, I’ve gone on to think about the impact of these disclosures and what, if any, compensation I think is appropriate in this complaint.
I’ve taken into account the comments Mr M has made in respect of his ongoing Court case with Firm K. But, as our investigator highlighted to Mr M, we’ve not been provided with persuasive evidence that Royal London’s data breach, and the provision to Firm K of the limited information about the plan I’ve referenced above, has led to Mr M suffering a financial loss that wouldn’t otherwise have been suffered but for this disclosure. We haven’t, for example, seen any comment from the Court that the information Royal London provided to Firm K resulted in the Court reaching a conclusion on the case that it wouldn’t have arrived at in any eventuality (if, in fact, a conclusion has been reached).
And I think the same is true about any provision to Firm K of Mr M’s date of birth, policy number and national insurance number.
I was sorry to learn of Mr M’s health issues in the submissions he made to this Service. I recognise finding out about Royal London’s failings will have been very upsetting to him and that these failings did have an impact on him. I do think it’s appropriate that he receive some compensation for this.
Having carefully considered all of the submissions Mr M has made about the impact Royal London’s actions had on him, and having regard to the nature and extent of the information Royal London provided, like our investigator I’m also of the opinion that the £250 Royal London previously offered is a fair level of distress and inconvenience payment in this complaint and I make no further award in addition to this.
My final decision
My final decision is that I uphold Mr M’s complaint and I direct Royal London Mutual Insurance Society, Limited (THE) to pay Mr M the £250 it previously offered him if it hasn’t done so already.
Under the rules of the Financial Ombudsman Service, I’m required to ask Mr M to accept or reject my decision before 27 April 2026.
Alex Mann
Ombudsman