Insurance firm Norwich Union has been fined £1.26m ($2.5m) by the Financial Services Authority (FSA) after customers lost £3.3m through identity fraud.
Slack security checks at its call centre let fraudsters impersonate customers and cash in their policies.
The FSA said the company had failed to deal with the issue properly even when it had been alerted to the problem.
The regulator said Norwich Union’s controls had been “particularly poor”, leading to a record fine.
“Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure,” said the FSA’s director of enforcement, Margaret Cole.
“It is vital that firms have robust systems and controls in place to make sure that customers’ details do not fall into the wrong hands.”
The fraudsters tried to steal money from 632 policies during 2006 and succeeded in 74 cases.
The money has now been repaid by the company and the policies have been reinstated.
Eleven people have been arrested by the police in connection with the crime.
Mark Hodges, chief executive of Norwich Union Life, said: “We are sorry that this situation arose and apologised to the affected customers when this happened.”
“We have extensive procedures in place to protect our customers but in this instance weaknesses were exploited and we were the target of organised fraud,” he said.
Norwich Union said it had now stepped up its security checks.
“We have taken this matter extremely seriously and have thoroughly reviewed our systems and controls as a result,” said the company.
“All of our seven million customers are protected by our promise that they will be fully reimbursed and will get help and support if they are the innocent victims of fraud,” it said.
However, the FSA pointed out that if the company had done this when its own staff alerted it to the first successful frauds then most of the subsequent problems would have been prevented.
The only policy holders who were warned initially about the frauds against them were those who were current and past directors of Norwich Union companies.
The FSA took a very dim view of Norwich Union’s lax security.
The regulator has for several years been reminding financial services companies to be vigilant and to have robust security checks in place.
But at Norwich Union the fraudsters gained people’s names, addresses and dates of birth from public information, for instance from Companies House, used this to impersonate them, and then persuaded call centre staff to divulge further information.
In some cases this led to addresses and bank account details being altered which in turn paved the way for a subsequent request for a life insurance policy to be cashed in.
Fraudsters managed to use information gathered from Companies House to trick Norwich Union into revealing details of customer policies.
They then notified the company of a change of address and arranged to surrender a policy worth £15,000, the proceeds of which were paid into a separate bank account before being withdrawn.
The money was refunded, but customers criticised the company and the police for not taking the issue more seriously.
One customer told the BBC: “I got a sense from all parties that there was a lot of this going on, but they didn’t want people to know how much was going on, nor did the police, and it suited everybody not to make a big fuss about it.”
The FSA said the danger went beyond those who had actually lost money.
“Regardless of whether a policy was surrendered or not, confidential customer information regarding the policy was disclosed to the fraudsters in almost all of those 632 cases,” said the FSA.
“In some cases, this included the customer’s full bank account details,” it added.