Data privacy watchdog the Information Commissioner’s Office (ICO) has handed out a £180,000 fine to The Money Shop after the nationwide money lender lost servers said to have contained the details of thousands of customers.
In two separate incidents reported to the regulator, one server was stolen from the company’s office in Lurgan, Northern Ireland, and a month later a second server was lost by a courier firm in Swindon.
The ICO said in a statement that the encryption on neither machine was strong enough for The Money Shop to be confident that the customer records and employee details held on them could not be accessed.
The company’s policy was that servers should be kept in a locked room separate from the rest of the business, but the ICO claimed that in several stores there was no such room.
The firm also regularly transported unencrypted servers between its head office in Nottingham and its branches nationally, and old customer records were not deleted, according to the watchdog.
ICO head of enforcement Steve Eckersley said he hoped the case would serve as an example to other organisations.
“Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and securely. Our investigations discovered that this wasn’t the case and that this information was regularly left exposed when equipment was moved around the country,” he said in a statement.
“There was potential for fraud and financial loss to customers which is unacceptable and in both cases, had the data been properly encrypted, the damage and distress to customers and the monetary penalty could have been avoided.”
Jason du Preez, CEO of privacy firm Privitar, said the case highlights the fact that many firms need to evolve their “governance frameworks and technology solutions” to cope with a growing data security threat.
“After all, these data breaches are not just embarrassing to the organisations involved. They can have really serious financial and personal consequences for your users, destroying consumer trust and loyalty,” he added.
“Embracing a data-centric approach to data security and privacy and a process that ensures only essential data is visible in any given process – privacy-by-default – is essential if consumers are to continue to trust companies with, what should be, their very private financial data.”