Payday lender The Money Shop has been fined £180,000 by data protection watchdog the Information Commissioner’s Office (ICO) after the loss of two computer servers, each containing a great deal of customers’ personal information.
The firm first had a server stolen from its branch in Lurgan, Northern Ireland in April 2014. The second incident occurred in May 2014 when a courier firm lost a further server in Swindon. In neither case was there sufficiently rigorous encryption of the data in place. At Lurgan, the server was not stored in a locked room, separate from all the other servers, in spite of this being company policy. Unencrypted servers were also transported between Head Office and The Money Shop’s branches on a regular basis.
In each case the personal data of several thousand customers, and some of the firm’s employees, went missing. The two servers have still not been recovered, as of mid August 2015.
The Money Shop is entitled to appeal against the fine to the First-Tier Tribunal (Information Rights), but has not indicated whether it will do so.
The ICO’s Head of Enforcement, Steve Eckersley, said:
“Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and securely. Our investigations discovered that this wasn’t the case and that this information was regularly left exposed when equipment was moved around the country. There was potential for fraud and financial loss to customers which is unacceptable and in both cases, had the data been properly encrypted the damage and distress to customers and the monetary penalty could have been avoided.
“Hopefully it’s an example to other organisations, whatever business they may be in, that the safety of personal information must be taken seriously. Policies and procedures must be put in place or we will take action.”
In a statement, The Money Shop’s parent firm Dollar UK said:
“Dollar UK reiterates its apologies to any customers who have been affected by these incidents.
“Since these events took place, Dollar UK has come under new ownership and management, implementing a complete review of IT and systems security including the replacement of those responsible for managing this essential element of business infrastructure and consumer confidence.”
The incidents serve as a warning to firms in all business sectors of the importance of having robust IT security arrangements in place, particularly for personal data held on equipment that is moved between sites.
Measures a firm can take in this area include:
• Installing a firewall and virus checking software
• Ensuring staff only have access to the information required to perform their role
• Taking back-ups of information on a regular basis and keeping these in a separate place
• Not disposing of old computers until all the personal data on them has been securely removed
• Installing anti-spyware
• Instructing staff to use ‘strong’ passwords – passwords that have a combination of upper and lower case letters, numbers and other keyboard symbols
• Installing spam filtering software
• Ensuring staff are trained not to respond to emails or other communications asking for information such as PINs and passwords
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.