ICO issues yet another hefty fine for a security breach

Companies are advised to encrypt their personal data as the UK’s Information Commissioner (ICO) fines yet another firm for a data breach caused by slack security measures. On 6 August, the ICO announced that it had issued a £180,000 civil monetary penalty to The Money Shop after the company lost computer servers containing details of several thousand customers.

One server was stolen from the company’s branch in Lurgan, Northern Ireland, and a month later a second server was lost by a courier firm in Swindon. Neither server had sufficient encryption for the company to be confident that the information it contained could not be accessed, the ICO says.

Apparently the company policy was to store servers in a separate locked room, but an ICO investigation found that the Lurgan store, and a significant number of other Money Shop branches, did not have separate rooms that could be used in this way. The company also regularly transported unencrypted servers between its head office in Nottingham and its branches nationally.

ICO’s Head of Enforcement, Steve Eckersley, said: “Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and securely. Our investigations discovered that this wasn’t the case and that this information was regularly left exposed when equipment was moved around the country. There was potential for fraud and financial loss to customers, which is unacceptable, and in both cases, had the data been properly encrypted, the damage and distress to customers and the monetary penalty could have been avoided.”

The Money Shop offers foreign exchange, short-term loans, pawnbroking services and Western Union money transfers. Breaches of security (principle 7 of the UK Data Protection Act) are by far the most common reason for a data breach – see ICO statistics.

The July edition of PL&B UK Report has an article, “ICO’s Operation Spruce involves cooperation with other agencies” which explains the ICO’s enforcement methods, based on a presentation by ICO’s Head of Enforcement, Steve Eckersley, at PL&B’s 28th Annual International Conference, Cambridge, in July.