The Information Commissioner's Office (ICO) has announced that it has imposed a civil monetary penalty of £150,000 on Welcome Financial Services after it lost more than half a million customer details.
Following the publication of its annual report, the ICO said that the fine against the consumer lender was issued after its business division lost two back-up tapes that contained personal details of employees and customers. The tapes were lost in November last year and have never been recovered.
The ICO undertaking found that two business divisions of the data controller, Shopacheck and another that was unnamed, maintained back-ups of the Shopacheck local area network (LAN) for each working day to 1.6TB tapes, which could hold two complete back-ups. Following the back-up procedure, the tapes were transported to a secure IT room.
In November, a box of 20 tapes was moved to Shopacheck's communications room and used to back-up the LAN. However on the 23rd November 2011, two tapes were noticed to be missing from the box at the communications room and an investigation found that they had been missing since late October.
The ICO found that the data on the tapes consisted of personal information of current and former employees of Shopacheck from 2002 to 2010, as well as 8,000 agents. There were also 1.94 million customer records of the Welcome Financial Services and Shopacheck.
The ICO said that it understands that both tapes were unencrypted, although they could only be accessed using specialist IT hardware and software. Welcome Financial Services has now taken remedial action to include an internal review of its IT systems to identify and encrypt any remaining data and systems. The ICO also said that 26 formal complaints had been received in relation to this incident.