In two separate incidents, one server was stolen from the company’s branch in Lurgan, Northern Ireland, and a month later a second server was lost by a courier firm in Swindon. Neither server had sufficient encryption systems for the company to be confident that the information they contained could not be accessed. The servers, which have still not been recovered, held large numbers of local and national customer records and employee details.
The ICO’s Head of Enforcement said:
“Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and securely.
“Our investigations discovered that this…information was regularly left exposed when equipment was moved around the country. There was potential for fraud and financial loss to customers which is unacceptable and in both cases, had the data been properly encrypted the damage and distress to customers and the monetary penalty could have been avoided.”