The Money Shop fined after data breach
The ICO issued the penalty after servers were lost in two separate incidents. The regulator identified several major security shortcomings on the part of the payday lender, including a failure to keep servers isolated in a locked room, a failure to properly encrypt customer data, and the “widespread practice” of transporting servers between the firm’s HQ in Nottingham and its nationwide branches.
The servers remain missing; the ICO deems the payday lender’s encryption standards to be poor, and believes it is possible the data has been accessed as a result.
“Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and secure – our investigations discovered that this wasn’t the case and this information was regularly left exposed when moved around the country,” said the ICO’s head of enforcement, Steve Eckersley.
“There was potential for fraud and financial loss to customers which is unacceptable and in both cases, had the data been properly encrypted the damage and distress to customers and the monetary penalty could have been avoided.
“Hopefully it’s an example to other organisations, whatever business they may be in, that the safety of personal information must be taken seriously. Policies and procedures must be put in place or we will take action.”
Dollar UK, the parent company of The Money Shop, apologised to customers.
“Since these events took place, Dollar UK has come under new ownership and management, implementing a complete review of IT and systems security including the replacement of those responsible for managing this essential element of business infrastructure and consumer confidence,” a spokesperson said.
“The ICO has acknowledged the steps taken by Dollar UK following the incidents in its findings, as well as recognising Dollar UK’s complete co-operation with its investigation. We continue to reform and develop Dollar UK towards being the most responsible lender in its market place.”
Commenting on the news, Jason du Preez, chief executive of privacy software provider Privitar, said the breach is a high-profile reminder that organisations are collecting ever-increasing amounts of sensitive customer data, and must equip themselves appropriately.
“These data breaches are not just embarrassing to the organisations involved – they can have really serious financial and personal consequences for your users, destroying consumer trust and loyalty,” he said.