Payday lender The Money Shop has been fined £180,000 after losing computer servers containing details for thousands of customers.
The Information Commissioner’s Office (ICO) issued the civil penalty following two incidents: one in Lurgan in April 2014, and a second a month later in Swindon.
The servers remain missing and the ICO said encryption standards were not strong enough to be confident the machines had not been accessed.
Head of Enforcement, Steve Eckersley said: “Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and securely.
“Our investigations discovered that this wasn’t the case and that this information was regularly left exposed when equipment was moved around the country.
“There was potential for fraud and financial loss to customers, which is unacceptable, and in both cases, had the data been properly encrypted, the damage and distress to customers and the monetary penalty could have been avoided.
“Hopefully it’s an example to other organisations, whatever business they may be in, that the safety of personal information must be taken seriously. Policies and procedures must be put in place or we will take action.”
Among the problems identified was a failure by the firm to follow its own policy of keeping servers locked in their own room.
And the ICO found a “widespread practice” of The Money Shop regularly transporting unencrypted servers between its Nottingham Head Office and its branches around the country.