ICO issues consumer lender with monetary penalty following loss of data back-ups

Following a (long) run of monetary penalties for public sector bodies, the ICO has this morning imposed a monetary penalty of £150,000 on the consumer lender, Welcome Financial Services Limited, which trades under the “Shopacheck” name.

Once again, the monetary penalty relates to a data loss incident.

In this case, the data controller, a provider of consumer loans (at an eye-watering 399.7% representative APR), lost two backup tapes for its IT systems. The data controller used a series of 200 backup tapes to perform daily back-ups. Backups were performed at the data controller’s office and then transferred offsite for storage at an apparently secure facility.

However, after a period of time the tapes were then transported back to the office (unscrubbed), in batches of 20, in preparation for reuse. It was at this point that an IT administrator noticed that two back-up tapes were missing from the batch held at the data controller’s offices.

The data held on the tapes comprises personal information (including national insurance numbers and bank account details) relating to approximately 20,000 current and former employees and 8,000 agents over an eight year period, and just under 2m customers (including names, addresses, dates of birth and loan account details of around 510,000 customers). Much of this information appears to have been retained unnecessarily, in breach of the third principle.

To make matters worse, the tapes have not been recovered and it appears that they were not encrypted, in breach of the data controller’s IT policy, although the ICO notes that specialist equipment and software would be required to access the data.

Interestingly, unlike a number of previous incidents leading to monetary penalties, the ICO states that it received 26 formal complaints and a number of calls to the ICO’s helpline following this incident. Given the large number of data subjects affected, this is perhaps unsurprising.

For that reason, and given the nature of the information held, I’m slightly surprised that this fine wasn’t higher.

The notice highlights a number of concerning issues, including the failure to encrypt the back-ups in line with its IT policy, and the excessive (unnecessary) retention of a large amount of historic data. As the ICO notes, had appropriate IT security measures been implemented, then the loss could have been prevented.

As mitigating factors, the ICO notes that it is not aware of any previous similar security breach involving the data controller, and interestingly also notes the:

…significant impact on reputation of [the] data controller as a result of this security breach, which was publicised in the national press.

Does this indicate that if your breach leads to bad publicity, then the ICO will not be as hard on you?

Once again, however, the notice emphasises that simply having an IT security policy is not enough.

That policy needs to be robust and appropriate for the information being processed and (just as importantly) the organisation needs to be able to demonstrate not just the effectiveness of the policy, but that the organisation is actually complying with that policy.

Is your organisation able to do that?

July 2012