Financial services firm loses 1.4 million customer records
Cattles Group admits losing backup tapes storing customer information, while the ICO investigates
A financial services firm has admitted losing backup tapes containing sensitive information relating to 1.4 million of its customers.
The Cattles Group owns Welcome Financial Services Limited and its business Shopacheck, and is based in Yorkshire. The firm said in a statement that the tapes went missing at the end of November 2011, and that investigations began as soon as the loss was discovered – although it has only recently written to customers to warn them.
"Cattles Group confirms that two IT back-up storage tapes are missing from its Kingston House [headquarters]. The tapes were discovered as missing at the end of November 2011 and an investigation started immediately," it said.
The firm has described the nature of the missing information as "low-level personal data". However, Computing understands that this includes names, addresses, dates of birth and payment histories.
The missing tapes also include some HR information relating to staff employed by the group up to October 2010.
The company said that there is nothing to suggest that the tapes were stolen.
"There is no evidence that the information has fallen into the wrong hands or been used maliciously. However, Cattles takes its obligations to protect the personal data of its customers and staff extremely seriously, and we deeply regret what has happened," it added.
Cattles Group stated that a specialist data security firm has been employed to review data security across the group and to advise on any necessary improvements.
Christian Toon, head of information security for Europe at security firm Iron Mountain, said that the missing data should have been encrypted.
"An organisation large enough to have over a million customers should have policies and guidelines in place that ensure sensitive data is encrypted, protected and accounted for at every stage of its journey through the business," he said.
The Information Commissioner's Office (ICO) said it has been made aware of the breach and is investigating.
"We have recently been informed of a possible data breach which may involve Welcome Financial Services Limited including its business Shopacheck," the ICO said in a statement.
"We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act (DPA) before deciding what action, if any, needs to be taken."
Given the extent of this breach, the Cattles Group could be hit with a six-figure fine. The ICO is empowered to fine organisations that breach the DPA as much as £500,000.
Having been criticised in the past for rarely handing out fines, and then only handing out relatively meagre penalties, the ICO has shown increased willingness in recent months to punish organisations more severely for breaches of the DPA.
Last month, Powys County Council was served a record £130,000 fine for accidentally sharing details of child protection cases with uninvolved parties.