The Information Commissioner’s Office (ICO) has served a monetary penalty notice on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database. The firm was regulated by the Financial Services Authority (FSA) at the time of the incident.
According to the notice, on August 3, 2012, Jala Transport’s sole proprietor was driving to work and had stopped at a junction. A thief reached in through an open window and stole his briefcase from a seat in the car. The briefcase contained an external hard drive, some documents and approximately £3,600 in cash.
Although protected by an 11-character alphanumeric password, the drive was not encrypted.
It contained a complete copy of the data controller’s customer database including the details of approximately 250 clients such as their name, address, contact number, date of birth, nationality, passport number, proof of address (utility bills and bank statements) and proof of identity (passports and driving licences).
The proprietor took the hard drive home each day for business continuity purposes and to reduce the risk of damage or theft.
In determining the amount of the penalty, the ICO took a number of factors into account, including that there has been no report of data misuse, that no customer has complained, and that the incident was self-reported. Jala Transport was fined £5,000, which is a small penalty compared to others the ICO has issued.