The Information Commissioner’s Office (ICO) has issued a civil monetary penalty (CMP) of £180,000 to the Money Shop in the wake of two incidents in 2014 that led to a fuller investigation of the Money Shop’s data protection policies and procedures.
As described in the notice, on April 16, 2014, a Money Shop store in Lurgan, Northern Ireland was burgled and a server stolen. The server had been left on a manager’s workstation overnight, right next to a locked fire escape door through which the burglar gained entry.
Then in May 2014, a second server was lost in transit between the Money Shop’s headquarters in Nottingham and its Swindon store. Although the Money Shop had initiated an encryption programme, the data on this server had not been fully encrypted at the time of the loss.
The servers involved in these incidents not only held personal and financial information on the store’s local customers, but they also held information on Money Shop employees and ALL Money Shop customers nationally.
In the course of its investigation, the ICO determined that: (1) the Money Shop routinely transported servers with unencrypted data on a weekly basis between its 521 stores and its headquarters, (2) the Money Shop did not delete customers’ information when that information was no longer required, and (3) in many stores, there was no secure area to store servers with personal information overnight.
You can read more in the notice. Although the number of customers and employees affected by these two incidents was redacted from the public copy, the number of spaces redacted suggests that it was over 1,000.