The Information Commissioner's Office (ICO) has fined insurance giant Royal & Sun Alliance (RSA) £150,000 for a major data loss incident.
The case related to the theft of a hard drive by either a member of staff or a contractor at an office in West Sussex between 18 May and 30 July that contained details of 59,592 customers.
This information included names, addresses and bank account details including sort codes and account numbers. Credit card details of 20,000 customers were also on the device, although CVC and expiry dates were not included. The device has never been recovered.
An investigation by the ICO found that the firm lacked the necessary processes to mitigate against such thefts and that the hard drive was unencrypted.
They also said many of the staff who had access to the data server room where the device was stored did not require access, and that no CCTV was installed in the room.
In light of this, Steve Eckersley, ICO Head of Enforcement, said a hefty fine was warranted and that it should serve as yet another reminder of why basic security procedures such as encryption are vital for any firm handling sensitive data.
"When we looked at this case we discovered an organisation that simply didn't take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues," he said.
"There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that's why we've issued this fine."
In response RSA acknowledged that it had failed to put in place the necessary processes to protect customers' data and said it had worked hard to rectify these errors.
"Whilst there remains no evidence to suggest that the stolen storage device has resulted in any economic loss for the customers involved, we recognise that this should never have happened and we would like to say sorry once again to those of our customers and partners who were impacted," a spokesperson said.
"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again - the substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO."