ICO issues £180k fine, proving that having security is not the same as being secure

The Information Commissioner’s Office (ICO) has fined the Money Shop £180,000 for failing to prevent two data breach incidents.

Incident one

A Money Shop store in Northern Ireland had a server stolen during an overnight burglary. The server was left overnight on a workstation near a locked fire escape, which the thief used to gain entry.

Incident two

During transportation between Money Shop headquarters and a store, a server was lost. The Money Shop had an encryption programme, but the data on this particular server had not been fully encrypted at the time of the loss.

Security wasn’t effective

In both cases some security was in place, but on its own it was not effective. A locked door is a good start, but a single control that fails leaves nothing behind it, so a second layer is vital: a locked room or safe, or an anchoring device that fixes the server in place.

The same goes for encryption. Having a policy and the software to enforce it is good, but a policy that is not followed and software that is not applied to every device might as well not exist: the one unencrypted server that leaves the building is the one that matters.

In the course of its investigation, the ICO determined that: (1) the Money Shop transported servers holding unencrypted data between its 521 stores and its headquarters on a weekly basis, (2) it did not delete customers' information once that information was no longer required, and (3) many stores had no secure area in which to store servers containing personal information overnight.

I won't prescribe the processes and technology that the Money Shop should have used; all I suggest is common sense. The common thief has no interest in your customers' personal details, but will certainly be interested in the expensive equipment the data sits on, and whoever takes the hardware takes the data with it. Whatever your customers' data touches, make sure it's not touched by others.