The ICO issued a £180,000 fine to Cash Loans Ltd (trading as The Money Shop) on the 6 August 2015, for failing to keep customers personal information secure, in breach of the seventh data protection principle under the Data Protection Act 1998.
The ICO found that the Money Shop had not encrypted the personal data held on its servers and that some of the Money Shop's branches did not have a safe haven, a secure point in which to lock a server holding personal data overnight, or alternative physical security measures.
A server was stolen from the Money shop in April 2014, and a second server was lost in May 2014 whilst being transported from the firms head office to a branch. Both servers contained information regarding customer records and records relating to employees of the Money Shop.
The ICO considered that given the number of affected individuals, the loss of unencrypted personal data amounted to a substantial distress and loss to the Money Shop's customers, especially if the data was used fraudulent purposes. The Money Shop has a right to appeal the ICO's decision to the First-tier Tribunal (Information Rights).