TWO tapes containing the personal details of 1.4 million customers and thousands of staff which are missing from a Yorkshire loan firm were not encrypted, which could make it easier to access the confidential data.
Batley-based Cattles said the IT back-up storage tapes were discovered missing from its Kingston House site in Birstall in late November.
The sub-prime lender is not sure if the tapes were lost or stolen but has written to affected customers and staff. Cattles has also started an investigation and told police, the Financial Services Authority and the Information Commissioner.
The data watchdog said it is taking a “keen interest” in the security breach, which “could potentially be serious”.
The former stock market-listed company, which lent to people with poor credit ratings, has admitted the missing data could be used fraudulently, but it insists there is no evidence it has “fallen into the wrong hands”.
Cattles said the tapes contained the names and addresses of 800,000 customers of two subsidiaries, Welcome Finance and Shopacheck, plus the names, addresses, payment histories and dates of birth of another 600,000 customers.
The tapes also held personal details including dates of birth, National Insurance numbers, home addresses and bank account details of “thousands” of staff employed by Cattles up to October 2010.
The Yorkshire Post understands the tapes were password-protected, but were not encrypted. This could make it easier to access the personal data.
“We cannot rule out the risk that the data has or may be accessed and so must warn you that there is the potential for your personal data to be misused,” said Welcome Finance chief executive Robert East in a letter to current and former staff.
A Cattles spokesman said: “There is no evidence that the information has fallen into the wrong hands or been used maliciously. However, Cattles takes its obligations to protect personal data of its customers and staff extremely seriously and we deeply regret what has happened.
“We have employed a specialist
Continued on Page 2.
data security firm with extensive experience in financial services, to review data security across the group and advise on any necessary improvements.”
Mr East told workers Cattles is also reviewing the personal data it holds, so that any “non-essential” personal data is deleted from its records.
He also advised staff to check their bank accounts for “irregular activity” and sign up with a credit monitoring company.
A spokeswoman for the Information Commissioner’s Office (ICO) said it will be taking a “keen interest” in the case.
“Any incidence of a data controller losing personal data is a concern and we will be making inquiries,” she said. “This could potentially be serious.”
She added penalties could include a fine of up to £500,000 and forcing the company to make changes to its procedures.
The FSA declined to comment.
In a separate development, it is understood Cattles recently fired an IT manager and a second senior IT worker from another subsidiary, The Lewis Group, for data security breaches. Their departure is not believed to be related to the missing tapes.
The embattled sub-prime lender is being wound down after an accounting scandal which led to a multi-million pound hole in its accounts. The company is closed to new customers.
The loss comes just weeks after civil liberties campaigners called for the Information Commissioner Christopher Graham to be given stronger powers to audit organisations amid concerns over the security of personal data.
And in October, Mr Graham warned the number of data security breaches in the private sector continues to rise – with 58 per cent more breaches having been reported to the ICO in the year to date, than in the same period last year.
Acknowledging that businesses knew their responsibilities, he said “now they just need to get on with doing it”.
And he added: “It’s not just the threat of a £500k fine that should provide the incentive. Companies need to consider the damage that can be done to a reputation.”