Last night the society said it was taking steps to improve its data security after the laptop, which contained a substantial part of Chelsea Building Society’s customer database, was stolen from the group’s office in Cheltenham, Gloucestershire, on April 19 this year, shortly after the two mutuals merged.
It was recovered within 48 hours after the Yorkshire hired private investigators to assist police in tracking it down.
Forensic computer experts said none of the data on the computer had been accessed when it was missing, although there had been several attempts to do so.
The laptop had been used by a Chelsea employee who was working from home. The worker returned it to a manager, who then returned it to Chelsea’s former head office in Cheltenham.
It was later discovered the manager had written down the passwords to the computer and left them in a bag with the laptop under a desk overnight.
The Information Commissioner’s Office (ICO) yesterday said it had found Yorkshire Building Society in breach of the Data Protection Act.
The head of enforcement at the ICO, Mick Gorrill, said: “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.
“What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided.”
But he added the Yorkshire had taken “prompt and effective action” to prevent a similar incident happening again.
Yorkshire said the incident happened shortly after it had completed its merger with the Chelsea, when it was still rolling out its “more rigorous security procedures” to the society.
The group has agreed to take a number of steps to improve its data security, including that all portable devices, such as laptops, are encrypted, a measure which is already in place at the Yorkshire, and that all staff are aware of the company’s policies for the storage and use of personal data.
A spokeswoman said the stolen laptop was partially unencrypted.
She said: “Yorkshire Building Society takes its duty of care to its members very seriously and was in the process of rolling out the Yorkshire’s more rigorous security procedures to the Chelsea at the time of the theft.
“The society took immediate and appropriate remedial action and, as the Information Commissioner’s Office has acknowledged, there has been a full review of data security, new safeguards having been put in place to prevent a repeat of this incident.”
Earlier this week Zurich Insurance was fined £2.28m by the Financial Services Authority after losing personal details on 46,000 policyholders.
Data was lost in August 2008 when the South African branch of the company lost an unencrypted back-up tape during a transfer, but Zurich UK did not know until a year later.
The regulator has previously fined Nationwide £980,000 after a laptop containing customer details was stolen from an employee’s home.