Payday lenders have had an awful lot of bad press recently – all of it justified in my opinion – over their arguably extortionate interest rates.
And today we have some news that may put a smile on the faces of some of those customers who’ve been compelled to rely on such short-term, high-cost loans: The Money Shop has been issued with a £180,000 fine.
The penalty has nothing to do with the lender’s business model, though: it was levied by the Information Commissioner’s Office (ICO) after the company lost two servers packed with customers’ financial data.
The first server was stolen from a branch in Lurgan, County Armagh, in April 2014. One month later, another server was mislaid by a courier firm in Swindon, Wiltshire.
While losing the servers was not in itself what earned the fine, the ICO’s investigation found that the encryption The Money Shop had applied was not strong enough to stop whoever ended up with the hardware from reading the data on it.
The company has since apologised and says those responsible have been replaced.
Steve Eckersley, ICO head of enforcement, said:
Customers of The Money Shop entrusted the company with their personal and financial details with the expectation that the information would be kept safely and securely.
Our investigations discovered that this wasn’t the case and that this information was regularly left exposed when equipment was moved around the country. There was potential for fraud and financial loss to customers which is unacceptable and in both cases, had the data been properly encrypted the damage and distress to customers and the monetary penalty could have been avoided.
According to the BBC, The Money Shop broke its own rules which said servers should be kept under lock and key in a separate room. At the Lurgan branch that did not happen because no suitable room was available. The Beeb also reports how the payday lender was in the habit of shuffling servers between its Nottingham head office and a number of branches, all the time without wiping old customer data from them.
A spokesman for Dollar Financial UK, which runs The Money Shop, said:
Since these events took place, Dollar UK has come under new ownership and management, implementing a complete review of IT and systems security including the replacement of those responsible for managing this essential element of business infrastructure and consumer confidence.
So, what can we learn from this?
As I’m sure you have already spotted, there are several takeaways here.
Firstly, there is the question of encryption: if you store sensitive data you must ensure that it stays unreadable should the hardware fall into a third party’s hands, which in practice means strong full-disk encryption with the key not stored in the clear alongside the data.
Then there is the issue of data retention: why was The Money Shop ferrying servers around with old customer data still on them? Data you no longer need should be securely wiped before the hardware goes anywhere.
And lastly there is the oft-overlooked topic of physical security.
It’s easy to forget this side as we see the news increasingly filled with stories of web-based attacks and remote breaches, but the old risks remain.
If your business handles sensitive data – and it almost certainly does – you need to consider more than just technical controls.
Despite all the ‘cyber’ headlines, we still live in a world populated by a small number of old-fashioned thieves, clumsy delivery companies and crafty social engineers – any one of which could cop you a huge fine should lady luck desert you for a while.