The UK's Information Commissioner's Office (ICO) has found Yorkshire Building Society in breach of the Data Protection Act after an unencrypted laptop containing customer data was stolen.
The laptop was stolen from the Cheltenham premises of the former Chelsea Building Society (CBS), which recently merged with YBS, in April and contained "a substantial part of the CBS customer database".
It was found within 48 hours after YBS hired private investigators, and forensic investigations show that none of the data had been accessed during that time, although there had been several attempts to do so.
Before it was stolen, the laptop was being used by a CBS employee who had been working from home and had given it, on request, to a manager who returned it to CBS's former head office in Cheltenham.
The manager wrote down the passwords to the computer and left these in a bag with the laptop under a desk overnight.
The building society has now agreed to take steps to improve security, ensuring that all portable devices are encrypted and that staff know the firm's policies on storing personal data and only have access to information that they need.
Mick Gorrill, head, enforcement, ICO, says: "It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords. What's more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out."
Earlier this week the FSA hit Zurich Insurance's UK arm with a record £2.275 million fine over the loss of a backup data tape containing the details of 46,000 customers.