Marks & Spencer loses 26,000 staff details

Summary: The retailer may face prosecution by the Information Commissioner's Office after the theft of a laptop containing unencrypted data

Retailer Marks & Spencer could face prosecution if it does not overhaul its data-security procedures within two months, after losing 26,000 employees' pension details.

The Information Commissioner's Office (ICO) has threatened the retail giant with prosecution after a laptop containing unencrypted data was stolen from a contractor in April 2007.

Affected UK employees' names, addresses, national insurance numbers and information about pension plans, including wages but not bank account details, were on the machine.

Marks & Spencer (M&S) now has until 1 April to ensure all laptop hard drives are fully encrypted.

The ICO served the enforcement notice on 23 January after M&S refused to allow the watchdog to publish the changes it demanded in data security at the company.

A spokesman for the ICO said: "There is no evidence that any employees suffered ID fraud but there is always that risk with this type of information."

Mick Gorrill, assistant commissioner at the ICO, added in a statement: "It is essential that, before a company allows personal information to leave its premises on a laptop, there are adequate security procedures in place to protect personal information — for example, password protection and encryption."

"If organisations fail to introduce safeguards to protect information, they risk losing the trust and confidence of both employees and customers," added Gorrill.

The laptop was stolen from the home of the managing director of a company that was preparing pension-change statements for M&S.

The ICO found that M&S breached the Data Protection Act by failing to make sure the data on the laptop was encrypted.

The enforcement notice states that the information commissioner, Richard Thomas, takes the view that damage or distress is likely as a result of personal data getting into the hands of unauthorised persons.

A spokeswoman for M&S said: "We have been working with the ICO since we knew what had happened. We have been encrypting all hard drives since October last year."

The spokeswoman said the firm had informed all employees by letter as soon as it found out about the theft, set up a helpline for affected workers and provided them with unlimited credit checks with Experian.

Last year, the prime minister, Gordon Brown, announced that the ICO would be given increased powers to conduct spot checks of government departments.

The information commissioner has called for these powers to be extended to cover all public bodies and private-sector organisations.


About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.
