Virgin Media has lost a CD containing 3,000 customers' unencrypted personal and banking details, it has emerged.
According to a spokesperson for the telecommunications company, the incident occurred on 29 May as part of a "data-reconciliation exercise", when a Virgin Media employee went to Carphone Warehouse's offices to collect the details of all the new Virgin Media customers who had signed up through Carphone Warehouse since January. Upon returning to his own office, that employee "realised… he was no longer in possession of said CD".
Virgin Media's spokesperson admitted that the transfer of such details, unencrypted, on a CD was in breach of his company's own policy, as such transfers are normally performed through secure FTP. The matter of why proper procedures were not followed is now the subject of "internal investigation", the spokesperson said.
According to the spokesperson, as soon as Virgin Media was aware of the loss, it contacted the Information Commissioner's Office (ICO), which suggested that it let its customers know about the incident. The company has now managed to contact "the vast majority" of the affected customers, and is "paying for credit protection for every single customer", the spokesperson said.
"The process of contacting customers has been running for a couple of weeks now, and the reaction that we've had from the [affected] customers has generally been positive," Virgin Media's spokesperson claimed, adding that the company would be working on its data-protection training processes in the wake of the breach.
The ICO told ZDNet.co.uk on Wednesday that it had not yet decided what action it might take against Virgin Media for the data loss. A spokesperson reiterated, however, that organisations failing to treat people's personal information securely are in breach of the Data Protection Act and also "risk losing the confidence and trust of their customers".
"This case demonstrates that data protection must be a priority for all organisations in the public and private sector," the spokesperson said. "It is of great concern that Virgin Media did not encrypt the disc containing personal information, as this is one security measure that can help prevent data breaches from occurring. The information commissioner has called for stronger powers to enable the ICO to carry out inspections without consent, to ensure effective compliance with the Data Protection Act. It is important that these powers extend to the private sector, as well as to government departments."