The UK's Financial Services Authority (FSA) has hit stockbroker Merchant Securities with a £77,000 fine for failing to protect customers from the risk of identity fraud.
The FSA - which discovered the "weak data security controls" during a routine visit to the firm in September 2007 - says this is the first time it has fined a stockbroker for slack security.
The watchdog says Merchant Securities did not have proper procedures in place to identify customers over the phone. Instead the company relied on staff recognising customers' voices and chatting with customers about "personal matters such as holidays or hobbies".
The broker also included personal account numbers in routine letters. This data could be used - with a customer's name - to access account information.
Another lapse saw back-up tapes containing unencrypted customer information stored overnight in a bag at the home of a member of staff.
What's more, the firm made no effort to address the risk involved in staff being able to use instant messaging and Web-based email.
"It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers' personal details," says Margaret Cole, director of enforcement, FSA. "Reducing financial crime in the UK is a priority for the FSA and our recent data security report showed that many firms still need to do more to get it right. We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously."
Despite the slack security, the FSA says there is no evidence that customer data had been lost or stolen.
Merchant Securities was given a 30% discount on the fine - which would have been £110,000 - for co-operating with the FSA's investigation.
In April the FSA warned UK institutions to improve their data security practices after a review of systems and controls at 39 firms uncovered slipshod practices at banks, building societies, insurance companies and financial advisers.
The watchdog said "many firms" still underestimate the risk of data loss and fraud to their businesses and especially to their customers. This includes senior management at firms not recognising the value of their customers' data to fraudsters, or that staff could pose a threat to data security similar to that posed by computer hackers and burglars.