Marks & Spencer loses personal information on 26,000 staff

Published 30 January 2008

A laptop belonging to Marks and Spencer was stolen in May 2007, joining a lengthening list of personal data breaches in the United kingdom; Information Commissioner’s Office takes action against company

Marks and Spencer has announced that a laptop containing the personal details of 26,000 staff member was stolen last year, prompting the U.K. data protection watchdog, the Information Commissioner’s Office (ICO), to take action against the firm. “We have issued Marks and Spencer with an Enforcement Notice. They have to encrypt all of their laptops containing personal data by April 2008. If they proceed not to do so, they will be prosecuted,” said an ICO spokeswoman. The spokeswoman went on to say, “We want companies to take data protection seriously, and it is good to see that companies are more frequently stepping forward to make sure they are securely protecting their data. In regards to the Marks and Spencer case, it has brought light to the issue of data protection.”

ITWeek reports that the ICO has once again called for more enforcement and investigation powers, following this, and other recent incidents. Other recent data losses include the loss of a Ministry of Defense Royal Navy laptop, containing the personal details of 600,000 people. It was then admitted that two other laptops had also gone missing in December 2000 and October 2006. The HMRC also lost 25 million child benefit-recipients data as well as the personal details of 6,500 pensioners in Cardiff. The Ministry of Justice has also had a recent data breach, losing four CDs containing the personal information of alleged victims and witnesses.

Experts say that some firms are wary of putting too much control on their data, with many admitting that they are wary of too much encryption. Geoffrey Finlay, chief executive at nCipher, said in a statement, “Companies fear encryption may open Pandora’s box.” He warned firms that the alternative is much worse, but added, “With a well planned deployment, supported by strong key management and access controls it is not a difficult barrier to overcome.”