The company said this week that an audit of its IT systems had shown an employee had accessed the company database without authorisation.
"Loans.co.uk has controls and systems in place to protect individuals' information, and this is evidenced by the fact that these systems detected unauthorised activity on the database," said a spokeswomen.
Customers had complained of receiving unwanted calls from other loan companies and their identities could be used by fraudsters. It then emerged that customer details, including names addresses and telephone numbers, had been passed on without authorisation.
"No organisation can guarantee that they are fully protected against data theft, and most will struggle if an individual in a trusted position decides to act without authority," the company said.
Mike Maddison, UK head of security and privacy services at analyst firm Deloitte, said all organisations face challenges from within, and there is no such thing as 100% security. "But putting the right sort of preventative and detective controls in place can act as a deterrent," he said.
Loans.co.uk initially passed details of the security breach to Hertfordshire Police and industry regulator the Financial Services Authority. They advised the company to consult the Information Commissioner's Office, which is now investigating the breach.
A spokesman for the ICO said it would help Loans.co.uk to ensure that this does not happen again. He added that individuals within companies can be prosecuted for breaching the Data Protection Act.