The Cattles financial services group has admitted losing unencrypted computer backup tapes containing personal details of 1.4 million customers.
The group owns personal loans and hire purchase firm Welcome Finance, small loans firm Shopacheck and The Lewis Group debt recovery and investigation services.
Two backup tapes went missing from the company’s headquarters near Leeds in November 2011, but Cattles notified customers of the data loss only recently.
“The tapes were discovered as missing at the end of November 2011 and an investigation started immediately,” the company said in a statement.
The company also said that there is nothing to suggest that the tapes were stolen or that the information has been used maliciously.
“However, Cattles takes its obligations to protect the personal data of its customers and staff extremely seriously, and we deeply regret what has happened,” the company said.
Cattles said it has employed a specialist data security firm with “extensive experience in financial services” to review data security across the group and to advise on any necessary improvements.
The Information Commissioner's Office (ICO) said it has been made aware of the breach and is investigating. “Any incidence of a data controller losing personal data is a concern and we will be making inquiries,” it said in a statement.
Cattles could face a monetary penalty of up to £500,000 and be required to make changes to its procedures.
In December, the ICO imposed a record £130,000 monetary penalty on Powys County Council after it sent details of a child protection case to the wrong recipient.
The ICO typically imposes monetary penalties where data controllers have failed to take basic security precautions such as encrypting data.
The ICO said the monetary penalty imposed on Powys County Council was higher than in previous similar cases because the breach could have been prevented if the council had acted on the ICO's recommendations following an earlier incident in June 2010.
In October, the ICO’s annual tracking survey revealed that the number of data security breaches in the private sector continues to rise, with 58% more breaches reported to the ICO in 2011/12 than in the same period the year before.
Information Commissioner Christopher Graham said businesses seem to know what they need to do; now they just need to get on with doing it.
“It's not just the threat of a £500,000 fine that should provide the incentive. Companies need to consider the damage that can be done to a brand's reputation when data is not handled properly. Customers will turn away from brands that let them down,” he said.