ICO demands overhaul of data security…
By Nick Heath
Published: 25 January 2008 15:21 GMT
Retailer Marks & Spencer (M&S) could face prosecution if it does not comply within two months with a demand to overhaul its data security, made after it lost the pension details of 26,000 employees.
The Information Commissioner's Office (ICO) has threatened the retail giant with possible prosecution after a laptop holding the unencrypted data was stolen from a contractor in April 2007.
Names, addresses, national insurance numbers and information about pension plans - including wages but not bank account details - of the UK workers were on the machine.
M&S now has until 1 April to ensure all laptop hard drives are fully encrypted.
The ICO served the enforcement notice on 23 January after M&S would not agree to the ICO publicising the changes it demanded in data security at the company.
A spokesman for the ICO said: "There is no evidence that any employees suffered ID fraud but there is always that risk with this type of information."
Mick Gorrill, assistant commissioner at the ICO, added in a statement: "It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption.
"If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers."
The data was stolen from the home of the MD of a company that was preparing pension change statements for M&S.
The ICO found that M&S breached the Data Protection Act by failing to take appropriate measures to secure its data, namely making sure the laptop data was encrypted.
The enforcement notice says the Information Commissioner Richard Thomas takes the view that damage or distress is likely as a result of personal data getting into the hands of unauthorised persons.
A spokeswoman for M&S said: "We have been working with the ICO since we knew what had happened. We have been encrypting all hard drives since October last year."
She said the firm had informed all employees by letter the moment it found out about the theft, set up a helpline for affected workers and provided them with unlimited credit checks with Experian.
Last year Gordon Brown announced that the ICO would be given increased powers to conduct spot checks of government departments.
The Information Commissioner has called for these powers to be extended to cover all public bodies and private sector organisations.
Copyright © 2008 CBS Interactive Limited. All rights reserved.