The Information Commissioner's Office (ICO) said the Money Shop had inadequate data security measures in place and that it had been responsible for a serious breach of the Data Protection Act.
The Money Shop was fined after two data breach incidents, which involved servers that held the personal data of customers and staff, occurred within six weeks of each other last year.
The first server was stolen from a branch of the Money Shop in Lurgan, Northern Ireland on 16 April 2014. The second server was lost on either 27 or 28 May 2014 as it was being couriered from the company's head office in Nottingham to its store in Swindon. Both servers contained data including the names, contact details and payment card information of customers.
The ICO noted that the server that was taken during a burglary at the Lurgan store had been left on a desk in a manager's office overnight and that the data on it could be "accessed by a motivated expert user". It said that the second server lost when being couriered contained personal data that was only partially encrypted and "could be accessed by a user with forensic knowledge and the appropriate software".
The ICO's head of enforcement Steve Eckersley said the data breach had potential to lead to "fraud and financial loss to customers". He said this was "unacceptable".
"In both cases, had the data been properly encrypted the damage and distress to customers and the monetary penalty could have been avoided," Eckersley said. "“Hopefully it’s an example to other organisations, whatever business they may be in, that the safety of personal information must be taken seriously. Policies and procedures must be put in place or we will take action."
During its investigation the ICO also found that the Money Shop "did not delete customer details from their servers when they were no longer required".
"The amount of the fine tells all in terms of the ICO’s position – they clearly viewed the facts of the case as evidence of quite basic security failings for which evidently, on the facts in their view, no reasonable excuse existed," data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said.
"As a more general point, the level of this fine raises again the legal question of how these fines should be characterised – although described as 'civil', if their impact is punitive they are arguably criminal in nature. Expect data controllers to look much more carefully at this once the much larger fines under the proposed new EU General Data Protection Regulation come into effect," he said.