The Information Commissioner's Office (ICO) said Royal & Sun Alliance Insurance (RSA) had breached data security obligations under the Data Protection Act and fined the company £150,000.
RSA apologised for the breach and said it has taken steps to improve its data protection practices since the incident occurred in 2015.
"The ICO fined us for not foreseeing the risk that the theft of a storage device could cause and for not protecting it adequately," an RSA spokesperson said. "RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously. Whilst there remains no evidence to suggest that the stolen storage device has resulted in any economic loss for the customers involved, we recognise that this should never have happened and we would like to say sorry once again to those of our customers and partners who were impacted."
"We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again – the substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO," it said.
According to the ICO's monetary penalty notice (17-page / 157KB PDF), the device that was stolen was "a portable ‘Network Attached Storage’ device". It was "taken offline" and removed from RSA's data server room at the company's premises in Horsham in England between 18 May and 30 July 2015.
The device contained information on 59,592 customers, including their names, addresses, bank account and sort code numbers, as well as some credit card data on 20,000 of those customers, the ICO said. Credit card expiry dates and CVV numbers were not stored on the device. The device, which has not been recovered, was password protected, but the data on it was unencrypted, the watchdog said.
Steve Eckersley, head of enforcement at the ICO, said: "There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine."