One of Britain’s biggest farm co-operatives is reviewing its security procedures after a USB memory stick containing customers’ personal details was lost in the post.
Mole Trading, which is part of the Mole Valley Farming group of companies, admitted the data breach in a letter to members.
The group’s website says it has 22,000 farmer shareholders and country members. The blunder involves the details of some 1,500 direct debit customers.
Company secretary Andrew Chapple said the breach occurred while Mole Trading was in the process of “addressing certain software issues”. The company was treating the breach “very seriously,” he wrote in the letter.
Mr Chapple said: “We were required to send a copy of the system to our software support provider, which we did on a high-capacity USB, using Royal Mail first class, recorded delivery. Unfortunately, the item was lost while in Royal Mail’s possession.”
Data on the USB stick included customer names, account numbers, addresses, emails and phone numbers, said the letter. Bank account numbers, sort codes, payment types, balances and transaction histories were also included in some cases, but not credit or debit card details.
One livestock producer, who asked not to be named, said she feared farmers could be scammed if the USB stick fell into the wrong hands. “The breach doesn’t instil confidence when many incidents of fraud and scamming, especially recently of farmers, [have been] reported,” she said.
Mole Valley said it was continuing to regularly monitor Bacs payment runs for any irregularities. It has asked Royal Mail to conduct an internal investigation into the loss of the memory stick. Mole Valley has also informed the Information Commissioner’s Office (ICO) of the data breach.
The ICO is the UK data privacy watchdog. It can fine organisations up to £500,000 for serious data breaches. In 2012, for example, the loss of a USB stick saw Greater Manchester Police fined £120,000. But Mole Valley said its own data breach was less serious.
The letter to Mole Valley members said it was “highly unlikely that the information on the USB could be used for any fraudulent payments to be taken from your account”. But it acknowledged that the error represented a “breach of data protection”.
Mr Chapple said: “We were notified promptly that the USB did not arrive at the intended recipient’s address and acted immediately. We are confident that we are taking the necessary steps to contain any risks associated with this breach.”
A Royal Mail spokeswoman said: “For items of value or importance, we would advise customers use our special delivery service, which provides a next-day guaranteed service and is tracked at every stage through our system and offers compensation in the rare event of any delivery issues.”