Zurich Insurance has been fined a record £2.28 million for losing personal details on 46,000 policyholders, the City watchdog said today.
The Financial Services Authority said the fine, which has been levied on the UK branch of the company, was the highest it had yet imposed for data security failings.
The data loss occurred in August 2008, when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre, but Zurich UK did not learn about the incident until a year later.
The disc contained personal information on general insurance customers, including details of their identity and in some cases bank account and credit card information.
It also had details about the assets people had insured, and the security arrangements they had in place.
The FSA said the loss of the disc could have led to serious financial detriment for customers, as well as exposing them to the risk of being burgled.
But Zurich UK stressed it had seen no evidence that suggested the personal data on the disc had been compromised or misused.
The regulator said Zurich had failed to ensure customer data was secure, following its outsourcing arrangement with the South African arm of the company, which processed some general insurance data on its behalf.
It added that the firm also failed to have controls in place to prevent the lost data being used for financial crime.
Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let its customers down badly.
"It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA.
"To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."
She added that Zurich would have been fined £3.25 million for the incident if it had not agreed to settle at an early stage and qualified for the FSA's 30% discount.
Zurich said it regretted the concern the incident had caused its customers, who were informed of the loss in October last year.
Stephen Lewis, chief executive of Zurich UK, said: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data."
The group had appointed KPMG to review its data security systems, and it had taken a number of steps to improve them, he added.
"We are appointing a dedicated information security officer to provide ongoing assurance that appropriate measures are in place and that they will continue to be effective.
"We believe our customers can be confident that we are doing everything we can to keep their data secure and protected," he said.
"The FSA has acknowledged that we fully cooperated with its investigation and recognised that we treated the incident with utmost seriousness and have demonstrated a commitment to take the necessary steps to ensure the ongoing security of our customer data."
The FSA has previously fined Nationwide £980,000 for data security failings after a laptop containing customer details was stolen from an employee's home.
Three HSBC firms were fined between £700,000 and £1.6 million each for not properly protecting customers' personal details, while Norwich Union was fined £1.26 million for similar failings which led to a number of its customers being the victims of fraud.Reuse content