Glasgow City Council has warned nearly 40,000 customers that their personal details may be at risk after a laptop was stolen during an office break-in.
Local police and the Information Commissioner’s Office (ICO) have been informed of the incident.
The council has confessed that the laptop, which was one of two stolen during a robbery last month, was password-protected but not encrypted.
Information on the laptop relates to 17,692 companies and 20,143 individuals. The council is now writing to all affected parties to warn them of the danger. The bank details of 10,382 companies and 6,069 individuals were included in the stolen data.
Affected customers are council suppliers and people who receive winter fuel payments and care grants.
"We are in the process of writing to the people affected by this theft to alert them to the data loss and offer them advice about what steps they might need to take," the council said in a statement.
"We are sorry that this has happened and apologise for the inconvenience it has caused. Anyone with any information on the theft should contact Strathclyde Police. Customers should remember that no one from the council would ever call at their home or telephone them to ask for personal information, such as banking details. A bank will never ask for a customer’s PIN or for a whole security number or password," the statement added.
Chris McIntosh, CEO of security firm ViaSat, says the case shows the need for businesses to have strong data protection policies in place.
"This recent data breach shows that the safeguarding of personal information is still a major issue, particularly within the public sector. While the council was only made aware of the breach last Wednesday, this will come as little consolation to the 16,451 customers whose bank account details are now in the public arena and at risk of theft. The fact that some of those affected were customers already looking for additional financial support from the council compounds this point and puts these individuals at greater risk," he said.
"It is imperative that all organisations have a rigorous data protection policy in place to avoid situations like this one and that sensitive customer information is stored securely and wherever possible encrypted. If avoidable cases of data breaches like these continue to happen, the public sector risks substantial fines from the ICO as well as irrevocable damage to its reputation," McIntosh added.