Stockbroker Merchant Securities (MS) was penalised by the Financial Services Authority (FSA) with a £77,000 fine for managing "weak data security controls" for customer information.

The holes in the firm’s security structure were discovered in September 2007 during a routine visit. The FSA then realised that MS’s staff used methods such as chatting to clients about "personal matters such as holidays or hobbies" because it didn’t have appropriate systems to identify them over the phone.

MS also sent personal account numbers in correspondence to clients, information that could be used by fraudsters in conjunction with customers' names. And back-up tapes with unencrypted customer data were found in a bag at the home of a member of staff.

Even though MS was reportedly given a 30 per cent discount on the fine for co-operating with the FSA's enquiry – it would have been £110,000 – the watchdog said the firm’s behaviour was unacceptable.

'It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers' personal details,” said FSA’s director of enforcement Margaret Cole.

“People have the right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business.”

Data leakage is an issue that should top the list of priorities at organisations from the financial services sector, said Deloitte’s head of investment banking technology risk David Bettesworth.

“A substantial amount of time and money is being spent by a number of organisations to put mitigating controls in place, but it will take time to address that problem,” said Bettesworth.

“The point is that this is not just about IT, but business processing issues which make it hard for organisations to understand where risks are and finding effective solutions to protect customer data,” he said.