The Rochdale council has been found in breach of the Data Protection Act after losing a memory stick containing the financial details of 18,000 residents, the ICO announced.
According to the Information Commissioner's Office, the memory stick was lost by the council in May and has not been recovered yet, as reported by the Guardian.
The memory stick, which was not encrypted, contained the names and addresses of 18,000 residents along with the details of payments made to and by the council. Bank details were not stored on the memory stick.
The ICO said the council had breached the Data Protection Act by not encrypting the memory stick and for not providing sufficient data protection guidance to its employees. The council has been asked to improve its data protection policies by March 2012, after which the ICO will conduct a review.
"This incident could have been easily avoided if adequate security measures had been in place," said Sally Anne Poole, enforcement group manager at the ICO.
"Our investigation uncovered a number of failings at Rochdale, that's why we will follow up with the council, to ensure they're doing everything they can to prevent this type of incident happening again," she added.