The Yorkshire building society has admitted thousands of customers were exposed to potential loss when a laptop computer was stolen.
The unencrypted laptop was stolen in April from the offices of the Chelsea building society, which the Yorkshire had just taken over.
The computer, which was found two days later, held a large part of the Chelsea's customer database.
There had been several unsuccessful attempts to get at the data.
The Information Commissioner's Office (ICO) has decided that the Yorkshire broke the Data Protection Act.
"It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords," said Mick Gorrill, head of enforcement at the ICO.
"What's more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided."
Passwords written down
The Yorkshire said it had tightened up the data protection procedures at the former Chelsea operations, including a requirement that all laptops be encrypted, as was already the case at the Yorkshire.
"Yorkshire Building Society takes its duty of care to its members very seriously and was in the process of rolling out the Yorkshire's more rigorous security procedures to the Chelsea at the time of the theft," said a spokeswoman.
"The society took immediate and appropriate remedial action and, as the Information Commissioner's Office has acknowledged, there has been a full review of data security with new safeguards put in place to prevent a repeat of this incident."
The Yorkshire took over the Chelsea on 1 April 2010 and the laptop was stolen on 19 April.
A member of the Chelsea's staff had taken the laptop home to work and then returned it to a manager, who left it under a desk overnight at the Chelsea's head office in Cheltenham.
However, the manager had written down the computer's passwords and left them in the same bag.
The loss of customer data has become a regular occurrence in the past few years.
This week, the Zurich insurance company was fined £2.3m for losing data on 46,000 customers.
And three years ago, the Nationwide building society was fined nearly £1m after a laptop with some details of 11 million customers was stolen from the home of an employee.