Finance firms such as banks, building societies and insurers have been urged to do more to protect customers' personal data.
The Financial Services Authority (FSA) has found many firms "underestimate the risk of data loss and fraud" to their customers.
The report states: "Overall, data security in financial services firms needs to be improved significantly.
"Many firms, particularly small firms, still need to make substantial progress to protect their customers from the risk of identity fraud and other financial crime."
Problems highlighted by the regulator included senior management at firms failing to recognise the value of data to fraudsters, or that staff could pose a threat to data security similar to that posed by computer hackers and burglars.
The FSA report also finds some firms were more concerned about bad media coverage than about being open and transparent with customers.
Philip Robinson, FSA director of financial crime and intelligence, said: "It is worrying that, despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously.
"Customers have a right to be confident firms are doing everything reasonably possible to keep their personal and financial details safe."
He added some firms had made progress by adopting good practice but others needed to do more to ensure they are treating their customers fairly.
Mr Robinson also warned firms failing to protect data would face action, as one firm is set to do after the report.
Richard Thomas, the Information Commissioner, said: "I am disappointed but not altogether surprised that the FSA has found that financial services firms, in general, could significantly improve their controls to prevent data loss or theft.
"The blunt truth is that all organisations need to take the protection of customer data with the utmost seriousness."
A report earlier this week found that, since the security breach at HM Revenue and Customs in November last year, the Information Commissioner's Office has been notified of almost 100 data breaches by public, private and third sector organisations.
Along with data going missing in the post, unencrypted laptops and computer discs, as well as memory sticks, were found to be sources of problems.