News Group Newspapers

Breach details

What Customers’ personal data, some several years old.
How much ‘Thousands’ according to some press reports, a ‘large amount’ according to the undertaking; TechEye claimed 500,000.
When July 2011
Why A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. The first was retaining data it no longer needed when it rebuilt a server for a new role; more worryingly, it had previously commissioned a penetration test but had not rectified the vulnerabilities the tester identified.

Regulatory action

Regulator ICO
Action Undertaking to comply with the fifth and seventh data protection principles
When 9 November 2011
Details Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.
  • There was a breach of the fifth and seventh principles.
  • There had been a previous penetration test, so the Sun knew of the vulnerability.
  • It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN, which was also the result of Lulzsec’s activities, and it will be informative to see whether the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

The Burnett Practice

Breach details

What Names and email addresses.
How much About 175 records.
When 3 October 2012 or earlier
Why The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should take this as an indication that, if cloud-based web-mail services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 26 April 2013
Details The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

East Riding of Yorkshire Council

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subject access request made by another family; and in a separate incident a student social worker revealed to the parent of a child under assessment the first name of the person who had made an anonymous referral about that parent.

BW Comments

To follow.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

BW Observations

To follow.

Leeds City Council

Breach details

What Personal and sensitive (health) personal data.
How much An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When Not specified.
Why During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 30 November 2012
Details The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Mansfield District Council

Breach details

What Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much An undisclosed number of records.
When August 2009 to November 2012
Why Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing association that received the data in error, and not by Mansfield Council. I suspect that the housing association first contacted the Council and, after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was not fixing the problem when told about it.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 25 January 2013
Details Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Prospect

Breach details

What Loss of sensitive personal information (Union membership).
How much About 19,000 records.
When 08 Dec 2011
Why Two files containing member data were sent in error, as part of a tendering process, to an unknown email address. The files were encrypted, but the password was also sent separately to the same address.

BW Comments

This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised: using live personal data for testing not only increases the risk of breaching the seventh principle, it will also breach the first and second principles; interestingly, the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as the key (password) management – at a minimum, passwords should always be sent by a separate channel.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 16 Jan 2013
Details The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data.

BW Observations

Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO obviously decided that an undertaking was more appropriate given the potential harm that could result.

Isle of Anglesey County Council

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data controller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data, and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

West Lancashire Borough Council

What
Loss of personal data

How much
370 records.

Why
A business continuity bag containing emergency response documents and personal data relating to employees was stolen from a locked vehicle belonging to an officer.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the minimum amount of personal data necessary for emergency business is taken off site and that staff are fully trained in the data protection policy.

Reason for action
The data controller had some relevant guidance in place at the time of the incident, but could have provided clearer written instruction on the secure storage of hard-copy personal data held off site for emergency use.

When
13 July 2012

Links
View PDF of the Lancashire Borough Council Undertaking (Via ICO Website)

View PDF of the Lancashire Borough Council Undertaking (Breach Watch Archive)

South Yorkshire Police

What
Loss of personal data

How much
600 records.

Why
Personal data relating to drug offences by 600 arrested individuals was accidentally included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double-checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be trained in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offenders’ names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.

When
26 June 2012

Links
View PDF of the South Yorkshire Police Undertaking (Via ICO Website)

View PDF of the South Yorkshire Police Undertaking (Breach Watch Archive)