Department of Education

Breach details

What
Loss of personal information.

How much
An unknown number of records.

When
28/29 June 2012

Why
The Register reported that email addresses, unencrypted passwords and individuals' answers to questions posed in a consultation were accessible due to a security flaw in the Department for Education's website.

BW Comments

Judging by the description in The Register, the vulnerability looked like a session management problem, something that should have been caught by the most rudimentary penetration test.

Regulatory action

Regulator
ICO

Action
None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated: "As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time."

BW Observations

Just because an organisation breaks the DPA, the ICO isn't bound to take action. However, BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any website that collected personal data.

Enfield Council: Confidential Files Found in Disused Building

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Personnel files found in Llandudno skip

What
Loss of sensitive personal data

How much
Unknown.

Why
Personnel files from a nightclub were found blowing out of a skip. A member of the public gave two sample files to the Daily Post. The files included phone numbers, addresses, National Insurance numbers, copies of driving licences with a photocopied photograph, and an email address.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

CPS Mistakenly Releases Names of Student Protesters

What
Loss of sensitive personal data

How much
Unknown.

Why
After a Freedom of Information request, the Crown Prosecution Service mistakenly released the names of 299 people arrested during protests over tuition fees in 2010 and 2011.

The FOI request by a member of the public was to provide figures for costs and resources used in the Metropolitan Police’s Operation Malone (the investigations following a series of demonstrations by students against tuition fees in 2010 and 2011). In response they received a spreadsheet detailing not only Operation Malone but also other disturbances, and containing the names and other sensitive data of 299 people, 44 of whom were under 18, and 116 of whom were not charged.

Regulator
None to date.

Regulatory action
None to date, however a spokesperson for the Information Commissioner told The Huffington Post UK that they were looking into the case.

Reason for action
None to date.

When
September 2012

Links


IEEE stored 100,000 usernames and passwords in plaintext on FTP server

What
Loss of personal data

How much
Unknown.

Why
Log files containing nearly 100,000 usernames and plain-text passwords were stored on an FTP server that did not require a login.

The log files, from ieee.org and spectrum.ieee.org, were stored in an unprotected directory on the server and were available to any public user.

Denmark-based Romanian computer scientist Radu Dragusin, who discovered the files, has undertaken not to make the raw data public, although it is not known whether the data set was downloaded by anyone else.

Analysis of the data is available on the website Dragusin created after discovering the files, ieeelog.com.

The organisation has acknowledged the breach.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Rio 2016 staff downloaded files illegally during Olympic transfer programme

What
Possible loss of personal data.

How much
Unknown.

Why
Rio Olympics employees, thought to have been working in the London 2012 technology department, downloaded files without authorisation during the official Olympic knowledge transfer programme.

The original report by Brazilian journalist Juca Kfouri suggests the 'hack' was discovered by London 2012 staff when details of unauthorised access were found in log files. Kfouri's blog entry suggests the files were highly confidential and included information about strategic planning and security. The nature and content of the files have not been confirmed by LOCOG, although officials, playing down the incident, said the documents would probably have been provided to the Rio team had they requested them.

The report of the incident in the Brazilian online portal UOL suggests no personal data was compromised.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Edinburgh City Council Investigates Laptop Theft

What
Loss of sensitive personal data.

How much
Unknown.

Why
The Edinburgh Evening News reported that an unencrypted laptop containing sensitive personal data relating to vulnerable children was stolen from the home of a consultant who conducts reviews of foster and adoptive parents in Edinburgh.

The police believe that the data on the laptop was not targeted, and the Council claims to have contacted “as many as possible” of those whose details were contained on the laptop.

Working with BT, the City of Edinburgh Council had taken measures to encrypt some 8000 computers belonging to the council, following an IT security review in 2010. It would appear that the issue here was a failure to ensure that third parties also handling this data followed the same security measures.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links