Breach Watch

News Group Newspapers

BreachMaster — Tue, 21 May 2013 18:04:16 +0000

Breach details

What	Customers’ personal data, some several years old.
How much	‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
When	July 2011
Why	A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the fifth and seventh data protection principles
When	9 November 2011
Details	Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.

There was a breach of the fifth and seventh principles.

There had been a previous penetration test, so the Sun knew of the vulnerability.

It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO‘s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

Links

View PDF of the News Group Newspapers Undertaking (Breach Watch Archive)

View PDF of the News Group Newspapers Undertaking (Via ICO Website)

The Burnett Practice

BreachMaster — Mon, 13 May 2013 17:01:48 +0000

Breach details

What	Names and email addresses.
How much	About 175 records.
When	3 October 2012 or earlier
Why	The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	26 April 2013
Details	The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

Links

View PDF of The Burnett Practice Undertaking (Breach Watch Archive)

View PDF of The Burnett Practice Undertaking (Via ICO Website)

East Riding of Yorkshire Council

BreachMaster — Tue, 16 Apr 2013 14:48:03 +0000

Breach details

What	Sensitive personal data was inappropriately disclosed.
How much	One record and one verbal remark.
When	April/May 2012
Why	Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent.

BW Comments

To follow.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	4 April 2013
Details	Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

BW Observations

To follow.

Links

View PDF of the East Riding of Yorkshire Council Undertaking (Breach Watch Archive)

View PDF of the East Riding of Yorkshire Council Undertaking (Via ICO Website)

DM Design Bedrooms

BreachMaster — Mon, 18 Mar 2013 17:15:46 +0000

Breach details

What	Serious breach of the Privacy and Electronic Communications Regulations (PECR). A high volume of unsolicited marketing calls to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much	An unknown number of direct marketing calls resulting in 1,945 TPS complaints and an unspecified number of complaints directly to the ICO.
When	June 2011 to November 2012
Why	Ignored requirement to screen call lists against the Telephone Preference Service (TPS) or maintain an opt-out register.

BW Comments

After initial contact from the ICO, the unsolicited calls continued and some reported to the Commissioner were described as aggressive.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £90,000
When	20 March 2013

Why the regulator acted

Breach of act	Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known	Concerns over PECR obligations were first raised by the Commissioner in 2004. The volume of complaints made before and after the Commissioner’s letter of May 2012 would have made the company aware that they were continually breaching regulations.
Likely to cause damage or distress	The overall level of distress was assessed as substantial due to the very large numbers of individuals affected. A small number of individuals also personally suffered substantial levels of distress.

BW Observations

That DM Design breached the PECR by not screening against the the TPS register and maintaining their own opt-out list is not debatable. The volume of calls and complaints are significant (although we are not told what the average or maximum level of complaints are to the TPS in respect of a company other than “they [DM Design] were one of the organisations about which the most complaints were received”). What’s interesting is the ICO again used the same justification as the Tetrus Telecommunications MPN to determine the s55A(1)(b) ‘substantial damage or distress test’ – that although the distress in each individual case was not considerable, the cumulative effect of the distress caused by the totality of all calls made in contravention of PECR met the Commissioner’s threshold of substantial distress.

Links

View PDF of the DM Bedroom Design Ltd Monetary Penalty Notice (Breach Watch Archive)

View PDF of the DM Bedroom Design Ltd Monetary Penalty Notice (Via ICO Website)

Nursing and Midwifery Council

BreachMaster — Fri, 15 Feb 2013 17:34:33 +0000

Breach details

What	Loss of sensitive personal data (medical and details relating to legal proceedings).
How much	Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
When	07 October 2011
Why	In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:

Always use couriers when sending personal data on physical media.

Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 150,000
When	12 February 2013

Why the regulator acted

Breach of act	Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known	The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress	The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.

Links

View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Via ICO Website)

Leeds City Council

BreachMaster — Sun, 27 Jan 2013 14:19:55 +0000

Breach details

What	Personal and sensitive (health) personal data.
How much	An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When	Not specified.
Why	During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	30 November 2012
Details	The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Links

View PDF of the Leeds City Council Undertaking (Breach Watch Archive)

View PDF of the Leeds City Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 20 May 2013

View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)

View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)

Mansfield District Council

BreachMaster — Fri, 25 Jan 2013 13:09:03 +0000

Breach details

What	Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much	An undisclosed number of records.
When	August 2009 to November 2012
Why	Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	25 January 2013
Details	Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Links

View PDF of the Mansfield District Council Undertaking (Breach Watch Archive)

View PDF of the Mansfield District Council Undertaking (Via ICO Website)

Sony Computer Entertainment Europe

BreachMaster — Thu, 24 Jan 2013 23:29:33 +0000

Breach details

What	Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much	Redacted. Information Week stated 77 million records.
When	Detected 19 April 2011
Why	In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony Playstation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.
The lessons that all organisations can learn are simple:

Patch systems regularly.

Run regular external vulnerability scans against systems.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 250,000
When	14 January 2013

Why the regulator acted

Breach of act	Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Newwork Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known	Various Sony online networks had previously been the subjects of attacks from hacktivist organisations. Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress	It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations

A lack of basic security practices such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5) are sufficient to justify a MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised, however it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customer’s accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It has been reported that Sony intends to appeal the MPN to the Information Tribunal.

Links

View PDF of the Sony Computer Entertainment Europe Limited Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Sony Computer Entertainment Europe Limited Monetary Penalty Notice (Via ICO Website)

Prospect

BreachMaster — Tue, 22 Jan 2013 21:25:02 +0000

Breach details

What	Loss of sensitive personal information (Union membership).
How much	About 19,000 records.
When	08 Dec 2011
Why	Two files containing member data were sent as part of a tendering process to an unknown email address in error. The files were encrypted but the password was also sent seperately to the same address.

BW Comments

This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised, not only does it increase the risk of breaching the seventh principle, but it will also breach the first and second principles; although interestingly the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as the key (password) management – passwords should always be sent at a minimum by a separate channel.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	16 Jan 2013
Details	The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data.

BW Observations

Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO obviously decided that an undertaking was more appropriate given the potential harm that could result.

Links

View PDF of the Prospect Undertaking (Breach Watch Archive)

View PDF of the Prospect Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 15 May 2013

View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)

View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)

Isle of Anglesey County Council

BreachMaster — Tue, 22 Jan 2013 21:12:56 +0000

Breach details

What	Loss of personal data and in one case loss of sensitive personal data.
How much	Unknown
When	Several incidents in early 2012
Why	Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	20 December 2012
Details	The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)

View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)