Halton Borough Council

Posted on 30 May 2013 by BreachMaster

Breach details

What	Details of adoptive parents accidentally disclosed to birth parents.
How much	1 record.
When	25 May 2012
Why	An employee mistakenly included the address of a child’s adoptive parents in a ‘letterbox’ letter to the birth mother. The birth mother passed the address on to her own parents, who wrote to the adoptive parents seeking contact with the child. The grandparents then made an application to the Court for direct contact with their grandchild, which was refused following two hearings, and the grandparents had to undertake only to use the Council’s ‘letterbox’ procedure for contact.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000
When	30 May 2013

Why the regulator acted

Breach of act	Breach of the seventh principle: the Council failed to take appropriate organisational measures to prevent accidental disclosure, such as implementing a peer-checking process and a clear checklist of requirements.
Known or should have known	Because of the very nature of the ‘letterbox’ process which was designed to protect the identities of adoptive and birth parents, the council should have known that this type of issue was a risk, and that a breach of confidentiality would cause ‘substantial distress’. The council should therefore have taken steps to prevent the problem arising.
Likely to cause damage or distress	This contravention was of a kind likely to cause substantial distress and on this occasion resulted in what a court deemed to be ‘inappropriate contact’.

Links

View PDF of the Halton Borough Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Halton Borough Council Monetary Penalty Notice (Via ICO Website)

–>

Stockport Primary Care Trust

Posted on 30 May 2013 by BreachMaster

Breach details

What	Patient identifiable data was left in a decommissioned building.
How much	About 1000 records, including 200 containing highly sensitive personal data.
When	2010-2011
Why	Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 100,000
When	30 May 2013

Why the regulator acted

Breach of act	Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known	The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
Likely to cause damage or distress	There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.

Links

View PDF of the Stockport Primary Care Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Stockport Primary Care Trust Monetary Penalty Notice (Via ICO Website)

News Group Newspapers

Posted on 21 May 2013 by BreachMaster

Breach details

What	Customers’ personal data, some several years old.
How much	‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
When	July 2011
Why	A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the fifth and seventh data protection principles
When	9 November 2011
Details	Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.

There was a breach of the fifth and seventh principles.

There had been a previous penetration test, so the Sun knew of the vulnerability.

It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

Links

View PDF of the News Group Newspapers Undertaking (Breach Watch Archive)

View PDF of the News Group Newspapers Undertaking (Via ICO Website)

The Burnett Practice

Posted on 13 May 2013 by BreachMaster

Breach details

What	Names and email addresses.
How much	About 175 records.
When	3 October 2012 or earlier
Why	The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	26 April 2013
Details	The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

Links

View PDF of The Burnett Practice Undertaking (Breach Watch Archive)

View PDF of The Burnett Practice Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 17 October 2013.

View PDF of the Burnett Practice Undertaking Follow Up (Breach Watch Archive)

View PDF of the Burnett Practice Undertaking Follow Up (Via ICO Website)

East Riding of Yorkshire Council

Posted on 16 April 2013 by BreachMaster

Breach details

What	Sensitive personal data was inappropriately disclosed.
How much	One record and one verbal remark.
When	April/May 2012
Why	Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	4 April 2013
Details	Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

Links

View PDF of the East Riding of Yorkshire Council Undertaking (Breach Watch Archive)

View PDF of the East Riding of Yorkshire Council Undertaking (Via ICO Website)

DM Design Bedrooms

Posted on 18 March 2013 by BreachMaster

Breach details

What	Serious breach of the Privacy and Electronic Communications Regulations (PECR). A high volume of unsolicited marketing calls to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much	An unknown number of direct marketing calls resulting in 1,945 TPS complaints and an unspecified number of complaints directly to the ICO.
When	June 2011 to November 2012
Why	Ignored requirement to screen call lists against the Telephone Preference Service (TPS) or maintain an opt-out register.

BW Comments

After initial contact from the ICO, the unsolicited calls continued and some reported to the Commissioner were described as aggressive.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £90,000
When	20 March 2013

Why the regulator acted

Breach of act	Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known	Concerns over PECR obligations were first raised by the Commissioner in 2004. The volume of complaints made before and after the Commissioner’s letter of May 2012 would have made the company aware that they were continually breaching regulations.
Likely to cause damage or distress	The overall level of distress was assessed as substantial due to the very large numbers of individuals affected. A small number of individuals also personally suffered substantial levels of distress.

BW Observations

That DM Design breached the PECR by not screening against the the TPS register and maintaining their own opt-out list is not debatable. The volume of calls and complaints are significant (although we are not told what the average or maximum level of complaints are to the TPS in respect of a company other than “they [DM Design] were one of the organisations about which the most complaints were received”). What’s interesting is the ICO again used the same justification as the Tetrus Telecommunications MPN to determine the s55A(1)(b) ‘substantial damage or distress test’ – that although the distress in each individual case was not considerable, the cumulative effect of the distress caused by the totality of all calls made in contravention of PECR met the Commissioner’s threshold of substantial distress.

Links

View PDF of the DM Bedroom Design Ltd Monetary Penalty Notice (Breach Watch Archive)

View PDF of the DM Bedroom Design Ltd Monetary Penalty Notice (Via ICO Website)

Nursing and Midwifery Council

Posted on 15 February 2013 by BreachMaster

Breach details

What	Loss of sensitive personal data (medical and details relating to legal proceedings).
How much	Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
When	07 October 2011
Why	In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:

Always use couriers when sending personal data on physical media.

Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 150,000
When	12 February 2013

Why the regulator acted

Breach of act	Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known	The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress	The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.

Links

View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Via ICO Website)

Leeds City Council

Posted on 27 January 2013 by BreachMaster

Breach details

What	Personal and sensitive (health) personal data.
How much	An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When	Not specified.
Why	During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	30 November 2012
Details	The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Links

View PDF of the Leeds City Council Undertaking (Breach Watch Archive)

View PDF of the Leeds City Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 20 May 2013

View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)

View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)

Mansfield District Council

Posted on 25 January 2013 by BreachMaster

Breach details

What	Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much	An undisclosed number of records.
When	August 2009 to November 2012
Why	Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	25 January 2013
Details	Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Links

View PDF of the Mansfield District Council Undertaking (Breach Watch Archive)

View PDF of the Mansfield District Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 03 May 2013 (published by ICO on 01 November 2013).

View PDF of the Mansfield District Council Undertaking Follow Up (Breach Watch Archive)

View PDF of the Mansfield District Council Undertaking Follow Up (Via ICO Website)

Sony Computer Entertainment Europe

Posted on 24 January 2013 by BreachMaster

Breach details

What	Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much	Redacted. Information Week stated 77 million records.
When	Detected 19 April 2011
Why	In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony Playstation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

Patch systems regularly.

Run regular external vulnerability scans against systems.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 250,000
When	14 January 2013

Why the regulator acted

Breach of act	Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Newwork Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known	Various Sony online networks had previously been the subjects of attacks from hacktivist organisations. Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress	It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations

A lack of basic security practices such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5) are sufficient to justify a MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised, however it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customer’s accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It has been reported that Sony intends to appeal the MPN to the Information Tribunal and although an appeal was initially launched, this was later withdrawn.

Links

View PDF of the Sony Computer Entertainment Europe Limited Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Sony Computer Entertainment Europe Limited Monetary Penalty Notice (Via ICO Website)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500