Greater Manchester Police

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by an endpoint protection software and encrypted USB drives are issued to everyone that needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

Norwood Ravenswood Ltd

Breach details

What Loss of sensitive personal data.
How much Four records.
When 5 December 2011
Why A Social Worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared..

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 10 October 2012

Why the regulator acted

Breach of act Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not recieved any data protection training, despite a commitment to it being provided existing in the data controller’s policy.
Known or should have known The data controller had an overarching data protection policy which staff were aware of, even if specific guidence was not given. The sensitivity of staff’s work would have been self evident.
Likely to cause damage or distress The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

Enfield Council: Confidential Files Found in Disused Building

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Personnel files found in Llandudno skip

What
Loss of sensitive personal data

How much
Unknown.

Why

Personnel files from a nightclub were found blowing out of a skip. A member of the public gave two sample files to the Daily Post. The files included phone numbers, addresses, National Insurance numbers, copies of riving licences with a photocopied photograph and an email address.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

CPS Mistakenly Releases Names of Student Protesters

What
Loss of sensitive personal data

How much
Unknown.

Why
After a Freedom of information request, the Crown Prosecution Service mistakenly released the names of 299 people arrested during protests over tuition fees in 2010 and 2011.

The FOI request by a member of the public was to provide figures for costs and resources used in the Metropolitan Police’s Operation Malone (the investigations following a series of demonstrations by students against tuition fees in 2010 and 2011). In response they received a spreadsheet detailing not only Operation Malone but also other disturbances, and containing the names and other sensitive data of 299 people, 44 of whom were under 18, and 116 of whom were not charged.

Regulator

None to date.

Regulatory action
None to date, however a spokesperson for the Information Commissioner told The Huffington Post UK that they were looking into the case.

Reason for action
None to date.

When
September 2012

Links

 

IEEE stored 100,000 usernames and passwords in plaintext on FTP server

What
Loss of personal data

How much
Unknown.

Why
Log files containing nearly 100,000 usernames and plain-text passwords were stored on an FTP server that did not require a login.

The log files, from ieee.org and spectrum.ieee.org, were stored in an unprotected directory on the server and were available to any public user.

Denmark-based Romanian computer scientist Radu Dragusin, who discovered the files, has undertaken not to make the raw data public, although it is not known whether the data set was downloaded by anyone else.

Analysis of the data is available on the website Dragusin created after discovering the files – ieeelog.com

The organisation has acknowledged the breach.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Rio 2016 staff downloaded files illegally during Olympic transfer programme

What
Possible loss of personal data.

How much
Unknown.

Why
 Rio Olympics employees, thought to have been working in the London 2012 technology department, downloaded files without authorisation during the official Olympic knowledge transfer programme.

The original report by Brazilian journalist Juca Kfouri suggests the ‘hack’ was discovered by London 2012 staff when details of unauthorised access were found in log files. Kfouri’s blog entry suggests the files were highly confidential and included information about strategic planning and security. The nature and content of the files has not been confirmed by LOCOG, although officials, playing down the incident, said the documents would probably have been provided to the Rio team had they requested them.

The report of the incident in the Brazilian online portal UOL suggests no personal data was compromised.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Edinburgh City Council Investigates Laptop Theft

What
Loss of senstive personal data.

How much
Unknown.

Why
 The Edinburgh Evening News reported that an unencrypted laptop containing sensitive personal data relating to vulnerable children was stolen from the home of a consultant who conducts reviews of foster and adoptive parents in Edinburgh.

The police believe that the data on the laptop was not targeted, and the Council claims to have contacted “as many as possible” of those whose details were contained on the laptop.

Working with BT the City of Edinburgh Council had taken measures to encrypt some 8000 computers belonging to the council, following an IT security review in 2010. It would appear that the issue here was a failure to ensure that third parties also handling this data followed the same security measures.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

 

Scottish Borders Council

Breach details

What Loss of sensitive personal data.
How much 676 records.
When 10 September 2011
Why A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 250,000£ 0
Overturned on appeal to the Information Rights Tribunal
When 11 September 2012

Why the regulator acted

Breach of act There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self evident.
Likely to cause damage or distress Financial and Medical data. The arrangement had been in place since 2005 and approximately 9000 pension records would have been processed and possibly incorrectly disposed of.

Appeal

The MPN was overturned on appeal to the Information Tribunal.
View PDF of the Scottish Borders Council Appeal (Information Tribunal)

Torbay Care Trust

Breach details

What Loss of sensitive personal data.
How much 1,373 records.
When April 2011
Why Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000
When 6 August 2012

Why the regulator acted

Breach of act Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.
Likely to cause damage or distress Financial and Medical data. May have been accessed by untrustworthy third parties.