British Pregnancy Advice Service

Breach details

What A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website.
How much 9,900 records.
When 08 March 2012.
Why The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped due to security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but as BPAS was unaware that it was processing the call back data they did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing so continued to remain ignorant of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on the website. Fortunately, these were not published as the attacker was arrested the following day and the information was recovered following an injunction.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 07 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data as they didn’t delineate specific parameters to ensure the website did not store personal data, nor set up appropriate security measures.
Known or should have known BPAS clearly knew that personal data of this nature needed to be held securely as they decided not to put in place their original ‘appointment booking system’ and provided promises of security in their privacy policy. They should have been able to prevent the contravention by having a detailed specification of the parameters of the CMS to either ensure that data was not stored on the website or provide adequate security for this information.
Likely to cause damage or distress The website’s privacy policy led users to believe that their information would remain secure and confidential, and the ability of a hacker to access this information is likely to cause substantial distress if this was known, particularly with the fear that this data could be further disseminated. If the data had been misused by the attacker or disclosed to untrustworthy third parties there is a risk that some individuals would have faced physical harm or even death given their ethnicity or social background and the nature of the advice they were seeking (including abortion and sterilisation).

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, and Panasonic’s comprehensive data protection policies that would have prevented this breach were therefore not automatically applied. However, it appears that these policies were not communicated to the company and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Royal Veterinary College

Breach details

What Theft of a camera memory card containing passport images of multiple job applicants.
How much An unknown number.
When December 2012.
Why A memory card containing applicant passport photos was stolen from a camera owned by an employee, and thus fell outside the RVC’s policies and procedures. However, the possiblity of the use of personal devices in the workplace was not accounted for in these policies. Staff data protection training is also inadequate and is not being proactively addressed to prevent similar issues occurring in the future.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 15 October 2013.
Details The RVC is to implement mandatory induction and annual refresher training to all staff who routinely process personal information by 30 April 2014. This training is to be recorded and monitored, and follow-up procedures are to be implemented to ensure that all staff complete this training. In addition to training, all portable and mobile devices used to transmit personal data are to be encrypted and advice given on the use of personal devices.

Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in case was stolen from the proprietor’s car when it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.

Derbyshire, Leicestershire and Nottinghamshire Police Forces

Breach details

What The theft of laptops containing sensitive personal data including prison records and offender details.
How much Approximately 4,500 records held on eight laptops.
When 14 August 2010.
Why These police forces were part of the East Midlands Collaboration Unit (EMCU), whose offices were burgled in August 2010. Eight laptops belonging to seconded offices were stolen; they had not been stored in available lockable containers and two were unencrypted. Derbyshire and Leicestershire Police had not undertaken their own risk assessments and relied on the security measures of Nottingham Police. However, this did not specify that laptops should be encrypted, made no provision for locking them in containers, and did not monitor the offices during this period.

Regulatory action

Regulator ICO
Action Enforcement Notice issued to limit the sharing of personal data.
When 18 June 2013
Details These police forces shall only share personal data as part of a collaborative project if a Senior Information Risk Owner has been appointed to oversee the work and risk assess the premises; laptop and other portable electronic security devices are encrypted; and all officers involved in the project are given appropriate training. These measures should been implemented within 35 days.

Health & Care Professions Council

Breach details

What Documents containing personal data relating to a ‘fitness to practice’ hearing.
How much An unknown number of documents.
When 2011.
Why A suitcase containing documents relating to a ‘fitness to practice’ hearing was stolen from a train. The solicitors who had prepared these documents had not signed a contract to act only under instruction from the Data Controller, and had not been provided with specific guidance on the redaction of these documents for hearings.

BW Comments

It is strange the the ICO highlights the lack of an adequate contract between the Data Controller and their solicitor. Surely the normal contract of engagement between a client and solicitor would provide the necessary requirements of confidentiality and that the solicitor should only act on the client’s instructions?

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 09 July 2013.
Details The Data Controller is to immediately enter into a contract with its solicitors and issue instructions regarding the processing of personal data. In addition, agents and contractors given access to personal data are to be provided with specific guidance around data security; compliance with policies on data protection is to be regularly monitored; and security measures are to be implemented to protect personal data.

Greater Manchester Police

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by an endpoint protection software and encrypted USB drives are issued to everyone that needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.