HSBC Life (UK)

What

  • Loss of personal data.
  • General lack of controls

How much

180,000 records.

Why

Loss of unencrypted CD in the post.

Regulator

FSA

Regulatory action

Monetary penalty – £1,610,000

Reason for action

Systemic organisational failings in InfoSec. No risk assessment. Repeated transmission of unencrypted data. Customer data held insecurely in office.

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Life (UK) Final Notice (via FSA website)

View PDF of the HSBC Life (UK) Final Notice (Breachwatch archive)

HSBC Actuaries and Consultants

What

Loss of personal data.

How much

1,917

Why

Loss of unencrypted floppy disk in the post

Regulator

FSA

Regulatory action

Monetary penalty – £875,000

Reason for action

  • Inadequate risk analysis/assessment.
  • Ignored instructions from HSBC group following Nationwide breach

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Actuaries and Consultants Final Notice (via FSA website)

View PDF of the HSBC Actuaries and Consultants Final Notice (Breachwatch archive)

Repair Management Services Ltd

What
Loss of sensitive personal data.

How much
36,800 records.

Why
A unencrypted laptop was stolen from a secure, but unattended, motor vehicle in a public car park.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptop was unencrypted despite containing details relating to criminal convictions.

When
17 July 2009

Links
View PDF of the Repair Management Services Ltd Undertaking (Breach Watch Archive)

London Borough of Sutton

What
Loss of sensitive personal data.

How much
About 119 records.

Why
Numerous Incidents:

  • A paper file containing personal data relating to 73 individuals receiving social care went missing from an office.
  • A document package relating to childcare proceedings was left with the neighbour of an intended recipient and subsequently went missing.
  • An unencrypted laptop containing personal data to 9 children was stolen from a locked cupboard on a children’s hospital ward.
  • An unencrypted laptop containg social care data relating to 39 individuals was stolen from the home of an employee of the data controller.
  • 9 administration computers used to access dara in the data controller’s network were stolen, but some files may have been downloaded onto the computer’s hard drives in breach of policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The various breaches demonstration a lack of security, both physical and technical. The sheer amount of breaches betrayed an overall organisational weakness.

When
29 July 2009

Links
View PDF of the London Borough of Sutton Undertaking (Breach Watch Archive)

Nightingale Practice

What
Loss sensitive of personal data.

How much
7,700 records.

Why
10 back up tapes and a USB portable hard drive were stolen. The USB hard drive and five of the back up tapes were not encrypted.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the physical security of personal data be ensured. All portable media devices containing personal data must be encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
Physical security was adequate, as the devices were kept in a locked firesafe in a locked and alarmed environment, but the lack of encryption was unacceptable.

When
10 July 2009

Links
View PDF of the Nightingale Practice Undertaking (Breach Watch Archive)

London Clubs International Limited

What
Loss of personal data.

How much
26,000 records.

Why
An unencrypted laptop was stolen from the data controller’s premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. The physical security of such devices must be ensured.

Reason for action
The laptop was password protected, but not encrypted.

When
10 July 2009

Links
View PDF of the London Clubs International Limited Undertaking (Breach Watch Archive)

Neath Port Talbot County Borough Council

What
Loss of personal data.

How much
65 records.

Why
An unencrypted USB memory stick containing the personal data of children looked after the data controller was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The memory stick was not encrypted or password protected.

When
9 July 2009

Links
View PDF of the Neath Port Talbot County Borough Council Undertaking (Breach Watch Archive)

Oldham Council

What
Loss of sensitive personal data.

How much
220 records.

Why
13 unencrypted laptops were stolen during a burglary at secure council offices, with the exception of one stolen from a staff members car and another that was stolen during the course of a youth activity evening.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
Three of these unencrypted laptops held sensitive personal data and the council did not take adequate steps to safeguard the data, either through encryption, or better physical security in respect of the two laptops stolen outside of council property.

When
7 July 2009

Links
View PDF of the Oldham Council Undertaking (Breach Watch Archive)

Sandwell Metropolitan Borough Council

What
Loss of sensitive personal data.

How much
About four records.

Why
An unencrypted memory stick containing data relating to children in care was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices are encrypted to a suitable standard. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
Sensitive data was transferred to the memory stick in breach of Council procedure and was not password protected. The employee intended to use the data to work at home, but lost it during his commute.

When
29 July 2009

Links
View PDF of the Sandwell Metropolitan Borough Council Undertaking (Breach Watch Archive)

Hampshire Partnership NHS Trust

What
Loss of personal data.

How much
607 records.

Why
An unencrypted laptop containing personal data relating to staff and patients was stolen from an employee’s hotel room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The laptop was unencrypted and stolen from the employee while he was attending a conference.

When
26 June 2009

Links
View PDF of the Hampshire Partnership NHS Trust Undertaking (Breach Watch Archive)