Luton Borough Council

What

Discovery of flawed encryption.

How much

None

Why

A flaw in the encryption of memory sticks allowed them to be reformatted, removing the encryption.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all encryption is up to a sufficient standard.

Reason for action

Encryption was of an insufficient standard and this was only discovered during a recall of old devices.

When

02 September 2011.

Links

View PDF of the Luton Borough Council Undertaking (Via ICO Website)

View PDF of the Luton Borough Council Undertaking (Breach Watch Archive)

Bay House School

What

Loss of sensitive personal data.

How much

20,000 records.

Why

Malicious website intrusion.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that encryption is used, annual penetration tests are performed and password policies are updated to ensure security.

Reason for action

A member of staff was using the same password for the school’s website and management systems, providing the attackers, including at least one pupil, with the system administration information required to attack the system.

When

08 August 2011.

Links

View PDF of the Bay House School Undertaking (Via ICO Website)

View PDF of the Bay House School Undertaking (Breach Watch Archive)

HCA International Limited

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from one of the group’s hospitals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient standard encryption is used and physical security is upgraded.

Reason for action

  • Laptop containing the data was unencrypted.
  • Physical security of the laptop was deemed insufficient to prevent theft.

When

05 August 2011.

Links

View PDF of the HCA International Limited Undertaking (Via ICO Website)

View PDF of the HCA International Limited Undertaking (Breach Watch Archive)

Lewisham Council and Wandle Housing Association

What

Loss of personal data.

How much

20,000 records.

Why

Loss of an unencrypted memory stick in a London pub.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is not transferred onto unencrypted personal media devices.

Reason for action

Staff were insufficiently trained and unaware of the dangers of copying sensitive information to personal, unsecured devices.

When

04 August 2011.

Links

View PDF of the Lewisham Council Undertaking (Via ICO Website)

View PDF of the Lewisham Council Undertaking (Breach Watch Archive)

View PDF of the Wandle Housing Association Undertaking (Via ICO Website)

View PDF of the Wandle Housing Association Undertaking (Breach Watch Archive)

Cherubs Community Playgroup

What

Loss of sensitive personal data.

How much

47 records.

Why

Theft of an unencrypted laptop from the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops containing sensitive personal information are encrypted and sufficient physical security measures are implemented.

Reason for action

The playgroup’s premises were located in a publicly used building and security measures were only implemented during playgroup hours.

When

28 June 2011.

Links

View PDF of the Cherubs Community Playgroup Undertaking (Via ICO Website)

View PDF of the Cherubs Community Playgroup Undertaking (Breach Watch Archive)

Internet Eyes Limited

What

Loss of personal data.

How much

One record.

Why

A short video from the data controller’s security feed was posted on YouTube in which an individual was clearly recognisable.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the transmission of data is sufficiently secure, and that an audit trail is implemented for all users.

Reason for action

The video stream of security footage across the internet was not encrypted and due to the lack of an audit trail it was impossible to determine how the video had been posted.

When

14 June 2011.

Links

View PDF of the Internet Eyes Limited Undertaking (Via ICO Website)

View PDF of the Internet Eyes Limited Undertaking (Breach Watch Archive)

Surbiton Children’s Central Nursery

What

Loss of personal data.

How much

21 records.

Why

A teacher’s bag was stolen containing an unencrypted memory stick and paperwork.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable data devices are encrypted and that staff only take data off site when absolutely necessary.

Reason for action

The memory stick, containing personal data, was unencrypted.

When

14 June 2011.

Links

View PDF of the Surbiton Children’s Central Nursery Undertaking (Via ICO Website)

View PDF of the Surbiton Children’s Central Nursery Undertaking (Breach Watch Archive)

Surrey Council

Breach details

What

Loss of sensitive personal information on three occasions.

How much

241 records.

When

May – June 2010.

Why

Records were accidentally sent out in an email copied to a global distribution list; minutes of a confidential strategy discussion were erroneously emailed to a newsletter distribution group; and additional records were erroneously emailed to an incorrect internal email group.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £120,000.

When

9 June 2011.

Why the regulator acted

Breach of act

Emails were unencrypted and sent to the wrong recipients. Inappropriate organisational and technical measures.

Known or should have known

The risk of incorrect drop-down boxes being selected was “self evident”.

Likely to cause damage or distress

Records related to special needs.

Asperger’s Children & Carers Together (ACCT)

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

The stolen laptop was unencrypted and investigation revealed that the data controller’s policies and procedures did not fully comply with the Act’s requirements.

When

27 May 2011.

Links

View PDF of the Asperger’s Children & Carers Together Undertaking (Via ICO Website)

View PDF of the Asperger’s Children & Carers Together Undertaking (Breach Watch Archive)

Wheelbase Motor Project

What

Loss of sensitive personal data.

How much

50 records.

Why

Theft of an unencrypted portable hard drive.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

Although the format of the hard drive would have been incompatible with most desktop systems and the sensitive files were password protected, it was ruled that this was insufficient security.

When

27 May 2011.

Links

View PDF of the Wheelbase Motor Project Undertaking (Via ICO Website)

View PDF of the Wheelbase Motor Project Undertaking (Breach Watch Archive)