Staysure.co.uk Limited

Breach details

What Customer records containing payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 93,389 customer details containing 110,096 payment card records.
When 14 October 2013
Why A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor in the Staysure web server. This allowed the attacker to access and download all data stored within the system which included over three million customer records, although it appears that only payment card data was targeted by the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000.
When 20 February 2015.

Why the regulator acted

Breach of act Breach of the fifth data protection principle in that it was recognised that old payment card data should have been deleted, this activity was planned however due to human error it was not completed.
Breach of the seventh data protection principle as systems and processes were not in place to update software. Additionally PCI DSS prohibits the storage of CCV2/CvC2 data.
Known or should have known The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) which requires security update management and prohibits storage of CVV2/CVC2. The patch to JBoss was available from the RedHat distribution and so the Data Controller should have know about its availability. Given the Data Controller processed payment card data it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.
Likely to cause damage or distress Of the payment card data stollen, the Commissioner was aware that over 5,000 such payment cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the Data Subject’s bank, the Commissioner is of the opinion that distress had in fact occurred.

Worldview Limited

Breach details

What Customer records containing encrypted payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 3,814 records.
When 18 June 2013
Why A single web server also contained the customer database and the WordPress content management system. A malicious attacker used SQL injection techniques to extract the WordPress password hashes which the attacker was then able to brute force due to the use of weak passwords. The attacker was then able to extract records from the database including encrypted payment data, however the encryption keys were stored on the same drive as the encrypted data and therefore available to the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 7,500.
When 31 October 2014.

Why the regulator acted

Breach of act Breach of the seventh principle in that insufficient technical and organisational measures were taken. The ICO highlighted:

  • Developer training
  • Security testing of web pages
  • Use of default passwords
  • Encryption/Decryption key management
Known or should have known The Data Controller was aware of The Payment Card Industry (PCI) Data Security Standard (DSS) and therefore should have been aware of the risks and the recommended controls.Given the nature of the information stored, it should have also been obvious to the Controller that a breach in security would be liable to cause damage or distress to the data subjects.
Likely to cause damage or distress The ICO argues that the loss of payment card data could lead to fraud and substantial damage to the data subjects affected (even though there was no evidence of this). The knowledge of the loss of their personal data would cause ‘substantial distress’ to a data subject.

Think W3 Limited

Breach details

What A malicious hacker was able to access significant amounts of customer data, including credit card details, after targeting Think W3 Limited’s website.
How much 1,163,996 records containing credit or debit card details, of which 430,599 were current.
When 21 December 2012.
Why A system intended for internal purposes was installed on the same web-sever as the businesses e-commerce application containing customer data. In order to facilitate working from home this service could be accessed via a login page on a non-customer facing website which was publicly available over the internet. The login page was not secure due to a coding error that was missed, as no security testing had been done the basis that this page was not public facing. The hacker was able to exploit this vulnerability and gain administrative access to all the data on the web server.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 23 July 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Think W3 limited failed to take appropriate technical measures to ensue the security of personal data, predominately though failing to undertake suitable security testing, due to a failure to understand the extent to which the web server could be accessed via the internet, or to meet PCI DSS compliance requirements.
Known or should have known  By 2011 Think W3 Limited were aware of a number of issues with its PCI  DSS compliance, causing them to review their security practises. However they were slow in implementing improvements, despite being aware of the risk of contravention.
Likely to cause damage or distress Although CCV2 / CvC2 values were not obtained, the data obtained was clearly of interest to the attacker, due to the targeted nature of the attack, and could be used for fraudulent purposes. The data subjects would rightly be distressed to learn that their data had been accessed by a malicious third party.

British Pregnancy Advice Service

Breach details

What A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website.
How much 9,900 records.
When 08 March 2012.
Why The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped due to security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but as BPAS was unaware that it was processing the call back data they did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing so continued to remain ignorant of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on the website. Fortunately, these were not published as the attacker was arrested the following day and the information was recovered following an injunction.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 07 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data as they didn’t delineate specific parameters to ensure the website did not store personal data, nor set up appropriate security measures.
Known or should have known BPAS clearly knew that personal data of this nature needed to be held securely as they decided not to put in place their original ‘appointment booking system’ and provided promises of security in their privacy policy. They should have been able to prevent the contravention by having a detailed specification of the parameters of the CMS to either ensure that data was not stored on the website or provide adequate security for this information.
Likely to cause damage or distress The website’s privacy policy led users to believe that their information would remain secure and confidential, and the ability of a hacker to access this information is likely to cause substantial distress if this was known, particularly with the fear that this data could be further disseminated. If the data had been misused by the attacker or disclosed to untrustworthy third parties there is a risk that some individuals would have faced physical harm or even death given their ethnicity or social background and the nature of the advice they were seeking (including abortion and sterilisation).

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer thereby making the data available to the public. The documents were discovered on 15th February 2012 and were removed (along with all cached versions) within four hours. However, on 18th February a national newspaper published a story on this incident although personal data was not included after a discussion with the Council.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. The data is particularly sensitive as it identifies vulnerable individuals.There is also the risk that the information may have been further disseminated and misused.

Janet Thomas

Breach details

What Personal data and sensitive personal data included in CVs.
How much 7,435 records.
When 11 April 2012.
Why CV documents were being stored unprotected on the website www.janetpage.com, in an area that was intended to be a secure portal for prospective employers. However, any member of the public could access and download these documents which included information about candidates’ ethnicity, religion, and sexuality.

BW Comments

A reminder that unless you work very hard, documents on a website are very easily accessible.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 16 July 2013.
Details The company shall implement and monitor technical security measures on its website to protect personal data. This data should only be collected when necessary. Staff should also receive data protection training.

BW Observations

Given the background to the ACS Law MPN it is perhaps surprising that an obviously poorly-configured and amateur website containing (sensitive) personal data didn’t receive more than an undertaking from the commissioner. However as a jobseeker typically wants their CV circulated as widely as possible it would be hard for the ICO to establish that the breach of CVs from such a site was likely to cause the Data Subjects damage or distress.

Central Bedfordshire Council

Breach details

What Sensitive personal data incorrectly made available on a planning portal
How much Two records. This included birth details, private telephone numbers and personal medical information in one case, and physical and mental health details in the other.
When Unknown.
Why An individual’s personal information was made publicly available via a planning portal on the Council’s website. This occurred after documents were given the wrong planning reference number and then placed in an open access, rather than secure, folder. As a result personal information was not deleted from the documents prior to them being posted. In addition to this incident, a record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 18 September 2012.
Details The Council were to ensure that staff were aware of the correct procedures for preparing planning application documentation, to be given appropriate training, and that the procedures were followed. The social care database was also to contain a completely cleansed dataset by 31 March 2013. Finally, appropriate security measures were to be implemented to protect personal data.

BW Observations

Although the undertaking was ‘signed’ on 18 September 2012, it was only published by the ICO on 12 June 2013. This is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

News Group Newspapers

Breach details

What Customers’ personal data, some several years old.
How much ‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
When July 2011
Why A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator ICO
Action Undertaking to comply with the fifth and seventh data protection principles
When 9 November 2011
Details Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.
  • There was a breach of the fifth and seventh principles.
  • There had been a previous penetration test, so the Sun knew of the vulnerability.
  • It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

Leeds City Council

Breach details

What Personal and sensitive (health) personal data.
How much An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When Not specified.
Why During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 30 November 2012
Details The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Department of Education

Breach details

What Loss of personal information.
How much An unknown number of records.
When 28/29 June 2012
Why The Register reported that Email addresses, unencrypted passwords and individual’s answers to questions posed in a consultation were accesable due to a security flaw in the Department for Education’s website.

BW Comments

Judging by the description in The Register the vulnerability looked like a session management problem. Something that should have been caught be the most rudimentary penetration test.

Regulatory action

Regulator ICO
Action None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated “As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.”

BW Observations

Just because an organisation breaks the DPA the ICO isn’t bound to take action, however BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any web site that collected personal data.