Torbay Care Trust

Breach details

What

Loss of sensitive personal data.

How much

1,373 records.

When

April 2011.

Why

Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an Excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £175,000.

When

6 August 2012.

Why the regulator acted

Breach of act

Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.

Known or should have known

The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.

Likely to cause damage or distress

Financial and medical data. May have been accessed by untrustworthy third parties.

Toshiba Information Systems UK Ltd

What

Loss of personal data.

How much

20 records.

Why

A security fault in an online competition meant that the personal details of individuals who registered could be accessed by users other than the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will obtain sufficient guarantees from the data processor that it will conduct appropriate web application security tests in relation to any web applications, and that compliance with these guarantees is monitored.

Reason for action

It was felt that insufficient security testing had been performed on the web application intended for the competition, despite a written contract being in place between the data controller and data processor.

When

17 Apr 2012

Links

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Via ICO Website)

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Breach Watch Archive)

Durham University

What

Loss of personal data.

How much

Unknown.

Why

Training manuals posted on the data controller’s website contained actual, rather than fictitious or anonymised personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that no documents containing personal data shall be placed on the data controller’s website and that staff will be made aware of IT security policies by no later than the 30th of September 2012.

Reason for action

The breach was discovered in July 2011 but the manuals had been live on the website since February 2011. During the investigation it became clear that only around 20% of staff had made use of the training materials available to them.

When

01 March 2012.

Links

View PDF of the Durham University Undertaking (Via ICO Website)

View PDF of the Durham University Undertaking (Breach Watch Archive)

Dumfries and Galloway Council

What

Accidental online disclosure of staff’s personal information.

How much

887 records.

Why

Records were accidentally published online in response to a Freedom of Information (Scotland) Act request.

Regulator

ICO

Regulatory action

Undertaking issued to undergo an externally commissioned audit and to put in place checks to prevent another such occurrence.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

17 October 2011.

Links

View PDF of the Dumfries and Galloway Council Undertaking (Via ICO Website)

View PDF of the Dumfries and Galloway Council Undertaking (Breach Watch Archive)

Child Exploitation Online Protection Centre and the Serious Organised Crime Agency

What

CEOP’s website reporting forms were being transmitted insecurely.

How much

None.

Why

A member of the public realised that the website’s reporting page was insecure.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is made secure and subject to regular checks.

Reason for action

Reports were transmitted unencrypted in plain text and this had been the case for several months.

When

15 September 2011.

Links

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Via ICO Website)

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Breach Watch Archive)

Lush Cosmetics

What

Compromise of credit card details.

How much

5,000 records.

Why

Malicious website intrusion.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is subject to continued penetration testing and kept to an appropriate level of security.

Reason for action

Security measures in place were deemed insufficient to prevent a determined attack.

When

09 August 2011.

Links

View PDF of the Lush Cosmetics Undertaking (Via ICO Website)

View PDF of the Lush Cosmetics Undertaking (Breach Watch Archive)

Bay House School

What

Loss of sensitive personal data.

How much

20,000 records.

Why

Malicious website intrusion.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that encryption is used, annual penetration tests are performed and password policies are updated to ensure security.

Reason for action

A member of staff was using the same password for the school’s website and management systems, providing the attackers, including at least one pupil, with the system administration information required to attack the system.

When

08 August 2011.

Links

View PDF of the Bay House School Undertaking (Via ICO Website)

View PDF of the Bay House School Undertaking (Breach Watch Archive)

University of York

What

Loss of personal data.

How much

148 records.

Why

Failure to close a test area on the University’s website that contained student records.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that university IT staff ensure the appropriate security of all data following maintenance.

Reason for action

Insufficient managerial control was in place to ensure that the test version of the database was deleted.

When

20 July 2011.

Links

View PDF of the University of York Undertaking (Via ICO Website)

View PDF of the University of York Undertaking (Breach Watch Archive)

Lancashire Police Authority

What

Loss of sensitive personal data.

How much

Unknown.

Why

Sensitive personal data was accidentally published on the data controller’s website.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient training and security measures are put into place to prevent accidental disclosure of sensitive data.

Reason for action

The data controller was insufficiently familiar with the relatively new system being used to publish their website and failed to take immediate action having been made aware of the error.

When

19 July 2011.

Links

View PDF of the Lancashire Police Authority Undertaking (Via ICO Website)

View PDF of the Lancashire Police Authority Undertaking (Breach Watch Archive)