Staysure.co.uk Limited

Breach details

What Customer records containing payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 93,389 customer details containing 110,096 payment card records.
When 14 October 2013
Why A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor in the Staysure web server. This allowed the attacker to access and download all data stored within the system which included over three million customer records, although it appears that only payment card data was targeted by the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £175,000.
When 20 February 2015.

Why the regulator acted

Breach of act Breach of the fifth data protection principle in that it was recognised that old payment card data should have been deleted; this deletion was planned but, due to human error, it was not completed.
Breach of the seventh data protection principle as systems and processes were not in place to update software. Additionally, PCI DSS prohibits the storage of CVV2/CVC2 data.
Known or should have known The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS), which requires security update management and prohibits storage of CVV2/CVC2. The patch to JBoss was available from the RedHat distribution and so the Data Controller should have known about its availability. Given the Data Controller processed payment card data, it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.
Likely to cause damage or distress Of the payment card data stolen, the Commissioner was aware that over 5,000 such payment cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the Data Subjects’ banks, the Commissioner is of the opinion that distress had in fact occurred.

Worldview Limited

Breach details

What Customer records containing encrypted payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 3,814 records.
When 18 June 2013
Why A single web server also contained the customer database and the WordPress content management system. A malicious attacker used SQL injection techniques to extract the WordPress password hashes, which the attacker was then able to brute force due to the use of weak passwords. The attacker was then able to extract records from the database, including encrypted payment data; however, the encryption keys were stored on the same drive as the encrypted data and were therefore available to the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £7,500.
When 31 October 2014.

Why the regulator acted

Breach of act Breach of the seventh principle in that insufficient technical and organisational measures were taken. The ICO highlighted:

  • Developer training
  • Security testing of web pages
  • Use of default passwords
  • Encryption/Decryption key management
Known or should have known The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) and therefore should have been aware of the risks and the recommended controls. Given the nature of the information stored, it should also have been obvious to the Controller that a breach in security would be liable to cause damage or distress to the data subjects.
Likely to cause damage or distress The ICO argues that the loss of payment card data could lead to fraud and substantial damage to the data subjects affected (even though there was no evidence of this). The knowledge of the loss of their personal data would cause ‘substantial distress’ to a data subject.

Think W3 Limited

Breach details

What A malicious hacker was able to access significant amounts of customer data, including credit card details, after targeting Think W3 Limited’s website.
How much 1,163,996 records containing credit or debit card details, of which 430,599 were current.
When 21 December 2012.
Why A system intended for internal purposes was installed on the same web server as the business’s e-commerce application containing customer data. In order to facilitate working from home, this service could be accessed via a login page on a non-customer-facing website which was publicly available over the internet. The login page was not secure due to a coding error that was missed, as no security testing had been done on the basis that this page was not public facing. The hacker was able to exploit this vulnerability and gain administrative access to all the data on the web server.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 23 July 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Think W3 Limited failed to take appropriate technical measures to ensure the security of personal data, predominantly through failing to undertake suitable security testing, due to a failure to understand the extent to which the web server could be accessed via the internet, or to meet PCI DSS compliance requirements.
Known or should have known By 2011 Think W3 Limited were aware of a number of issues with its PCI DSS compliance, causing them to review their security practices. However, they were slow in implementing improvements, despite being aware of the risk of contravention.
Likely to cause damage or distress Although CVV2/CVC2 values were not obtained, the data obtained was clearly of interest to the attacker, given the targeted nature of the attack, and could be used for fraudulent purposes. The data subjects would rightly be distressed to learn that their data had been accessed by a malicious third party.

British Pregnancy Advice Service

Breach details

What A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website.
How much 9,900 records.
When 08 March 2012.
Why The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped due to security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but as BPAS was unaware that it was processing the call back data they did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing so continued to remain ignorant of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on the website. Fortunately, these were not published as the attacker was arrested the following day and the information was recovered following an injunction.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 07 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data as they didn’t delineate specific parameters to ensure the website did not store personal data, nor set up appropriate security measures.
Known or should have known BPAS clearly knew that personal data of this nature needed to be held securely as they decided not to put in place their original ‘appointment booking system’ and provided promises of security in their privacy policy. They should have been able to prevent the contravention by having a detailed specification of the parameters of the CMS to either ensure that data was not stored on the website or provide adequate security for this information.
Likely to cause damage or distress The website’s privacy policy led users to believe that their information would remain secure and confidential, and the ability of a hacker to access this information is likely to cause substantial distress if this was known, particularly with the fear that this data could be further disseminated. If the data had been misused by the attacker or disclosed to untrustworthy third parties there is a risk that some individuals would have faced physical harm or even death given their ethnicity or social background and the nature of the advice they were seeking (including abortion and sterilisation).

First Financial (UK) Limited

Breach details

What Breach of the Privacy and Electronic Communications Regulations (PECR).
The sending of unsolicited marketing SMS.
How much 4,031 complaints.
When 01 February 2013 to 31 March 2013.
Why It appears that First Financial was set up in order to provide short-term loans, and was probably intended to be a transient company that could be closed before regulatory action was taken against them. During the period in question First Financial carried out a marketing campaign by sending text messages claiming the recipient was entitled to immediate cash claims through the First Financial website. The text messages were sent using unregistered SIM cards to avoid spam detectors. The individual who set up First Financial has since tried to dissolve the company, remove himself from the company register as director, and has refused to disclose the financial position of the company.

Regulatory action

Regulator ICO
Action Monetary Penalty of £175,000.
When 16 December 2013.

Why the regulator acted

Breach of act Breach of Regulation 22: sent unsolicited marketing SMS messages without asking for the consent of the individuals concerned.
Known or should have known The issue of unsolicited text messages has been widely publicized recently and so First Financial should have been well aware that they ran a high risk of contravening regulations by sending such a high volume of texts. The volume of texts indicates that there were no systems in place to ensure the consent of the recipients and by using unregistered SIM cards they were deliberately contravening PECR.
Likely to cause damage or distress The large numbers of individuals involved in this case ensured that the overall level of distress was substantial, particularly as only a very small percentage of recipients of texts such as these report them. Some individuals were concerned about the unsociable times they received these messages; others were troubled about where First Financial had obtained their details.

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, so Panasonic’s comprehensive data protection policies, which would have prevented this breach, were not automatically applied. It appears that these policies were not communicated to the company, and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in cash was stolen from the proprietor’s car while it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.

Foyle Women’s Aid

Breach details

What Confidential client information contained in a folder was left at a cafe.
How much A folder containing information on one case.
When June 2012
Why A lack of effective controls and procedures for taking information out of the office contributed to the loss of this personal data. Excessive information was also being transported, as the folder contained personal data not relevant to the scheduled meetings. However, there were general policies and procedures in place and the support worker had received relevant training. The support worker was also acting against previous instructions given by Foyle Women’s Aid.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details Foyle Women’s Aid will immediately implement a formal policy covering the use of personal data outside of the office and provide training to their staff; compliance with these policies shall be regularly monitored. Portable devices used for the storage and transmission of personal data must be encrypted. Physical and other security measures must also be implemented to protect against unauthorised access to personal data.

Bank of Scotland

Breach details

What Personal information including national insurance numbers, bank details, and photocopies of passports and driving licenses was faxed to a number of incorrect recipients.
How much An unknown number of records.
When February 2009 to February 2013.
Why During this four-year period a number of faxes containing personal information were sent to incorrect recipients rather than to the bank’s central processing systems. These breaches occurred on different fax machines in different locations, and were made by a large number of staff from different branches. This was due to misdialling, and in particular the transposition of the numbers 2 and 8. Although the employees concerned were given training on this issue and a communication was sent alerting all members of staff to the issue of misdialling, this particular error was not raised.

BW Comments

The ICO has on many occasions indicated its dislike of faxing, especially where the errors occurred because of manual misdialling, which could be rectified by only allowing pre-programmed numbers.

Regulatory action

Regulator ICO
Action Monetary penalty of £75,000.
When 30 July 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
Known or should have known The bank was aware that there were risks associated with sending information by fax, as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the measures taken.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

This is the third breach involving a regulated firm where the FCA (FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.

Janet Thomas

Breach details

What Personal data and sensitive personal data included in CVs.
How much 7,435 records.
When 11 April 2012.
Why CV documents were being stored unprotected on the website www.janetpage.com, in an area that was intended to be a secure portal for prospective employers. However, any member of the public could access and download these documents which included information about candidates’ ethnicity, religion, and sexuality.

BW Comments

A reminder that unless you work very hard, documents on a website are very easily accessible.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 16 July 2013.
Details The company shall implement and monitor technical security measures on its website to protect personal data. This data should only be collected when necessary. Staff should also receive data protection training.

BW Observations

Given the background to the ACS Law MPN it is perhaps surprising that an obviously poorly-configured and amateur website containing (sensitive) personal data didn’t receive more than an undertaking from the commissioner. However as a jobseeker typically wants their CV circulated as widely as possible it would be hard for the ICO to establish that the breach of CVs from such a site was likely to cause the Data Subjects damage or distress.