Personnel files found in Llandudno skip

What
Loss of sensitive personal data

How much
Unknown.

Why

Personnel files from a nightclub were found blowing out of a skip. A member of the public gave two sample files to the Daily Post. The files included phone numbers, addresses, National Insurance numbers, copies of driving licences with a photocopied photograph and an email address.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

IEEE stored 100,000 usernames and passwords in plaintext on FTP server

What
Loss of personal data

How much
Unknown.

Why
Log files containing nearly 100,000 usernames and plain-text passwords were stored on an FTP server that did not require a login.

The log files, from ieee.org and spectrum.ieee.org, were stored in an unprotected directory on the server and were available to any public user.

Denmark-based Romanian computer scientist Radu Dragusin, who discovered the files, has undertaken not to make the raw data public, although it is not known whether the data set was downloaded by anyone else.

Analysis of the data is available on the website Dragusin created after discovering the files – ieeelog.com

The organisation has acknowledged the breach.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

Welcome Financial Services Limited

Breach details

What
Loss of personal data.

How much
Approximately 2 million records.

When
7 November 2011

Why
Backup tapes of Shopacheck’s LAN were transported back and forth between the network site and an offsite storage room. On 23 November 2011 it was discovered that two of these tapes, containing the personal data of millions of individuals, were missing.

Regulatory action

Regulator
ICO

Action
Monetary penalty of £150,000

When
5 July 2012

Why the regulator acted

Breach of act
Unencrypted tapes were lost, and have still not been recovered. Inappropriate organisational and technical measures.

Known or should have known
Data controller was aware of the possible consequences of the tapes going missing, since policies were in place requiring encryption.

Likely to cause damage or distress
Financial information of customers.

Pharmacyrepublic Ltd

What

Loss of sensitive personal data.

How much

Approximately 2,000 records.

Why

Theft of a patient medication record system.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate procedures are put in place to ensure that PMR pharmacy data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.

Reason for action

The PMR system was stolen from the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected, the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, to whom they had been paying a monthly retainer, prior to the transfer of ownership process.

When

27 Mar 2012

Links

View PDF of the Pharmacyrepublic Ltd Undertaking (Via ICO Website)

View PDF of the Pharmacyrepublic Ltd Undertaking (Breach Watch Archive)

Holroyd Howe Independent Ltd

What

Loss of personal information.

How much

All payment records for the data controller’s employees.

Why

A data processor received a request from one of the data controller’s ex-employees for a copy of one of his payslips. In error, the data processor, which was acting on behalf of the data controller, emailed him a PDF document showing the relevant month’s payslips for all the data controller’s employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s amended policy for the storage and use of personal data and are appropriately trained how to follow that policy. Personal data transmitted over email must be encrypted to a sufficient standard.

Reason for action

In the course of investigation, it emerged that the data controller did not have a formal contract in place governing the processing of personal data by this data processor. It was noted that job-related training was given which included emphasis on confidentiality and sensitivity of data where appropriate, although some improvements were identified in relation to policies and procedures. It was further noted that remedial action taken in response to this incident had been prompt and thorough and that no adverse consequences had resulted.

When

23 May 2012

Links

View PDF of Holroyd Howe Independent Ltd Undertaking (Via ICO Website)

View PDF of Holroyd Howe Independent Ltd Undertaking (Breach Watch Archive)

Safe and Secure Insurances Services Limited

What

Loss of personal data.

How much

Unknown

Why

A hard drive purchased from the Internet contained personal data relating to S&S clients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any redundant hard drives and removable media devices used to store personal data are forensically wiped or completely destroyed before being disposed of or reused. The details of any such items must be logged.

Reason for action

S&S could not confirm how the hard drive had ended up in the public domain. It also transpired that the data controller did not have an adequate data protection policy in place at the time of the incident and further, that it did not have a drive disposal procedure. The data controller did not keep a record of any decommissioned equipment.

When

25 Apr 2012

Links

View PDF of the Safe and Secure Insurances Services Limited Undertaking (ICO Website)

View PDF of the Safe and Secure Insurances Services Limited Undertaking (Breach Watch Archive)

Toshiba Information Systems UK Ltd

What

Loss of personal data.

How much

20 records.

Why

A security fault in an online competition meant that the personal details of individuals who registered could be accessed by users other than the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will obtain sufficient guarantees from the data processor that it will conduct appropriate web application security tests in relation to any web applications, and that compliance with these guarantees is monitored.

Reason for action

It was felt that insufficient security testing had been performed on the web application intended for the competition, despite a written contract being in place between the data controller and data processor.

When

17 Apr 2012

Links

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Via ICO Website)

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Breach Watch Archive)

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and, at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

9 March 2012

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

Zurich Insurance plc

What
Loss of personal data.

How much
6,800 records.

Why

Unencrypted backup tape lost by the data processor.

Regulator
ICO

Regulatory action

Undertaking issued to ensure that where any future movement of backup tapes is required appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractor’s staff and effective controls must be put in place to monitor and report potential or actual data loss activity.

Reason for action

Zurich did not audit the data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as it would with a normal data processor.

When
7 March 2010

Links
View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)