Wheelbase Motor Project

What

Loss of sensitive personal data.

How much

50 records.

Why

Theft of an unencrypted portable hard drive.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

Although the format of the hard drive would have been incompatible with most desktop systems and the sensitive files were password protected, it was ruled that this was insufficient security.

When

27 May 2011.

Links

View PDF of the Wheelbase Motor Project Undertaking (Via ICO Website)

View PDF of the Wheelbase Motor Project Undertaking (Breach Watch Archive)

Co-operative Life Planning Limited

What

Inappropriate disclosure of personal data.

How much

“A substantial volume”

Why

An electronic file containing customer data was sent to a software support supplier, where it was copied onto the supplier’s own servers.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

When

26 May 2011.

Links

View PDF of the Co-operative Life Planning Limited Undertaking (Via ICO Website)

View PDF of the Co-operative Life Planning Limited Undertaking (Breach Watch Archive)

Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law

Breach details

What

Loss of sensitive personal information.

How much

6,000 records.

When

2009 – May 2010

Why

Insufficient measures taken to protect spreadsheets containing personal data, which was made available online following a DDoS attack.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £1,000

When

10 May 2011

Why the regulator acted

Breach of act

Unencrypted spreadsheets were placed on a torrent site following a denial of service attack. A “home-use” web service was used rather than a business package. Inappropriate organisational and technical measures.

Known or should have known

The data controller was fully aware of the sensitive nature of the data he dealt with and that his business was controversial and unpopular with some. The risk of attack was clear, yet he set up his site without professional IT advice.

Likely to cause damage or distress

Financial and medical information of many individuals.

Aramark Ltd.

What

Loss of personal information.

How much

109 records.

Why

Paperwork and an unencrypted laptop were stolen in-transit.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and are only taken off site when absolutely necessary.

Reason for action

Although the laptop was password protected, this was insufficient security, given the sensitive nature of the data it contained.

When

24 February 2011.

Links

View PDF of the Aramark Ltd. Undertaking (Via ICO Website)

View PDF of the Aramark Ltd. Undertaking (Breach Watch Archive)

A4e Ltd

Breach details

What

Loss of sensitive personal information.

How much

24,000 records.

When

18/19 June 2010

Why

Theft of an unencrypted laptop from a staff member’s home.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £60,000

When

22 November 2010

Why the regulator acted

Breach of act

Theft of an unencrypted laptop. Inappropriate organisational and technical measures.

Known or should have known

The data controller was aware of the possible consequences of laptops being stolen and had commenced a laptop encryption programme.

Likely to cause damage or distress

Financial and personal information of clients.

Google

What

Mistaken collection of payload data.

How much

Unknown, but likely to be minimal.

Why

Google Street View vans, adapted to pick up publicly available Wi-Fi signals, had mistakenly collected payload data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that Google puts in place improved training measures on security awareness and data protection issues for all employees. Project engineers will be required to maintain a privacy design document for every new project before it is launched. All the payload data must be deleted.

Reason for action

Google took rapid remedial action; however, the fact that the issue occurred at all was still of note. Google was required to facilitate a consensual audit by the ICO.

When

19 November 2010

Links

View PDF of the Google Undertaking (Via ICO Website)

View PDF of the Google Undertaking (Breach Watch Archive)

Rainforest Alliance Ltd

What

Potential loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop during a domestic burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that staff are sufficiently trained and monitored in the data controller’s security policies.

Reason for action

Although the laptop was password protected and used with permission, it was not encrypted, and it emerged that only some of the data it contained had been backed up on the office server. It was concluded that the data controller had not provided adequate guidance on physical security.

When

11 November 2010

Links

View PDF of the Rainforest Alliance Ltd Undertaking (Via ICO Website)

View PDF of the Rainforest Alliance Ltd Undertaking (Breach Watch Archive)

Healthcare Locums PLC (HCL)

What

Loss of personal information.

How much

Unknown.

Why

A network storage device containing records relating to doctors employed by the data controller was lost or stolen in transit during a move and was sold on eBay. It was eventually recovered.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that contracts are put in place between the data controller and any contractors it uses to process personal data on its behalf, who must be sufficiently checked. Sufficient physical security measures must be implemented, and records of data contained on physical media must be kept.

Reason for action

Neither the network storage device nor the personal data contained within it was encrypted. No inventory of equipment being transported was taken, and therefore the loss/theft of the device went unnoticed until the eBay buyer contacted the data controller.

When

14 October 2010

Links

View PDF of the Healthcare Locums PLC Undertaking (Via ICO Website)

View PDF of the Healthcare Locums PLC Undertaking (Breach Watch Archive)

Yorkshire Building Society

What

Loss of personal information.

How much

A “substantial” number.

Why

Theft of an unencrypted laptop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that compliance with IT security policies is appropriately and regularly monitored.

Reason for action

The laptop was unencrypted and, contrary to policies and procedures, the manager had written down passwords and left these and the laptop under his desk overnight.

When

26 August 2010

Links

View PDF of the Yorkshire Building Society Undertaking (Via ICO Website)

View PDF of the Yorkshire Building Society Undertaking (Breach Watch Archive)

DSG Retail

What

Loss of personal information.

How much

Over 100 records.

Why

Paperwork related to credit agreements was found in a skip near the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will review its security measures and implement any necessary security and monitoring measures.

Reason for action

The documents related to transactions two years prior and had been retained beyond the period specified in the data controller’s procedures. The normal procedure for disposing of such documents (sending them to a central facility for secure shredding) had not been followed.

When

25 August 2010

Links

View PDF of the DSG Retail Undertaking (Via ICO Website)

View PDF of the DSG Retail Undertaking (Breach Watch Archive)