UPS Limited

Posted on 7 August 2009 by BreachMaster

What
Loss of personal data.

How much
9,150 records.

Why
An unencrypted laptop containg payroll data was stolen from the home of an employee of the data controller

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptop was unencrypted, although the data controller has begun steps to introduce a policy to address this issue.

When
7 August 2009

Links
View PDF of the UPS Limited Undertaking (Breach Watch Archive)

Imperial College Healthcare NHS Trust

Posted on 29 July 2009 by BreachMaster

What
Loss of sensitive personal data.

How much
6,000 records.

Why
Six laptops were stolen from a secure area within the hospital on two separate occasions. In a separate incident a small number of paper records were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
One of laptops was unencrypted despite containing sensitive personal data.

When
29 July 2009

Links
View PDF of the Imperial College Healthcare NHS Trust Undertaking (Breach Watch Archive)

East Cheshire NHS Trust

Posted on 27 July 2009 by BreachMaster

What
Loss of sensitive personal data.

How much
About 60 records.

Why
Personal data relating to over 60 patients were found in a garden in Newcastle-under-Lyme. This followed an office move during which an external company was retained to clear out scrap and rubbish from vacated premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that in all cases where third party supplies of goods or services will have access to personal data, a written contract must be entered into prior to work beginning which covers data security requirements. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
The data controller did not enter into any written contract with the external company, nor where its actions appropriately supervised. It was noted during the clearance operations that boxes of data were being disposed of in open skips, but the data controller failed to react to this in time to prevent loss of some records.

When
27 July 2009

Links
View PDF of the East Cheshire NHS Trust Undertaking (Breach Watch Archive)

NHS Lothian

Posted on 21 July 2009 by BreachMaster

What
Loss of personal data.

How much
162 records.

Why
A document wallet containing 25 paper files was temporarily left in a shop. In a second incident an unencrypted USB memory stick was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Network systems are to be introduced to prevent the use of unauthorised personal memory devices to download personal data being processed by NHS Lothian. Measures must be taken to ensure the physical security of all paper files containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The USB memory stick was unencrypted and was the personal property of an employee. In both cases the employees failed to comply with NHS Lothian security requirements.

When
21 July 2009

Links
View PDF of the NHS Lothian Undertaking (Breach Watch Archive)

HSBC Life (UK)

Posted on 17 July 2009 by BreachMaster

What

Loss of personal data.
General lack of controls

How much

180,000 records.

Why

Loss of unencrypted CD in the post.

Regulator

FSA

Regulatory action

Monetary penalty – £1,610,000

Reason for action

Systemic organisational failings in InfoSec. No risk assessment. Repeated transmission of unencrypted data. Customer data held insecurely in office.

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Life (UK) Final Notice (via FSA website)

View PDF of the HSBC Life (UK) Final Notice (Breachwatch archive)

HSBC Insurance Brokers

Posted on 17 July 2009 by BreachMaster

What
No breach

How much

None

Why

FSA audit – probably as a result of other group breaches

Regulator

FSA

Regulatory action

Monetary penalty – £700,000

Reason for action

Ignored specific and repeated compliance recommendations.
Inadequate risk assessment
Weak controls

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Insurance Brokers Final Notice (via FSA website)

View PDF of the HSBC Insurance Brokers Final Notice (Breachwatch archive)

HSBC Actuaries and Consultants

Posted on 17 July 2009 by BreachMaster

What

Loss of personal data.

How much

1,917

Why

Loss of unencrypted floppy disk in the post

Regulator

FSA

Regulatory action

Monetary penalty – £875,000

Reason for action

Inadequate risk analysis/assessment.
Ignored instructions from HSBC group following Nationwide breach

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Actuaries and Consultants Final Notice (via FSA website)

View PDF of the HSBC Actuaries and Consultants Final Notice (Breachwatch archive)

Repair Management Services Ltd

Posted on 17 July 2009 by BreachMaster

What
Loss of sensitive personal data.

How much
36,800 records.

Why
A unencrypted laptop was stolen from a secure, but unattended, motor vehicle in a public car park.

Regulator
ICO

Reason for action
The laptop was unencrypted despite containing details relating to criminal convictions.

When
17 July 2009

Links
View PDF of the Repair Management Services Ltd Undertaking (Breach Watch Archive)

London Borough of Sutton

Posted on 12 July 2009 by BreachMaster

What
Loss of sensitive personal data.

How much
About 119 records.

Why
Numerous Incidents:

A paper file containing personal data relating to 73 individuals receiving social care went missing from an office.
A document package relating to childcare proceedings was left with the neighbour of an intended recipient and subsequently went missing.
An unencrypted laptop containing personal data to 9 children was stolen from a locked cupboard on a children’s hospital ward.
An unencrypted laptop containg social care data relating to 39 individuals was stolen from the home of an employee of the data controller.
9 administration computers used to access dara in the data controller’s network were stolen, but some files may have been downloaded onto the computer’s hard drives in breach of policy.

Regulator
ICO

Reason for action
The various breaches demonstration a lack of security, both physical and technical. The sheer amount of breaches betrayed an overall organisational weakness.

When
29 July 2009

Links
View PDF of the London Borough of Sutton Undertaking (Breach Watch Archive)

Dr Paul Thomas

Posted on 10 July 2009 by BreachMaster

What
Loss sensitive of personal data.

How much
“A large number” of records.

Why
The Suffolk Primary Care Trust’s Practice server was found in the Gipping Valley Practice car park by one of the data controller’s employees. The Server held data relating to a large number of patients and staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the decommissioning process regarding Practice servers and other such devices has been completed successfully in order to ensure the safety of any personal data.

Reason for action
The decommissioning process did not ensure the security of personal data.

When
10 July 2009

Links
View PDF of the Dr Paul Thomas Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500