Department of Education

Breach details

What Loss of personal information.
How much An unknown number of records.
When 28/29 June 2012
Why The Register reported that Email addresses, unencrypted passwords and individual’s answers to questions posed in a consultation were accesable due to a security flaw in the Department for Education’s website.

BW Comments

Judging by the description in The Register the vulnerability looked like a session management problem. Something that should have been caught be the most rudimentary penetration test.

Regulatory action

Regulator ICO
Action None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated “As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.”

BW Observations

Just because an organisation breaks the DPA the ICO isn’t bound to take action, however BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any web site that collected personal data.

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

West Lancashire Borough Council

What
Loss of personal data

How much
370 records.

Why
A business continuity bag containing emergency response documents and personal data relating to employees was stolen from a locked vehicle belonging to an officer.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the minimum amount of personal data necessary for emergency business is taken off site and that staff are fully training in data protection policy.

Reason for action
The data controller had some relevant guidance in place at the time of the incident, but could have provided clearer written instruction on the secure storage of hard copy personal data off site for emergency.

When
13 July 2012

Links
View PDF of the Lancashire Borough Council Undertaking (Via ICO Website)

View PDF of the Lancashire Borough Council Undertaking (Breach Watch Archive)

Welcome Financial Services Limited

Breach details

What Loss of personal data.
How much Approximately 2 million records.
When 7 November 2011
Why Backup tapes of Shopacheck’s LAN were transported back and forth between the network site and an offsite storage room. On the 23rd of November 2011 it was discovered that two of these tapes, containing personal data, of millions of individuals were missing.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 5 July 2012

Why the regulator acted

Breach of act Unencrypted tapes were lost, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known Data controller was aware of the possible consequences of the tapes going missing, since policies were in place requiring encryption.
Likely to cause damage or distress Financial information of customers.

South Yorkshire Police

What
Loss of personal data

How much
600 records.

Why
Personal data, relating to drug offences by 600 arrested individuals, was accidently included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be training in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offender’s names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.

When
26 June 2012

Links
View PDF of the South Yorkshire Police Undertaking (Via ICO Website)

View PDF of the South Yorkshire Police Undertaking (Breach Watch Archive)

Holroyd Howe Independent Ltd

What

Loss of personal information.

How much

All payment records for the data controller’s employees.

Why

A data processor received a request from one of the data controller’s ex-employees for a copy of one of his payslips. In error, the data processor, which was acting on behalf of the data controller, emailed him a PDF document showing the relevant month’s payslips for all the data controller’s employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s amended policy for the storage and use of personal data and are appropriately trained how to follow that policy. Personal data transmitted over email must be encrypted to a sufficient standard.

Reason for action

In the course of investigation, it emerged that the data controller did not have a formal contract in place governing the processing of personal data by this data processor. It was noted that job-related training was given which included emphasis on confidentiality and sensitivity of data where appropriate, although some improvements were identified in relation to policies and procedures. It was further noted that remedial action taken in response to this incident had been prompt and thorough and that no adverse consequences had resulted.

When

23 May 2012

Links

View PDF of Holroyd Howe Independent Ltd Undertaking (Via ICO Website)

View PDF of Holroyd Howe Independent Ltd Undertaking (Breach Watch Archive)

Safe and Secure Insurances Services Limited

What

Loss of personal data.

How much

Unknown

Why

A hard drive purchased from the Internet contained personal data relating to S&S clients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any redundant hard drives and removable media devices used to store personal data are forensically wiped or completely destroyed before being disposed of or reused. The details of any such items must be logged.

Reason for action

S&S could not confirm how the hard drive had ended up in the public domain. It also transpired that the data controller did not have an adequate data protection policy in place at the time of the incident and further, that it did not have a drive disposal procedure. The data controller did not keep a record of any decommissioned equipment.

When

25 Apr 2012

Links

View PDF of the Safe and Secure Insurances Services Limited Undertaking (ICO Website)

View PDF of the Safe and Secure Insurances Services Limited Undertaking (Breach Watch Archive)

Toshiba Information Systems UK Ltd

What

Loss of personal data.

How much

20 records.

Why

A security fault in an online competition meant that the personal details of individuals who registered could be accessed by user other than the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will obtain sufficient guarantees from the data processor that it will conduct appropriate web application security tests in relation to any web applications  and that compliance with these guarantees are ministered.

Reason for action

It was felt that insufficient security testing had been performed on the web application intended for the competition, despite a written contract being in place between the data controller and data processor.

When

17 Apr 2012

Links

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Via ICO Website)

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Breach Watch Archive)

Zurich Insurance plc

What
Loss of personal data.

How much
6,800 records.

Why

Unencrypted backup tape lost by the data processor.

Regulator
ICO

Regulatory action

Undertaking issued to ensure that where any future movement of backup tapes is required appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractor’s staff and effective controls must be put in place to monitor and report potential or actual data loss activity.

Reason for action

Zurich did not audit data processor (a Group company in South Africa) and relied on group policies procedures and controls rather than managing the outsourced relationship as with a normal data processor.

When
7 March 2010

Links
View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)

Community Integrated Care

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected, but had not been encrypted, However the data controller proposed to improve physical software and implement encryption as a result of the incident.

When

01 March 2012.

Links

View PDF of the Community Integrated Care Undertaking (Via ICO Website)

View PDF of the Community Integrated Care Undertaking (Breach Watch Archive)