Ministry of Justice

Breach details

What An unencrypted, non-password protected, portable hard drive stored in a prison’s Security Department and used to back up the prisoner intelligence database, was lost. This followed a virtually identical breach in 2011.
How much 16,000 records and 2,935 records.
When October 2011 and 24 May 2013.
Why The hard drive had last been used on 18 May 2013 for the weekly back up, but had not been locked up afterwards in a fireproof safe, as required. Following the previous breach in 2011 remedial action had been taken including the distribution of encrypted hard drives to 75 prisons that had previously been using unencrypted portable hard drives. However it was not realised that the encryption software on these new drives required manual activation. As a result prisoner intelligence information was being held on portable unencrypted devices in 75 prisons for a period of at least 12 months.

Regulatory action

Regulator ICO
Action Monetary penalty of £180,000
When 26 August 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: The Ministry failed to take appropriate technical measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as taking steps to ensure that the portable hard drives that were used to back up the prisoner intelligence database in 75 prisons had actually been encrypted.
Known or should have known The Ministry was aware that prisons across the entire estate were backing up this information on a weekly basis pending the implementation of a new intelligence system. As a result of a virtually identical security breach in October 2011, the data controller was also aware that the portable hard drives used to back up this intelligence information in 75 prisons were unencrypted. As it was routine to handle sensitive personal data relating to prisoners it should have been obvious that such a contravention would be of a kind likely to cause substantial damage and/or substantial distress to the data subjects
Likely to cause damage or distress This scale of the breach posed a significant risk of causing serious detriment to thousands of prisoners in England and Wales. The data subjects would be likely to suffer from substantial distress knowing that their confidential and sensitive personal data may be accessed by unauthorised third parties, aggravated by the fact that the hard drive has still not been recovered. If the data has in fact been accessed by untrustworthy third parties then it is likely that the contravention would cause further distress and substantial damage.

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, and Panasonic’s comprehensive data protection policies that would have prevented this breach were therefore not automatically applied. However, it appears that these policies were not communicated to the company and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in case was stolen from the proprietor’s car when it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.

Sony Computer Entertainment Europe

Breach details

What Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much Redacted. Information Week stated 77 million records.
When Detected 19 April 2011
Why In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony Playstation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

  1. Patch systems regularly.
  2. Run regular external vulnerability scans against systems.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 250,000
When 14 January 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Newwork Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known Various Sony online networks had previously been the subjects of attacks from hacktivist organisations.
Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations


A lack of basic security practices such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5) are sufficient to justify a MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised, however it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customer’s accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It has been reported that Sony intends to appeal the MPN to the Information Tribunal and although an appeal was initially launched, this was later withdrawn.

Prospect

Breach details

What Loss of sensitive personal information (Union membership).
How much About 19,000 records.
When 08 Dec 2011
Why Two files containing member data were sent as part of a tendering process to an unknown email address in error. The files were encrypted but the password was also sent seperately to the same address.

BW Comments

This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised, not only does it increase the risk of breaching the seventh principle, but it will also breach the first and second principles; although interestingly the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as the key (password) management – passwords should always be sent at a minimum by a separate channel.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 16 Jan 2013
Details The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data.

BW Observations

Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO obviously decided that an undertaking was more appropriate given the potential harm that could result.

Dacorum Borough Council

What

Loss of sensitive personal data.Loss of sensitive personal data.

How much

1,000 records.

Why

An unencrypted hard drive was stolen from an adventure playground following a burglary. It contained registration documents relating to about 1000 children who have attended the playground.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data. Personal data must not be retained any longer than relevant and must be disposed of in a secure manner once no longer needed.

Reason for action

The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The previous password protection had been removed when a member of staff left the Council and was not restored. It was also revealed that no annual review of the database had been performed, resulting is registration documents not being deleted in line with the Council’s retention policy.

When

10 February 2012.

Links

View PDF of the Dacorum Borough Council Undertaking (Via ICO Website)

View PDF of the Dacorum Borough Council Undertaking (Breach Watch Archive)

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally email to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, included the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Bay House School

What

Loss of sensitive personal data.

How much

20,000 records.

Why

Malicious website intrusion.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that encryption is used, annual penetration tests are performed and password policies are updated to ensure security.

Reason for action

A member of staff was using the same password for the school’s website and management systems, allowing the attackers, including at least one pupil, with the system administration information required to attack the system.

When

08 August 2011.

Links

View PDF of the Bay House School Undertaking (Via ICO Website)

View PDF of the Bay House School Undertaking (Breach Watch Archive)

HCA international Limited

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from one of the group’s hospitals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient standard encryption is used and physical security is upgraded.

Reason for action

  • Laptop containing the data was unencrypted.
  • Physical security of the laptop was deemed insufficient to prevent theft.

When

05 August 2011.

Links

View PDF of the HCA International Limited Undertaking (Via ICO Website)

View PDF of the HCA International Limited Undertaking (Breach Watch Archive)

Forth Valley NHS Board

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted and non-password protected memory stick containing sensitive personal data was handing in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the Newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)