Think W3 Limited

Breach details

What A malicious hacker was able to access significant amounts of customer data, including credit card details, after targeting Think W3 Limited’s website.
How much 1,163,996 records containing credit or debit card details, of which 430,599 were current.
When 21 December 2012.
Why A system intended for internal purposes was installed on the same web server as the business's e-commerce application containing customer data. In order to facilitate working from home, this service could be accessed via a login page on a non-customer-facing website which was publicly available over the internet. The login page was not secure due to a coding error that was missed, as no security testing had been done on the basis that this page was not public facing. The hacker was able to exploit this vulnerability and gain administrative access to all the data on the web server.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 23 July 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Think W3 Limited failed to take appropriate technical measures to ensure the security of personal data, predominantly through failing to undertake suitable security testing, due to a failure to understand the extent to which the web server could be accessed via the internet, or to meet PCI DSS compliance requirements.
Known or should have known By 2011 Think W3 Limited were aware of a number of issues with its PCI DSS compliance, causing them to review their security practices. However, they were slow in implementing improvements, despite being aware of the risk of contravention.
Likely to cause damage or distress Although CVV2 / CVC2 values were not obtained, the data obtained was clearly of interest to the attacker, due to the targeted nature of the attack, and could be used for fraudulent purposes. The data subjects would rightly be distressed to learn that their data had been accessed by a malicious third party.

Derbyshire, Leicestershire and Nottinghamshire Police Forces

Breach details

What The theft of laptops containing sensitive personal data including prison records and offender details.
How much Approximately 4,500 records held on eight laptops.
When 14 August 2010.
Why These police forces were part of the East Midlands Collaboration Unit (EMCU), whose offices were burgled in August 2010. Eight laptops belonging to seconded officers were stolen; they had not been stored in available lockable containers and two were unencrypted. Derbyshire and Leicestershire Police had not undertaken their own risk assessments and relied on the security measures of Nottinghamshire Police. However, those measures did not specify that laptops should be encrypted and made no provision for locking them in containers, and the offices were not monitored during this period.

Regulatory action

Regulator ICO
Action Enforcement Notice issued to limit the sharing of personal data.
When 18 June 2013
Details These police forces shall only share personal data as part of a collaborative project if a Senior Information Risk Owner has been appointed to oversee the work and risk assess the premises; laptops and other portable electronic security devices are encrypted; and all officers involved in the project are given appropriate training. These measures should be implemented within 35 days.

Sony Computer Entertainment Europe

Breach details

What Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much Redacted. Information Week stated 77 million records.
When Detected 19 April 2011
Why In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony PlayStation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

  1. Patch systems regularly.
  2. Run regular external vulnerability scans against systems.

Regulatory action

Regulator ICO
Action Monetary penalty of £250,000
When 14 January 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Network Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known Various Sony online networks had previously been the subjects of attacks from hacktivist organisations.
Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations


A lack of basic security practices, shown by poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5), is sufficient to justify an MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised; however, it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customers’ accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However, it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It was reported that Sony intended to appeal the MPN to the Information Tribunal; although an appeal was initially launched, it was later withdrawn.

Welcome Financial Services Limited

Breach details

What Loss of personal data.
How much Approximately 2 million records.
When 7 November 2011
Why Backup tapes of Shopacheck’s LAN were transported back and forth between the network site and an offsite storage room. On the 23rd of November 2011 it was discovered that two of these tapes, containing personal data of millions of individuals, were missing.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 5 July 2012

Why the regulator acted

Breach of act Unencrypted tapes were lost, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known Data controller was aware of the possible consequences of the tapes going missing, since policies were in place requiring encryption.
Likely to cause damage or distress Financial information of customers.

Belfast Health and Social Care Trust

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physical records there on the internet. Despite security upgrades following this incident, intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Brighton and Sussex University Hospitals NHS Trust

Breach details

What Loss of sensitive personal information.
How much 79,000 records.
When March 2008
Why Initially four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken, there were insufficient records taken to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator ICO
Action Monetary penalty of £325,000
When 1 June 2012

Why the regulator acted

Breach of act Failure to select a data processor able to provide guarantees of technical security – loss of hard drives.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress Medical Data of Patients.

Brecon Beacons National Park Authority

What

Unauthorised disclosure of personal data.

How much

Two incidents.

Why

On the first occasion personal data of relatively low sensitivity held in local development plan consultation comment forms was disclosed. On the second occasion planning application documents were published on a website, containing personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate security measures are put in place to prevent unauthorised access to personal data from the data controller’s website.

Reason for action

It was felt that insufficient care was taken to prevent the disclosure of personal details such as telephone numbers and email addresses.

When

18 Apr 2012

Toshiba Information Systems UK Ltd

What

Loss of personal data.

How much

20 records.

Why

A security fault in an online competition meant that the personal details of individuals who registered could be accessed by users other than the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will obtain sufficient guarantees from the data processor that it will conduct appropriate web application security tests in relation to any web applications and that compliance with these guarantees is monitored.

Reason for action

It was felt that insufficient security testing had been performed on the web application intended for the competition, despite a written contract being in place between the data controller and data processor.

When

17 Apr 2012

Worcestershire County Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much “A large number” of records.
When Unknown
Why A member of staff accidentally clicked on an additional contact list while sending out an email intended for internal use and so two spreadsheets containing sensitive personal information were sent to 23 registered care providers.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000
When 28 November 2011

Why the regulator acted

Breach of act Staff were not provided with sufficient training and internal and external email distribution lists were not clearly differentiated.
Inappropriate organisational and technical measures.
Known or should have known Employees routinely dealt with confidential and sensitive personal data and managers should have realised the potential for human error when selecting email lists.
Likely to cause damage or distress Details of vulnerable young adults.

North Somerset Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidentally sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.