Posts Tagged ‘Data Protection Act 1998’

UK mobile phone operator O2 suffers data breach

January 30th, 2012

Every data breach is a wake-up call for all of us using the Internet. We just assume our data is safe but how about thinking twice before posting private information on the world wide web? There are technical things which we, laymen, do not understand. Our information gets leaked to third parties and we don’t even know about it. Guess what, every time you visit a site, your phone number is getting leaked through your mobile service provider!

The O2 Scandal

Customers of O2, the European mobile network, suffered a data breach as their phone numbers were exposed to web sites visited from their smartphones. Unfortunately the security breach went on for two weeks before it was fixed on Jan 25.

Mobile customers in the United Kingdom started tweeting Wednesday morning about the breach after mobile developer Lewis Peckover found out about a security loophole in devices carried by European mobile network O2. It appeared that after O2 had performed its routine maintenance on its network this month, some users’ mobile phones started sending their owners’ phone numbers to web sites that were visited using mobile browsers through a 3G/WAP connection. Fortunately those who used Wi-Fi were saved from this ordeal.

This post shows that customer privacy is at stake. The breached phone numbers could be used for SMS spam or for hacking purposes. They are a treat for hackers and just waiting to be exploited!

The mobile device security industry is going through a bad phase. Just last April, Apple iPhones (running iOS 3.2 and above) had a flaw that logged users’ location data in unencrypted files stored on the phones themselves. Customers were at their wits’ end when they heard this and there was chaos in the mobile industry. As if that was not enough, just last month, phone-monitoring software maker Carrier IQ admitted that its data-tracking program was already installed on all its phones across the country!

Comment by O2

O2 issued a statement last Wednesday and explained that the issue had been fixed.

“In between the 10th of January and 1400 Wednesday 25th of January…there has been the potential for disclosure of customers’ mobile phone numbers to further website owners,” O2’s statement read. “It was fixed as of 1400 on Wednesday 25th January 2012.”

The Information Commissioner’s Office (ICO), the public U.K. body that enforces and oversees activity pertaining to the Data Protection Act of 1998, is presently looking into this matter.

“When people visit a website via their mobile phone they would not expect their number to be made available to that website,” the ICO said in a statement issued Wednesday. “We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”

Update from O2

According to O2, it regularly gives subscribers’ phone numbers to web-sites that offer age-restricted information and premium-rate billing without the user’s knowledge.

Apparently the company has been providing user phone numbers to web-sites that are browsed by millions of users from their phones using the 3G network. This has been happening since Jan 10. Obviously the site owners are having a ball with this piece of information.

What should a common man do to avoid such a pitfall?

Always read the terms and conditions of any mobile service that you choose to use. Better to be safe than sorry!

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to the laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers a laptop encryption service to secure your data.

Organisations are now being made aware of their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

Powys County Council to pay £130,000 fine to ICO for data breach

December 9th, 2011

The last few posts mentioned fines being imposed on councils that have breached the Data Protection Act. But this post breaks all records. It talks about how Powys County Council was asked to pay a fine of £130,000 to the ICO for a data breach. This is the biggest fine ever!

The ICO’s office was given powers to impose fines on organisations responsible for data breaches in April 2010. Assistant Commissioner for Wales Anne Jones says: “There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”

The strange part is that Powys County Council had earlier breached this act twice but had not gotten caught. But this time luck was against the organization and it is expected to pay a hefty fine. Here is the ICO’s statement regarding the earlier data breaches: “Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.”

The first incident was written off as a ‘once in a blue moon’ error but then a second one occurred where a social worker sent data about another child to the same member of the public who was also familiar with the child.

Anne Jones further added: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO had given a warning to the council to revamp its security policies or be ready to face consequences. Not much has changed in terms of security, as the latest breach makes all too clear. Now the ICO has threatened to take the council to court if it does not get back on its feet and beef up its security measures. The ICO has further made it compulsory for the council to train its staff on how to follow the council’s guidance on the handling of personal data by 31 March 2012, along with refresher training provided every three years.

Alertsec to the rescue

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

North Somerset Council and Worcestershire County Council pay penalties for data breach

November 29th, 2011

In the post dated Nov 27 we talked about local authorities under the ICO’s radar. This is further to that post.

The Information Commissioner’s Office (ICO) has fined the North Somerset Council and Worcestershire County Council for ‘serious email errors’. According to the ICO, in both cases staff members sent highly sensitive personal data to the wrong email addresses. The first took place at North Somerset Council in November 2010 when a council employee sent five emails to the wrong NHS employee. Two of these emails had highly sensitive and confidential information related to a child’s serious case review.

Strangely enough, data was emailed to the same NHS employee three more times! And this was after the council employee had been told about the error. The incidents took place in Nov and Dec last year.

At Worcestershire County Council, an employee emailed highly sensitive personal data belonging to a large number of people to 23 wrong email addresses. The employee got in touch with the recipients immediately, asking them to delete the email. These recipients worked for registered organisations and followed the council’s protocols about handling sensitive data.

Information Commissioner Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable.

“It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the e-mail recipients worked in a similar sector and so were used to handling sensitive information.

“This mitigating factor has been taken into account in assessing the amount of the penalties.”

The Worcestershire County Council was fined £80,000 for a March 2011 breach and the North Somerset Council was fined £60,000 for a serious breach of the Data Protection Act that took place in Dec 2010.

The ICO has the power to fine organisations up to £500,000 for serious data breaches. It is now following up with the Ministry of Justice for more powers to audit local councils’ data protection compliance.

It is the local authorities’ responsibility to protect highly sensitive information related to patients, kids, etc. The common man must be able to sleep well at night thinking his information is safe with the local authorities. But reality shows that is not the case. UK citizens are getting sleepless nights after reading about data breach cases. In order to prevent such data thefts, every council must revamp its security policies and train its staff members.

These cases are a wake-up call to all public sector organisations. The ICO has started penalizing councils that have breached the Data Protection Act. If local authorities want to avoid this penalty, they had better get on their toes and act fast. After all, sensitive data of vulnerable people is at stake here and such incidents cannot be taken lightly.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

Fully managed service for your convenience.

Very cost effective service.

Market leading laptop protection service.

Quick and easy implementation.

Easy to use protection.

Transparent solution.

Global 24/7 helpdesk.

100% secure and reliable encryption

Southwark Council faces heat from ICO for data breach

November 23rd, 2011

If you remember, the last blog post talked about a laptop theft incident that occurred years ago but was reported only recently. This post is along the same lines.

Details from the Information Commissioner’s Office (ICO)

The Southwark council failed to manage its paperwork and a computer that contained data of 7,200 individuals when it moved from its site at the Spa Road Complex in December 2009. When the new company moved in, it found this data that contained addresses, names and information relating to medical history, criminal convictions and ethnicity.

Sally Anne Poole, Acting Head of Enforcement at the ICO, said: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.”

Investigation report

The investigation revealed that this data was unencrypted and that the protocol supposed to be followed while moving was not up to the mark. Had this incident taken place recently, Southwark would have been fined by the ICO. Thus Southwark Council had breached the Data Protection Act.

According to an Information Commissioner’s Office (ICO) spokesman: “The computer was an old Apple iMac. It had some security features, like password protection, but no encryption. The vast majority of details were on the computer.”

More details emerge

It appears that the unencrypted iMac and other papers were left in the vacant building for two years. The new tenants discovered these documents in June and threw them into a skip.

What is Southwark doing post incident?

The Council is in the process of revamping its data security procedures and is ready to be audited in 2012. It plans to join the other 105 councils, schools, trusts and businesses that have signed undertakings with the Commission since January 2010. The ICO has, in addition, issued three enforcement notices, conducted two prosecutions, and has issued fines to six organisations ranging from £1,000.

A Southwark Council spokesman said: “As soon as this incident was reported to us, we instantly launched an internal investigation and worked closely with all other relevant authorities to ascertain exactly what had happened.

“We treat any reporting of a possible breach of data very seriously indeed. Throughout this issue the council advised and co-operated with the Information Commissioner’s Office and has now put in place a number of measures to improve its handling and storage of personal data.”

Secure your Data with Alertsec

Following the essential guidelines is necessary for data security in any organization. This news exemplifies the need for data protection applications. In an incident which highlights the need for data encryption software and recovery software, the threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Unencrypted laptop stolen from Ruth Crawford QC during Holiday

November 21st, 2011

We have mentioned before that laptop theft cases go unreported. In the following case the laptop was stolen in 2009 but the incident came to light only now, after 2 years! To top it all, this laptop belonged to a Scottish lawyer, whom we would expect to be diligent enough to guard clients’ data.

Ruth Crawford QC was on holiday when her laptop went missing. The laptop contained personal information related to clients who were a part of Ms Crawford’s eight court cases. This data was specifically about the mental and physical health of the clients.

Ms Crawford was lucky that the incident took place in 2009. Had it taken place seven months later, she would have been fined for breaching the Data Protection Act as that was when the ICO was given new powers to impose fines of up to £500,000.

As of today Ms Crawford has signed an undertaking that says she is going to encrypt all her portable devices and secure them properly. These are the exact words of the undertaking: “The theft occurred while the data controller (Ms Crawford) was on holiday, having left plumbers to fit a new boiler at her home. The data controller provided the plumbers with keys and the code to her alarm. She highlighted the importance of keeping her front door locked and of activating the alarm when leaving the house.

“Upon returning from holiday on September 3 2009, the data controller discovered that the laptop and a purse were missing from her study. She subsequently reported the matter to the police. The commissioner has noted that physical security measures were in place at the time of the incident but that there was insufficient technical security employed on the laptop to protect the data.”

According to Ken Macdonald, Assistant Commissioner for Scotland: “The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.”

“As this incident took place before the 6 April 2010, the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000, it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Alertsec is a data encryption service company. Organisations, be they big or small, must have encryption in place. An individual who works independently or is not covered by an organisation can also use self-encrypted drives. Alertsec helps with the installation, and the cost of this encryption service is negligible compared with the hassle, cost and embarrassment.
