Posts Tagged ‘Data Protection Act 1998’

North Somerset Council and Worcestershire County Council pay penalties for data breach

November 29th, 2011

In the post dated Nov 27 we talked about local authorities under ICO’s radar. This is further to that post.

The Information Commissioner’s Office (ICO) has fined North Somerset Council and Worcestershire County Council for ‘serious email errors’. According to the ICO, in both cases staff members sent highly sensitive personal data to the wrong email addresses. The first took place at North Somerset Council in November 2010, when a council employee sent five emails to the wrong NHS employee. Two of these emails contained highly sensitive and confidential information related to a child’s serious case review.

Strangely enough, data was emailed to the same NHS employee three more times! And this was after the council employee had been told about the error. The incidents took place in Nov and Dec last year.

Worcestershire County Council – A Worcestershire County Council employee emailed highly sensitive personal data belonging to a large number of people to 23 wrong email addresses. The employee got in touch with the recipients immediately, asking them to delete the email. These recipients worked for registered organisations and followed the council’s protocols about handling sensitive data.

Information Commissioner Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable.

“It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the e-mail recipients worked in a similar sector and so were used to handling sensitive information.

“This mitigating factor has been taken into account in assessing the amount of the penalties.”

Worcestershire County Council was fined £80,000 for a March 2011 breach and North Somerset Council was fined £60,000 for a serious breach of the Data Protection Act that took place in Dec 2010.

The ICO has the power to fine organisations up to £500,000 for serious data breaches. It is now following up with the Ministry of Justice for more powers to audit local councils’ data protection compliance.

It is the local authorities’ responsibility to protect highly sensitive information related to patients, children, etc. People should be able to sleep well at night knowing their information is safe with the local authorities. But reality shows that is not the case. UK citizens are getting sleepless nights after reading about data breach cases. In order to prevent such breaches, every council must revamp its security policies and train its staff members.

These cases are a wake-up call to all public sector organisations. The ICO has started penalizing councils that have breached the Data Protection Act. If local authorities want to avoid this penalty, they had better get on their toes and act fast. After all, sensitive data of vulnerable people is at stake here and such incidents cannot be taken lightly.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

Fully managed service for your convenience.

Very cost effective service.

Market leading laptop protection service.

Quick and easy implementation.

Easy to use protection.

Transparent solution.

Global 24/7 helpdesk.

100% secure and reliable encryption


Southwark Council faces heat from ICO for data breach

November 23rd, 2011

If you remember, the last blog post talked about a laptop theft incident that occurred years ago but was reported only recently. This post is along the same lines.

Details from the Information Commissioner’s Office (ICO)

Southwark Council failed to manage its paperwork and a computer that contained data of 7,200 individuals when it moved from its site at the Spa Road Complex in December 2009. When the new company moved in, it found this data, which contained addresses, names and information relating to medical history, criminal convictions and ethnicity.

Sally Anne Poole, Acting Head of Enforcement at the ICO, said: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.”

Investigation report

The investigation revealed that this data was unencrypted and that the protocol that was supposed to be followed during the move was not up to the mark. Had this incident taken place recently, Southwark would have been fined by the ICO. Southwark Council had thus breached the Data Protection Act.

According to an Information Commissioner’s Office (ICO) spokesman: “The computer was an old Apple iMac. It had some security features, like password protection, but no encryption. The vast majority of details were on the computer.”

More details emerge

It appears that the unencrypted iMac and other papers were left in the vacant building for two years. The new tenants discovered these documents in June and threw them into a skip.

What is Southwark doing post incident?

The Council is in the process of revamping its data security procedures and is ready to be audited in 2012. It plans to join the other 105 councils, schools, trusts and businesses that have signed undertakings with the Commission since January 2010. The ICO has, in addition, issued three enforcement notices, conducted two prosecutions, and has issued fines to six organisations ranging from £1,000.

A Southwark Council spokesman said: “As soon as this incident was reported to us, we instantly launched an internal investigation and worked closely with all other relevant authorities to ascertain exactly what had happened.

“We treat any reporting of a possible breach of data very seriously indeed. Throughout this issue the council advised and co-operated with the Information Commissioner’s Office and has now put in place a number of measures to improve its handling and storage of personal data.”


Secure your Data with Alertsec

Following essential guidelines is necessary for data security in any organization. This news exemplifies the need for data protection applications. In an incident like this, which highlights the need for data encryption and recovery software, the threat could have been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Unencrypted laptop stolen from Ruth Crawford QC during Holiday

November 21st, 2011

We have written before about laptop theft cases going unreported. In the following case, the laptop was stolen in 2009 but the incident has come to light only now, after 2 years! To top it all, this laptop belonged to a Scottish lawyer, whom we would expect to have been diligent enough to guard clients’ data.

Ruth Crawford QC was on a holiday when her laptop went missing. The laptop contained personal information related to clients who were a part of Ms Crawford’s eight court cases. This data was specifically about the mental and physical health of the clients.

Ms Crawford was lucky that the incident took place in 2009. Had it taken place seven months later, she would have been fined for breaching the Data Protection Act, as that was when the ICO was given new powers to impose fines of up to £500,000.

As of today Ms Crawford has signed an undertaking that says she is going to encrypt all her portable devices and secure them properly. These are the exact words of the undertaking: “The theft occurred while the data controller (Ms Crawford) was on holiday, having left plumbers to fit a new boiler at her home. The data controller provided the plumbers with keys and the code to her alarm. She highlighted the importance of keeping her front door locked and of activating the alarm when leaving the house.

“Upon returning from holiday on September 3 2009, the data controller discovered that the laptop and a purse were missing from her study. She subsequently reported the matter to the police. The commissioner has noted that physical security measures were in place at the time of the incident but that there was insufficient technical security employed on the laptop to protect the data.”

According to Ken Macdonald, Assistant Commissioner for Scotland: “The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.”

“As this incident took place before the 6 April 2010, the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000, it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Alertsec is a data encryption service company. Organisations, big or small, must have encryption in place. Individuals who work independently or are not covered by an organisation can also use self-encrypting drives. Alertsec helps with the installation, and the cost of this encryption service is negligible compared with the hassle, cost and embarrassment of a breach.

Massive Data Breach at University of York

March 21st, 2011

The University of York (informally York University, occasionally abbreviated as Ebor. for post-nominals) is an academic institution located in the city of York, England. Established in 1963, the campus university has expanded to more than thirty departments and centres, covering a wide range of subjects.

The same university has now pleaded guilty to a massive data breach involving the publication of the personal details of over 17,000 students, including their cellphone numbers, dates of birth and qualification scores from previous examinations.

The breach, which happened in the first week of March, has also been reported to the UK data protection registrar, the Information Commissioner’s Office (ICO). As part of its preventive measures, the university has already apologised for the data breach and is also reviewing its security system.

So what exactly happened?

From the moment the breach happened, the confidential information of students was exposed to public visitors of the university website. This meant that anyone could access over 17,000 records of all university staff, faculty members and registered students. This happened because the page was not secured with a password protection mechanism, thereby providing easy and open access to the data.

What is all the more concerning is that, apart from the students, their emergency contacts’ information was also exposed, thereby indicating that the breach was not limited to the students.

University Registrar Dr David Duncan issued a statement which said: “We are also investigating all procedures and management systems and will undertake a thorough review of our data security arrangements. The Information Commissioner has been informed. I would like to apologise to everyone who has been affected by this breach.” David Duncan added, “We will contact these individuals over the next 24 hours to inform them and to discuss this matter”.

The data breach was first discovered by the university’s student-run newspaper.

The Information Commissioner’s Office (ICO) is conducting enquiries into the data breach incident at University of York.

An ICO spokesperson said, “We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken”.

If found guilty, the university could face punishment from the ICO. The Information Commissioner’s Office has the power to fine any organisation up to £500,000 if it finds that organisation guilty of breaching the Act.

Secure your Data with Alertsec

Worried by the above incident and think you could also be a potential victim? To avoid such incidents, following essential guidelines is necessary for data security in any organization. In an incident like this, which highlights the need for data encryption and recovery software, the threat could have been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data.

Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


Major Data Breach at Britain’s Identity and Passport Services

March 3rd, 2011

Keeping sensitive data secure is an ongoing problem for organizations. Hacking of such information is an emerging issue and has become common nowadays. Security threats are increasingly focused on where the organization keeps its data and how to break its data security. This time Britain’s Identity and Passport Service (IPS) is involved in a major data breach. 21 passport renewal applications went missing from Britain’s Identity and Passport Office and it is still not confirmed how the documents were lost. Neither the commissioner nor the IPS has confirmed how the documents went missing.

Information Commissioner’s Office

The Identity and Passport Service has breached the country’s Data Protection Act and has been reprimanded by the Information Commissioner’s Office (ICO) for losing the applications. The ICO said that the documents were lost in May 2010 and all affected individuals were informed. The lost documents included personal data of both the applicants and the counter-signatories.

Mick Gorrill, head of enforcement at the ICO said, “A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost”.

For a fine to be levied, the breach must either have been deliberate or the data controller must have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it. The ICO gained the additional power to levy fines in April 2010. Since then the ICO has fined a total of four organizations, and it has the authority to fine up to £500,000 for the most serious breaches.

Identity and Passport Service Response

There was no evidence to suggest that the applications have fallen into the wrong hands, but the Identity and Passport Service is taking steps to stop this happening again and has signed an undertaking to improve its data storage procedures and policies.

According to a spokesman for the Identity and Passport Service, “IPS takes the security of its customer data extremely seriously. Following the loss of details relating to 21 passport applications in May 2010, IPS took immediate action to cancel the application information. We are confident that customers were not subject to any risk of identity fraud”.

IPS agreed to regular audits and inspections of its procedures, and an internal security review has been carried out since the lapse in data security. During the past five years IPS has safely handled more than 25 million passport applications, but it has significantly tightened its processes to prevent such an incident happening again.

A simple mistake or carelessness can cost substantial amounts of money and data loss. There is a need for organizations to use data encryption software or other data protection measures for the security of sensitive information.
