Log in

Posts Tagged ‘ICO’

ICO issues Midlothian Council record fine of £140,000 for disclosing sensitive personal data

February 4th, 2012

Midlothian Council pays hefty fine for data breach

ICO is leaving no stone un-turned to punish data breach culprits. It is levying fines to those who compromised private data, especially children’s sensitive data.

Recently the council fined the Midlothian Council a record fine of £140,000 for disclosing sensitive child data. And we are not talking here about just one breach. There were 5 breaches between Jan and June 2011.

The case in detail

Breach 1 – This happened when documents related to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see this data.

This particular incident took place in January 2011 and details came to light only in March when the council started to investigate. In spite of the investigation similar incidents took place in May and June.

Breach 2 – Minutes of a child protection conference were sent by mistake to the former address of the mother’s partner, where they were opened and read by an unauthorized individual. The documents contained personal data about the mother, who made a complaint to her social worker about this case.

Assistant Commissioner for Scotland Ken Macdonald said “the serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.’

“I hope this penalty acts as a reminder to all organizations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

He further added that information about children’s care, details about their health and wellbeing, is the most sensitive information that is held by local authorities. It goes without saying that this information has to be protected and that strict policies are to be chalked out and followed.

The ICO’s investigation

According to the ICO all five breaches could have been avoided if the council had been strict about protection policies, training and had put checks in place. It has further ordered the council to take action to keep the personal data secure.

Since the incidents the council has recovered all of the information that was sent to the wrong recipients and is updating its security policies.

What the the ICO chiefly wants is that the government should give itstronger powers to audit local councils’ data protection compliance, if necessary without consent.

NHS bodies across the UK want the same kind of powers in light of the recent data protection breaches.

Midlothian Council comments:

Colin Anderson, chief social work officer for Midlothian Council, commented: “As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry.

“The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the information commissioner. I must emphasise that there is no evidence that anyone was put at risk.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

Fully managed service for your convenience.
Very cost effective service.
Market leading laptop protection service.
Quick and easy implementation.
Easy to use protection.
Transparent solution.
Global 24/7 helpdesk.
100% secure and reliable encryption

No comments »

Posted in Computer security, Data Protection, Encryption, Identity and Information loss, computer security software, data breach, data encryption, identity theft

Tags: AlertSec Xpress BigPond business Check Point data breach data security ICO Information privacy Ken Macdonald Midlothian Council Personally identifiable information Social Security number Telstra Theft

UK mobile phone operator O2 suffers data breach

January 30th, 2012

Every data breach is a wake-up call for all of us using the Internet. We just assume our data is safe but how about thinking twice before posting private information on the world wide web? There are technical things which we, laymen, do not understand. Our information gets leaked to third parties and we don’t even know about it. Guess what, every time you visit a site, your phone number is getting leaked through your mobile service provider!

The O2 Scandal

Customers of O2, the European mobile network, suffered a data breach as their phone numbers were exposed to web sites visited from their smartphones. Unfortunately the security breach went on for two weeks before it was fixed on Jan 25.

Mobile customers in the United Kingdom started tweeting Wednesday morning about the breach after mobile developer Lewis Peckover found out about a security loophole in devices carried by European mobile network O2. It appeared that after O2 had performed its routine maintenance on its network this month, some users’ mobile phones started sending their owners’ phone numbers to web sites that were visited using mobile browsers through a 3G/WAP connection. Fortunately those who used Wi-Fi were saved from this ordeal.

This post shows that customer privacy is at stake. The breached phone numbers could be used for SMS spam or for hacking purpose. They are a treat for hackers and just waiting to be exploited!

The mobile device security industry is going through a bad phase. Just last April, Apple iPhones (running iOS 3.2 and above) had a flaw wherein the bug logged users’ location data in unencrypted files stored on the phones themselves. Customers were at their wits end when they heard this and there was chaos in the mobile industry. As if that was not enough, just last month, phone-monitoring software maker Carrier IQ admitted that its data-tracking program was already installed on all its phones across the country!.

Comment by O2

O2 issued a statement last Wednesday and explained that the issue has been fixed.

“In between the 10th of January and 1400 Wednesday 25th of January…there has been the potential for disclosure of customers’ mobile phone numbers to further website owners,” O2′s statement read. “It was fixed as of 1400 on Wednesday 25th January 2012.”

The office of the Information Commissioner (The ICO is a public U.K. body that enforces and oversees activity pertaining to the Data Protection Act of 1998) is looking into this matter presently.

“When people visit a website via their mobile phone they would not expect their number to be made available to that website,” the ICO said in a statement issued Wednesday. “We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”

Update from O2

According to O2, it regularly gives subscriber’s phone numbers to web-sites that offer age-restricted information and premium-rate billing without the user’s knowledge.

Apparently the company has been providing user phone numbers to web-sites that are browsed by millions of users from their phones using the 3G network. This has been happening since Jan 10. Obviously the site owners are having a ball with this piece of information.

What should a common man do to avoid such a pitfall?

Always read the terms and conditions of any mobile service that you choose to use. Better to be safe than sorry!

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers laptop encryption service to secure your data.

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress

O2, the mobile phone service provider, suffers data breach

is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

No comments »

Posted in Computer security, Data Protection, Uncategorized, computer security software, data breach, data encryption

Tags: AlertSec Xpress Business and Economy Carrier IQ Cellular network data breach Data Protection Act 1998 data security disk encryption ICO Information Commissioner Information Commissioners Office Information privacy IPhone Personal computer Ponemon Institute Telecommunications Telephone number Wednesday

ICO wants to maintain location privacy so that data is not misused

December 13th, 2011

Most of our posts have been concentrating on data breach and laptop theft. This one talks in particular about strengthening data security laws which is the need of the hour, especially for private firms.

The recently held conference called ‘A fine balance 2011: location and cyber privacy in the digital age’ focused on maintaining data privacy just when smart phones, credit cards and other devices are tracking user locations.

Here is what Jonathan Bamford, the head of strategic liaison from the Information Commissioner’s Office (ICO), had to say”"We need to inspire public trust into the way information is issued. What do we do as a regulatory option?” “There is no doubt that human activities have a geographic component and some may be more sensitive than others. Your phone is with you all the time so anything that relates to a smartphone can be very powerful in terms of how I live my life.”

It si very important to manage location data carefully, especially those who develop operating systems and applications. Bamford further adds”"People who develop applications have a series of obligations as do those who create the operating systems. Everybody has a role to play.” “If location data is obtained how long do you retain it for? You can build up a picture of how I live my life if you retain it too long.”

Bamford also explained ICO’s role in data security, especially in terms of audit inspections of govt organizations. Currently the general public is under the impression that the information that they fill up on any website is completely secure. They need to carry this impression for long hence data security is of utmost importance. The people also need to know exactly what is being done about their data and where it is sent. This is where location based services come in. All advertisers want your zip code. A zip code allows a advertiser/provider to get more insight into your life. Companies are getting closer to you with technologies like iPhone.

It is time that the ICO keeps a tab over private sector as well. These private companies are using location based services and getting private data of customers. There is a very high chance of this data getting misused. Currently the ICO can only monitor govt bodies. Companies like Facebook, Google and Groupon are a potential threat to privacy. To add oil to the fire, the development of IPv6 networks could be even more threatening as it will be able to access more private data.

According to Richard Hollis, US group of Info systems audit and control association “As we match the physical world to the virtual world, by placing items such as fridges or even your car keys on the internet, firms could have even more access to your data, your location and your life”.

Use Alertsec

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Use Alertsec
Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.
Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption

ICO wants to inspect private firms for data security issues

.

No comments »

Posted in Computer security, Lawsuits and settlements, computer security software, data breach

Tags: Check Point Credit card data breach data security disk encryption ICO Information Commissioner Information Commissioners Office Information privacy IPhone Operating system privacy Richard Hollis security

Powys County Council to pay £130,000 fine to ICO for data breach

December 9th, 2011

Powys County Council in deep waters over data breach

Last few posts mentioned about fines being imposed on councils who have breached the data protection act. But this post breaks all records. It talks about how Powys County council was asked to pay a fine of £130,000 to ICO for data breach. This is the biggest fine ever!

The ICO’s office was conferred powers to impose fine on data breaching organizations on April 2010. Assistant Commissioner for Wales Anne Jones says”There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,”.

The strange part is that Powys County Council had earlier breached this act twice but had not gotten caught. But this time luck was against the organization and it is expected to pay a hefty fine. Here is the ICO’s statement regarding the earlier data breaches “Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.”

The first incident was written off as an ‘once in a blue moon’ error but then a second one occured where a social worker sent data about another child to the same member of the public who was also familiar with the child.

Ann Jones further added”This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO had given an warning to the council to revamp its security policies or be ready to face consequences. Not much has changed in terms of security, the latest breach makes that all too clear. Now the ICO has threatened to take the council to court if it does not get back on its feet and beef up its security measures. The ICO has further made it compulsory for the counil to train its staff on how to follow the council’s guidance on the handling of personal data by 31 March 2012, along with refresher training provided every three years.

Alertsec to the rescue

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

No comments »

Posted in Computer security, Data Protection, Identity and Information loss, Lawsuits and settlements, computer security software, data breach, data encryption, identity theft

Tags: Assistant Commissioner Check Point Child protection data breach Data Protection Act 1998 ICO Information Commissioners Office Information privacy Member of parliament Personal computer Powys Powys County Council

North Somerset Council and Worcestershire County Council pay penalties for data breach

November 29th, 2011

In the post dated Nov 27 we talked about local authorities under ICO’s radar. This is further to that post.

The Information Commissioner’s Office (ICO) has fined the North Somerset Council and Worcestershire County Council for ‘serious email errors’. According to the ICO in both the cases, the staff members sent highly sensitive personal data to the wrong email addresses. The first took place at North Somerset Council in November 2010 when a council employee sent five emails to the wrong NHS employee. Two of these emails had highly sensitive and confidential information related to a child’s serious case review.

Strangely enough, data was emailed to the same NHS employee three times again! And this was after the council employee was communicated about the error. The incidents took place in Nov and Dec last year.

The Worcestershire County Council – The Worcestershire County Council employee emailed highly sensitive personal data belonging to a large number of people to 23 wrong email addresses. The employee got in touch with the receipients immediately notifying them about deleting the email. These recipients worked for registered organisations and followed the council’s protocols about handling sensitive data.

Information Commissioner Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable.

“It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the e-mail recipients worked in a similar sector and so were used to handling sensitive information.

“This mitigating factor has been taken into account in assessing the amount of the penalties.”

The Worcestershire County Council was fined £80,000 penalty for a March 2011 breach and the North Somerset Council was fined £60,000 fine for a serious breach of the Data Protection Act that took place in Dec 2010.

The ICO has the power to fine organisations up to £500,000 for serious data breaches. It is now following up with the Ministry of Justice for more powers that can audit local councils’ data protection compliance.

It is the local authorities responsibility to protect highly sensitive information related to patients, kids, etc. The common man must sleep well at night thinking its information is safe with the local authorities. But realities shows that is not the case. UK citizens are getting sleepless nights after reading data breach cases. In order to prevent such data thefts, every council must revamp its security policies and train its staff members.

These cases are a wake-up call to all public sector organisations. The ICO has started penalizing councils who have breached the data protection act. If local authorities want to avoid this penalty, they better get back on their toes and act fast. After all sensitive data of vulnerable people is at stake here and such incidents cannot be taken lightly.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.

• Very cost effective service.

• Market leading laptop protection service.

• Quick and easy implementation.

• Easy to use protection.

• Transparent solution.

• Global 24/7 helpdesk.

• 100% secure and reliable encryption