Posts Tagged ‘organization’

ACS: Law Fined over Data Breach

May 25th, 2011

Data breach is one of the most dangerous criminal offenses in internet and computer law. According to the ICO, every organization should encrypt its data so that an unknown person cannot access it. The law says that the data stored on the computers and mobile data storage devices of every organization must be encrypted, because these are the main targets of hackers. Because most of the data contains personal details, if anybody hacks the data, or it is lost through someone's fault, the organization will suffer, as the hacker can misuse it for his own benefit.

Although every organization is aware of the effect of data loss and the importance of data encryption, most of them neglect it. According to modern research, the negligence towards data encryption mainly happens due to the lack of commitment of the ICO. In most cases it has been found that the ICO released the accused person or organization by imposing just a minimum fine, whereas the actual amount of the fine is very high.

Recently Andrew Crossley, the controversial solicitor, has been accused of data breach. It has been found that he and his organization were sharing files illegally. However, the information security world was shocked when it found that Andrew had been fined only £1,000 by the ICO for the data breach.

The ICO gave some reasons in its defense. In a press conference it announced that the way Andrew and his organization were using the personal details of other organizations and their clients was totally illegal and unlawful. That was against the law on data breaches. As soon as it came to the ICO's attention, it took immediate action against Andrew. But as ACS: Law had seized all the properties of Andrew, he was unable to pay the full amount. Taking this into consideration, the ICO decreased the amount of the fine.

But people are not happy with this decision, because according to the law of data breach the amount of the fine must be £400 multiplied by the number of people whose data has been misused. So the amount should have been much higher than £1,000. They have even questioned the impact and power of ACS: Law and the ICO, because according to the law the ICO has no power to investigate the property of the accused person. It has to depend on that person's documents, and it is very easy to manipulate those documents. Though Andrew's case went to court, and the court also pronounced him guilty of data breach and misuse, the ICO still failed to fine him more.

This is not the first time that a person has been released by the ICO after being charged a very low amount of money. As a result, people are losing their faith in the ICO day by day. So the government has to take some immediate steps to increase the power of the ICO.

About Alertsec:
Alertsec is the front runner in offering data encryption as a fully managed service. We provide protection for all information stored on laptops and PCs in an easy, convenient, and cost-effective way. By using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software, Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption.


ING Compromises Customer Data

February 14th, 2010

Millions of people use search engines like Google to access all sorts of information every day. It’s become a common practice for users to search their names to see what comes up.

Imagine doing that and seeing your personal information show up in the search results, available for anyone to see. Everything including your address and social security number would appear. A security breach by the Internationale Nederlanden Groep (ING), a worldwide financial service provider, made this horror a reality for 106 of its customers. Though the file which hosted the compromised data has since been removed, the repercussions of the breach are still largely unknown.

Investigating the Breach

A filing [PDF] from the company to the New Hampshire Attorney General’s Office explained:

On January 25, 2010 a customer alerted her securities broker to the fact she was able to access customer information through the ingfunds.com website. An electronic file containing customers’ personal information was inadvertently made accessible through the ingfunds.com website due to an isolated error, which has been resolved. The file was mistakenly posted to the website in August 2008. The error was quickly detected and the ability to access the file via link on the website was removed. The file, however, remained accessible through a specific search conducted via a web search engine. The file included the name, address, account number and social security number for 106 shareholders.

It’s remarkable that ING stored the private details of some of its customers in a file that wasn’t encrypted or even hosted on a private server. What’s really dangerous is that accessing this information wouldn’t require any complicated hacking: a clever search engine user could stumble on the social security numbers and do untold damage! Customers of financial institutions deserve a higher class of service; organizations like ING have a responsibility to ensure that the information they’re entrusted with remains well-protected.

Next Steps and Lessons for ING

While poor data security is hard to forgive, ING has acted quickly to resolve the issue and has done everything possible to help the customers affected. On top of alerting the authorities in a timely manner, the company has conducted investigations into each customer’s account and announced that no suspicious activity had occurred. As an additional apology, ING offered a free year of credit monitoring and fraud coverage to the 106 customers to help prevent the future risk of identity theft.

Unfortunately, ING can’t get rid of this embarrassing situation that easily. Mainstream media will pick up the story and will end up damaging the business’s reputation and brand image. Moreover, the error may be a lot more serious than the company realizes. It’s very likely that a number of the 106 victims will leave ING and take their business elsewhere. Some may even sue the company, especially if they incur damages due to the security breach. Identity theft may have already happened; sometimes it takes a while for the crime to be noticed. Even the Attorney General may end up imposing a fine for irresponsible business practices!

Keeping customer data secure should be an imperative for any business organization. Companies need to protect private information to avoid all the problems that ING will have to deal with in the coming weeks and months. Had ING encrypted the files which contained personal user details and stored them on a private server, this debacle could have easily been avoided.

Further Reading
ING Fund client data exposed on the web for 18 months [Office of Inadequate Security]