UK information commissioner warns about growing data losses

LONDON – The U.K. has seen an “alarming number of security breaches” in the last six months involving public sector, private and charity organizations according to Information Commissioner Richard Thomas.

There have been 94 serious data breaches reported to the Information Commissioner’s Office (ICO) in the six months since HM Revenue and Customs lost two CDs containing 25 million records of child benefit recipients.

The public sector was the worst culprit, experiencing 62 breaches in the past six months. Almost a third of those occurred in Whitehall and its agencies, and a fifth happened in NHS trusts.

In the private sector, which had some 28 incidents, financial firms were responsible for half of security breaches. HSBC was one high profile culprit. Retailer Marks & Spencer was another. In January the Information Commissioner gave it two months to encrypt all its laptop hard drives. This followed the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees.

Thomas said it was “disappointing” that the HMRC breaches calamity had not stirred other bodies to prevent “unacceptable security breaches.”

“The government, banks and other organizations need to regain the public’s trust by being far more careful with people’s personal information. Once again I urge business and public sector leaders to make data protection a priority in their organization,” Thomas said.

Information that has gone missing includes unencrypted laptops and computer discs, memory sticks and paper records. Data has been stolen, gone missing in the post and whilst in transit with a courier. The material that has been lost includes a wide range of personal details, including financial and health records.

In 16 cases the ICO has required the organization to make procedural changes to improve data security, such as encryption. In three instances the lost information has been recovered.

The Commissioner’s findings coincide with the release of the 2008 Information Security Breaches Survey, which was conducted by Price Waterhouse Coopers on behalf of the Department for Business Enterprise and Regulatory Reform.

The survey revealed that 78 percent of those surveyed reported having a laptop stolen where the data on hard drive was not encrypted while 13 percent had detected unauthorized outsiders within their network.

As that report was released the Bank of Ireland reported it had four company laptops stolen last year containing around 10,000 customer details.

The bank confirmed that four laptop computers – containing information on customers’ names and addresses, medical backgrounds, life assurance details and bank account details – were stolen between June and October. The data held was not encrypted.

The laptops contained information relating to some customers who either obtained a quote or took out a life assurance policy. It is believed three were stolen from cars from sales managers, and one from a bank branch. The breach affected branches in Drogheda, Dunleer, Bagnelstown, Stephen’s Green, Tallaght, Montrose and Court Place in Carlow.

A spokesperson declined to comment on the ongoing investigation into recovering the lost information or engaging third parties into a review.

“We are conducting a review of what happened and looking at what will happen in the future,” she said. Although the computers were stolen last year, Ireland’s data protection commissioner was only informed of the breach last Friday. The commissioner has begun an inquiry.

In a statement, the commissioner said: “A more detailed report has been sought from Bank of Ireland into the exact circumstances surrounding the loss of the personal data.

The investigation will focus on the justification for the personal data, including sensitive medical data in some cases, being placed on the laptops in the first place, the security arrangements in place and the exact circumstances which led to the delay in the reporting of this matter internally within the Bank of Ireland to the appropriate personnel for the taking of further action.

“Consideration will then be given as to what further action will be sought from Bank of Ireland to ensure that the obligations contained in the Data Protection Acts in this area are met.”

The bank spokesperson said the bank has plans to start rolling out encryption for its laptops in May. “In the unlikely event that any customers lose money following the laptop thefts, they will be reimbursed,” the spokesperson said.

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now