Shostack + Friends Blog Archive


Six breach reports in the UK: the floodgates are open

In Dissent’s weekly roundup of breaches [link to http://www.pogowasright.org/blogs/dissent/?p=741 no longer works], there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off.

Newly reported incidents in the U.K. and Ireland:

  • In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. The unencrypted data were on two discs that went missing after being sent to the agency’s headquarters in Swansea. This was the second incident involving the DVLA in a month.
  • The Leeds Building Society [link to http://www.clickajob.co.uk/news/building-society-loses-data--8044.html no longer works] has warned its staff of 1,000 to be vigilant after admitting to losing their personal details including bank and salary details when the company’s human resources department was moved during a refurbishment of its head office.
  • In the UK: government officials mistakenly sent confidential personal details consisting of names, dates of birth and criminal histories of dozens of inmates set to be released; the data were sent to a private business. The personal details also reveal the addresses the prisoners will move to after leaving jail.
  • Hundreds of people have had personal pension details sent to the wrong addresses after an error by a Herts County Council contractor, Serco [link to http://www.hertsad.co.uk/content/herts/news/story.aspx?brand=HADOnline&category=News&tBrand=herts24&tCategory=newshadnew&itemid=WEED13%20Dec%202007%2011%3A40%3A19%3A500 no longer works]. Serco sent 1,400 statements for staff, former staff and councillors to the wrong destinations because of an “administrative error”. The statements included the person’s name, date of birth, national insurance number, and pensionable pay. So far, only 400 of the statements have been returned to the county council leaving 1,000 still missing.
  • A laptop with the names, addresses, phone numbers and dates of birth of 950 NHS diabetes patients was stolen from the St Julian’s GP surgery. Data on the stolen laptop also include a link to a picture of patients’ retinas — already they have a problem with the security of biometric data before they have implemented any ID system, it seems — Dissent.
  • Sefton Primary Care Trust has accidentally sent about 1800 of its staff’s records to four organisations it is refusing to name. Staff details included dates of birth, national insurance numbers, pensions and salary details. The four companies were bidding for work with the trust. The Trust is reportedly not revealing the names of the four companies because of “commercial confidentiality”. They seem to take “commercial confidentiality” more seriously than employee confidentiality — Dissent.

In related news, BoingBoing covered a petition [link to http://petitions.pm.gov.uk/databreaches/ no longer works] for mandatory disclosure in the UK. It’s for British citizens and residents only. If you’re in the UK, or a citizen in an overseas territory or Crown dependency, you may and should sign.

7 comments on "Six breach reports in the UK: the floodgates are open"

  • Chris says:

    That’d be Northern Ireland.
    (Hey, what’s the holiday season without fanning some sectarian flames?)

  • Dissent says:

    There were three more newly revealed UK breaches today. I had to blink a few times to make sure that they weren’t previously reported breaches.
    In today’s news, I thought it somewhat ironic how Pearson Driving Assessments Ltd’s “secure facility” in Iowa was responsible for a UK breach affecting 3 million Brits. As if the UK didn’t have enough problems of its own without a U.S. facility chipping in. 🙂
    I doubt if we would have found out about the Iowa data loss without the UK reporting it.

  • Gavin says:

    That’d be Northern Ireland.
    I was just about to post that

  • Adam says:

    “Ireland” is part of the quote. Go pick on Pogo. They’re not afraid of you.

  • Dissent says:

    Gah.. fixed it on the original. I am so geographically challenged sometimes….
    But the only thing that scares me these days is any phone call that begins, “Hey Mom, is my car insurance paid up?”

  • George D. says:

    Related to the breaches themselves, it seems that some quasi-government branches are starting to come down more heavily upon private entities that ‘lose’ data. Norwich Union Life was fined £1.26 million (= a lot of money) by the UK Financial Services Authority for leaks of personal information.
    More info at:
    http://www.inf-sec.com/news/071217_norwich_union.html
    My comments at:
    http://conspicuouschatter.wordpress.com/2007/12/21/privacy-technologies-can-save-you-money/

  • Antonomasia says:

    The NHS has been much criticised in recent years for centralising data with no meaningful security.
    http://news.bbc.co.uk/1/hi/uk/7158019.stm
