Six breach reports in the UK: the floodgates are open
In Dissent’s weekly roundup of breaches [link to http://www.pogowasright.org/blogs/dissent/?p=741 no longer works], there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off.
Newly reported incidents in the U.K. and Ireland:
- In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. The unencrypted data were on two discs that went missing after being sent to the agency’s headquarters in Swansea. This was the second incident involving the DVLA in a month.
- The Leeds Building Society [link to http://www.clickajob.co.uk/news/building-society-loses-data--8044.html no longer works] has warned its staff of 1,000 to be vigilant after admitting to losing their personal details including bank and salary details when the company’s human resources department was moved during a refurbishment of its head office.
- In the UK: government officials mistakenly sent confidential personal details consisting of names, dates of birth and criminal histories of dozens of inmates set to be released; the data were sent to a private business. The personal details also reveal the addresses the prisoners will move to after leaving jail.
- Hundreds of people have had personal pension details sent to the wrong addresses after an error by a Herts County Council contractor, Serco [link to http://www.hertsad.co.uk/content/herts/news/story.aspx?brand=HADOnline&category=News&tBrand=herts24&tCategory=newshadnew&itemid=WEED13%20Dec%202007%2011%3A40%3A19%3A500 no longer works]. Serco sent 1,400 statements for staff, former staff and councillors to the wrong destinations because of an “administrative error”. The statements included the person’s name, date of birth, national insurance number, and pensionable pay. So far, only 400 of the statements have been returned to the county council leaving 1,000 still missing.
- A laptop with the names, addresses, phone numbers and dates of birth of 950 diabetes patients of NHS patients was stolen from the St Julian’s GP surgery. Data on the stolen laptop also include a link to a picture of patients’ retinas — already they have a problem with the security of biometric data before they have implemented any ID system, it seems — Dissent.
- Sefton Primary Care Trust has accidentally sent about 1800 of its staff’s records to four organisations it is refusing to name. Staff details including dates of birth, national insurance numbers, pensions and salary details. The four companies were bidding for work with the trust. The Trust is reportedly not revealing the names of the four companies because of “commercial confidentiality”. They seem to take “commercial confidentiality” more seriously than employee confidentiality — Dissent.
In related news, BoingBoing covered a petition [link to http://petitions.pm.gov.uk/databreaches/ no longer works] for mandatory disclosure in the UK. It’s for British citizens and residents only. If you’re in the UK, or a citizen, in an overseas territory or Crown dependency, you may and should sign.
That’d be Northern Ireland.
(Hey, what’s the holiday season without fanning some sectarian flames?)
There were three more newly revealed UK breaches today. I had to blink a few times to make sure that they weren’t previously reported breaches.
In today’s news, I thought it somewhat ironic how Pearson Driving Assessments Ltd’s “secure facility” in Iowa was responsible for a UK breach affecting 3 million Brits. As if the UK didn’t have enough problems of its own without a U.S. facility chipping in. 🙂
I doubt if we would have found out about the Iowa data loss without the UK reporting it.
That’d be Northern Ireland.
I was just about to post that
“Ireland” is part of the quote. Go pick on Pogo. They’re not afraid of you.
Gah.. fixed it on the original. I am so geographically challenged sometimes….
But the only thing that scares me these days is any phone call that begins, “Hey Mom, is my car insurance paid up?”
Related to the breaches themselves it seems that some quasi-government branches start coming down more heavily upon private entities that `lose’ data. Norwich Union Life was fined £1.26 millions (= a lot of money) by the UK Financial Services Authority for leaks in personal information.
More info at:
http://www.inf-sec.com/news/071217_norwich_union.html
My comments at:
http://conspicuouschatter.wordpress.com/2007/12/21/privacy-technologies-can-save-you-money/
The NHS has been much criticised in recent years for centralising data with no meaningful security.
http://news.bbc.co.uk/1/hi/uk/7158019.stm