A UK local council has lost the personal details of hundreds of residents when a memory stick fell out of an employee’s pocket. Details lost include names, addresses, national insurance numbers, ethnicity and more.
Read More »

It seems from a recent report that healthcare businesses have become a specific target for hackers in recent months. International managed security services company SecureWorks says that attempted hacker attacks launched at its healthcare clients doubled in Q4 2009, increasing from an average of 6,500 per healthcare client, per day in the first nine months of 2009, to an average of 13,400 per client per day in Q4 2009.

It’s suggested that there are two main reasons for this: the large amounts of identifiable data on patients stored within healthcare organisations, and the sheer number of possible attack vectors, including web-based attacks and attacks from devices (such as infected, unauthorised USB flash drives).

In some territories, such as the UK and Canada, healthcare bodies are rolling out extensive data security measures (such as secure USB drives with onboard anti-virus scanning). This is a sensible and practical response to the increase in data security risks.

It’s been talked about for some time, but now the UK’s information watchdog, the Information Commissioner’s Office, will soon be able to penalize companies that are proven to have acted recklessly or maliciously with personal data.
Read More »

The UK Government’s former Information Commissioner, Richard Thomas, was recently interviewed by SC Magazine. It makes a very interesting read, especially on what Thomas describes as “politicians, senior civil servants and managers … not understanding the technologies and the risks.”

It also gives an insight into plans to introduce stronger powers for the Information Commissioner’s Office, such as increased notification fees for data breaches for larger organisations, new powers of inspection and much stronger sanctions against companies that have experienced breaches.

New sanctions are also planned to be introduced from next year when ‘a company or government department deliberately or recklessly ignore data protection requirements, and cause serious harm, then they will face a civil penalty’. Thomas explains that this will affect anyone who is a data controller, and there are over 300,000 of them in the UK.

All the more reason for organizations to evaluate their approach to portable data security – and take appropriate action to secure critical information.

The UK Government Information Commissioner’s Office (ICO) continues to be firm with public sector organisations that have had data losses.

This week, a Council in central England has agreed to comply with data protection principles, and signed an undertaking to assure the ICO that personal data will be kept securely in future.  A council employee lost an unencrypted memory stick which contained highly sensitive personal information on four families.

As part of the commitment, the council has agreed to ensure that portable and mobile devices, including laptops, USB flash drives etc are encrypted.  Staff will also be trained and made aware of policies for storage and use of personal information.

It’s good to see that these measures are being taken over losses of personal data, even when the actual volume of lost data is small.  Let’s hope that other countries take an equally firm stance on this issue.

The UK Government’s data protection watchdog has recently criticised another health organisation for two incidences of data loss in early 2008, one of which involved the loss of an unencrypted USB flash drive. 

While this can seem negative, it’s an example of how attitudes to data security in the UK public sector are changing.  As a result of the Government’s data watchdog’s vigilance and willingness of organisations that have suffered losses to change, the English National Health Service is one of the most advanced in successfully rolling out DLP systems, including mandatory hardware-encrypted USB drives.

An excellent example of how this can be done is given by NHS Dumfries and Galloway, which earlier this year deployed 1100 SanDisk Cruzer Enterprise secure flash drives to protect confidential patient data.

An interesting point was that NHS Dumfries & Galloway didn’t just hand the secure drives to users:  they held an amnesty so that staff could bring in old USB pen drives containing confidential information for orderly disposal.

The organisation arranged distribution days where they travelled to its various different office locations to give out the new drives.  This helped to ensure that all staff knew about the amnesty, and had a chance to familiarise themselves with the organisation’s updated polices – an example of good practice for anyone planning a similar roll-out.

A new report on the state of IT security has warned that the weakening job market could lead to an increase in online crime as laid-off workers, especially those with computer skills, turn to scams to support themselves.

The report from networking company Cisco claims that IT staff threatened with redundancy because of the downturn could initially target their employers as an easy option for sourcing information, based on their inside knowledge of systems, processes and people.

An example was the arrest in April this year of a former IT analyst at the Federal Reserve Bank of New York, on suspicion of taking out loans using false identities.  The FBI found a USB flash drive attached to the employee’s computer with applications for $73,000 in loans in the names of stolen identities.

Whether this is just another version of the often-repeated “insider threat” remains to be seen.  But it does highlight the importance of securing data by encryption, and controlling what USB storage devices employees can use – for example, issuing authorised staff with secure flash drives.  These measures help to cut the risks of damaging data losses or theft.

The UK Government’s data watchdog, the Information Commissioner’s Office (ICO), has said that the UK Home Office broke data protection laws when a Home Office contractor lost a USB flash drive containing unprotected information on thousands of prisoners. 

The thumb drive was lost in August 2008 by an employee of the contractor.  It contained the names, addresses and expected release dates of 84,000 prisoners in England and Wales. 

The ICO ruled that even though a contractor had lost the data, the data controller (the Home Office) was responsible for the security of the information.

 As a result, the ICO has also insisted the Home Office signs a declaration promising to hold personal data securely in the future - which will mean all portable and mobile storage devices which are used to store and transmit information must be encrypted. 

 It’s likely that other Government and public sector organisations will be made to follow this policy - meaning that secure USB flash drives will be widely adopted in the coming year.  Let’s hope this signals the end of large-scale public data losses.