News Stories about Data Loss
--Stolen Laptop Contains Sensitive Financial Data
(October 5 & 8, 2007)
A
laptop computer stolen from an HMRC (HM Revenue and Customs) employee's
car on September 20 contains personal and financial data of at least
400 people. The employee had information from financial institutions
about account holders for the purpose of conducting a routine audit.
The police have been notified, and the HMRC will investigate the
incident, which does not involve a third party contractor. The data on
the computer are reportedly protected by "complex password and top
level encryption." HMRC is urging the financial institutions to inform
their clients about the breach.
http://www.theregister.co.uk/2007/10/08/hmrc_lost_laptop/print.html
http://www.whatpc.co.uk/vnunet/news/2200705/red-faces-government-laptop
http://www.manchestereveningnews.co.uk/news/s/1018735_laptop_theft_sparks_id_fears
[Editor's
Note (Pescatore): If top level encryption was really in use, no need to
actually make public disclosures of lost laptops anymore. ]
--Stolen Laptops Hold Carnegie Mellon Univ. Student Data
(October 9 & 10, 2007)
Two
laptop computers stolen from the locked office of a Carnegie Mellon
University computer science professor hold personally identifiable
information of approximately 400 students. While the theft occurred on
or around September 2, affected individuals were not notified of the
breach until September 29. The breach is believed to affect students
who took courses from the professor between summer 2004 and spring 2006.
http://www.securitypronews.com/news/securitynews
http://www.post-gazette.com/pg/07283/824157-298.stm
--Memory Stick Containing Sensitive UK Government Passwords Found Outside Pub
(November 2 & 3, 2008)
The
UK's Government Gateway website was shut down after a memory stick
containing pass codes for the system was found in a pub parking lot.
The Gateway site allows citizens to access services from 50 government
departments, including managing parking tickets, pension entitlements
and tax returns; someone with those pass codes could access personally
identifiable information of the 12 million people who have registered
on the site. The system was restored after it was found that the data
on the stick were encrypted. The stick belongs to Atos Origin, the
company that manages the website; an investigation is underway. Atos
said the employee violated company policy by taking the memory stick
off business premises. Prime Minister Gordon Brown has taken some heat
for remarking that "It is important to recognize that we cannot promise
that every single item of information will always be safe because
mistakes are made by human beings."
http://www.smh.com.au/news/technology/security/memory-stick-loss-sparks-government-system-shutdown/2008/11/03/1225560695249.html
http://www.scmagazineuk.com/Government-website-briefly-closed-following-USB-loss/article/120275/
http://www.scmagazineuk.com/Lib-Dems-call-for-ban-on-memory-sticks-to-carry-confidential-data/article/120277/
http://www.timesonline.co.uk/tol/news/politics/article5064274.ece
http://www.mailonsunday.co.uk/news/article-1082467/I-make-promises-keeping-personal-details-safe-admits-Brown-wake-latest-data-blunder.html
http://www.scmagazineuk.com/Prime-Minister-criticised-over-data-loss-comment/article/120276/
[Editor's
Note (New Editor Ron Dick): While probably not the most politically
correct thing to say, Prime Minister Gordon Brown is right. People make
mistakes that cause harm to others. The challenge is how we educate
and reinforce in people to do what is correct. I have said for years
there needs to be a law entitled U.S. Code Title 18 "Stupid". In my
former life, I would have had a lot more convictions. However, I am
not sure what the consequences should be for stupid. ]
DATA LOSS, THEFT & EXPOSURE
--Bank of Ireland Acknowledges Missing USB Stick
(November 3, 2008)
Bank
of Ireland has confirmed that a USB memory device containing personally
identifiable information of nearly 900 customers has been lost. The
drive contains names, addresses and contact numbers but no financial
account information. Bank of Ireland policies and procedures do not
allow storage of customer data on unencrypted memory devices.
http://www.breakingnews.ie/ireland/mhideygbkfsn/
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Lost Memory Stick Holds UK Prison Inmate Medical Information
(January 9, 2009)
UK
Health officials have apologized following the loss of a memory stick
that contains personally identifiable information of people who had
been seen as medical patients while at HM Prison Preston. The data are
encrypted, but the password was apparently attached to the device. The
data include 6,360 entries. The stick was lost on December 30.
Employees of NHS Central Lancashire involved in the incident have been
suspended pending the results of an investigation.
http://www.lep.co.uk/news/Apology-after-prisoners39-health-info.4862265.jp
--440 MoD Data Storage Devices Lost or Stolen in 2008
(January 26, 2008)
The
UK Ministry of Defence (MoD) says that during 2008, 440 desktop
computers, laptops, hard drives and memory sticks were lost or stolen.
This brings the total number of devices reported missing in the last
five years to over 1,640. Despite new cyber security rules established
last summer, 2008 marked the highest number of missing devices since
2003. The lost devices contained personal information, including bank
details, driver's license and passport numbers of nearly half of those
serving in the armed forces. All persons known to be affected by the
breach have been contacted and cautioned to keep a close watch on their
account activity.
http://www.theherald.co.uk/news/other/display.var.2484537.0.MoD_admits_440_computer_data_devices_have_been_lost_or_stolen_in_the_past_year.php
--Lost Disk with British Council Staff Data Was Encrypted
(January 25, 2009)
A
disk containing personal employment information of approximately 2,000
members of the British Council staff was lost by a courier company
while in transit between the council's payroll supplier and its human
resources department. The data on the disk, which include names,
national insurance numbers, salary and bank account information, were
encrypted.
http://www.channel4.com/news/articles/science_technology/encrypted+staff+data+disc+lost/2910732
