News Stories about Data Loss
--Stolen Laptop Contains Sensitive Financial Data
(October 5 & 8, 2007)
A laptop computer stolen from an HMRC (HM Revenue and Customs) employee's car on September 20 contains personal and financial data of at least 400 people. The employee had information from financial institutions about account holders for the purpose of conducting a routine audit. The police have been notified, and the HMRC will investigate the incident, which does not involve a third-party contractor. The data on the computer are reportedly protected by "complex password and top level encryption." HMRC is urging the financial institutions to inform their clients about the breach.
[Editor's Note (Pescatore): If top level encryption was really in use, no need to actually make public disclosures of lost laptops anymore.]
--Stolen Laptops Hold Carnegie Mellon Univ. Student Data
(October 9 & 10, 2007)
Two laptop computers stolen from the locked office of a Carnegie Mellon University computer science professor hold personally identifiable information of approximately 400 students. While the theft occurred on or around September 2, affected individuals were not notified of the breach until September 29. The breach is believed to affect students who took courses from the professor between summer 2004 and spring 2006.
--Memory Stick Containing Sensitive UK Government Passwords Found Outside Pub
(November 2 & 3, 2008)
The UK's Government Gateway website was shut down after a memory stick containing pass codes for the system was found in a pub parking lot. The Gateway site allows citizens to access services from 50 government departments, including managing parking tickets, pension entitlements and tax returns; someone with those pass codes could access personally identifiable information of the 12 million people who have registered on the site. The system was restored after it was found that the data on the stick were encrypted. The stick belongs to Atos Origin, the company that manages the website; an investigation is underway. Atos said the employee violated company policy by taking the memory stick off business premises. Prime Minister Gordon Brown has taken some heat for remarking that "It is important to recognize that we cannot promise that every single item of information will always be safe because mistakes are made by human beings."
[Editor's Note (New Editor Ron Dick): While probably not the most politically correct thing to say, Prime Minister Gordon Brown is right. People make mistakes that cause harm to others. The challenge is how we educate and reinforce in people to do what is correct. I have said for years there needs to be a law entitled U.S. Code Title 18 "Stupid". In my former life, I would have had a lot more convictions. However, I am not sure what the consequences should be for stupid.]
DATA LOSS, THEFT & EXPOSURE
--Bank of Ireland Acknowledges Missing USB Stick
(November 3, 2008)
Bank of Ireland has confirmed that a USB memory device containing personally identifiable information of nearly 900 customers has been lost. The drive contains names, addresses and contact numbers but no financial account information. Bank of Ireland policies and procedures do not allow storage of customer data on unencrypted memory devices.
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Lost Memory Stick Holds UK Prison Inmate Medical Information
(January 9, 2009)
UK health officials have apologized following the loss of a memory stick that contains personally identifiable information of people who had been seen as medical patients while at HM Prison Preston. The data are encrypted, but the password was apparently attached to the device. The data include 6,360 entries. The stick was lost on December 30. Employees of NHS Central Lancashire involved in the incident have been suspended pending the results of an investigation.
--440 MoD Data Storage Devices Lost or Stolen in 2008
(January 26, 2008)
The UK Ministry of Defence (MoD) says that during 2008, 440 desktop computers, laptops, hard drives and memory sticks were lost or stolen. This brings the total number of devices reported missing in the last five years to over 1,640. Despite new cyber security rules established last summer, 2008 marked the highest number of missing devices since 2003. The lost devices contained personal information, including bank details, driver's license and passport numbers of nearly half of those serving in the armed forces. All persons known to be affected by the breach have been contacted and cautioned to keep a close watch on their account activity.
--Lost Disk with British Council Staff Data Was Encrypted
(January 25, 2009)
A disk containing personal employment information of approximately 2,000 members of the British Council staff was lost by a courier company while in transit between the council's payroll supplier and its human resources department. The data on the disk, which include names, national insurance numbers, salary and bank account information, were encrypted.