Data Protection News

Welsh police force fined for sexual abuse case data breach

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.

The DVDs contained film of an interview with a victim, who had been sexually abused as a child. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.

The recorded interview took place in August 2011 and the loss was discovered by staff after an office move in October 2011 but the security breach then went unreported for nearly two years due to lack of training. Although the DVDs were stored in a secure part of the police station, South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.

A second interview had to be abandoned due to the victim’s distress and the DVDs have still not been recovered. The defendants were eventually convicted in court.

Anne Jones, Assistant Commissioner for Wales said: “Without any doubt we would expect a professional police force, in a position of trust, dealing with this type of highly sensitive information from victims and witnesses on a daily basis to have robust procedures to keep track of the personal data in their care.

“The organisation has failed to take all appropriate measures against the unauthorised processing and accidental loss of personal data. This breach is extremely serious and despite guidance from our office, the Ministry of Justice and Association of Chief Police Officers stating it is essential to have a policy on storing this sort of information they still haven’t fully addressed the issue.

“The monetary penalty given to South Wales Police should send a clear message that organisations have to take responsibility for personal data and the way in which it is stored.”

In addition to the monetary penalty, the Information Commissioner has asked the police force to sign an undertaking committing it to implement policies that will stop such incidents happening again.

Discarded hard drives are dangerous

During a computer upgrade, some may be tempted to toss old hard drives on the curbside or sell them on eBay. But it might be better to smash them with a baseball bat. Otherwise, computer forensics experts warn, sensitive data on those hard drives could someday end up in the wrong hands, says Simson L. Garfinkel, a postdoctoral fellow at the Center for Research on Computation and Society.

When retiring a hard drive, physical destruction makes the information inaccessible. But after an extensive investigation, Garfinkel has found that a lot of old hard drives are circulating with reams of sensitive information intact. Many are repurposed or sold, and some end up on eBay. One company had a 300-machine upgrade and needed to unload the old hard drives, Garfinkel said. They were sold for spare parts. “Since 1998, I have purchased 1,000-plus hard drives on the secondary market and had them delivered by FedEx,” Garfinkel said. Garfinkel and fellow researcher Abhi Shelat conducted earlier research on the scope of the problem when they collected 158 hard drives from online auction services, markets and used computer equipment shops.

They rummaged through the old machinery and found thousands of credit-card numbers, financial records, medical information, trade secrets and other highly personal information. The hard drive problem is just one example of why organizations need to audit their security controls, Garfinkel said. In fact, his larger presentation at the MIS confab was on the value of forensics and self-auditing. He said companies can use forensics to “understand what’s actually going on” over their network and test the effectiveness of application performance and security. It can also be used to review regulatory compliance efforts and track the flow of data across network boundaries. And, of course, it could be used to track old hard drives and see if they’ve been properly disposed of.
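The self-audit Garfinkel describes can be made concrete. The following is an added example, not code from the article or from any of the researchers quoted: a small Python check that a security team could run over a raw image of a drive before it leaves the organisation. It counts sectors that are not blank and looks for a handful of well-known file signatures, which is exactly the kind of residue that standard recovery tools find on “disposed of” disks. The sector size, the signature table and the sample image are all constructed for the example.

```python
"""Added example: verify that a drive image has actually been sanitised.

A drive that was properly overwritten reports zero non-blank sectors and
no file-signature hits. A quick format or a deleted partition table does
NOT produce that result, because file contents are left in place.
"""

SECTOR = 512  # assumed sector size for the constructed image

# Constructed table of leading bytes ("magic") for common file types.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP / Office document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}


def scan_image(image: bytes, sector_size: int = SECTOR) -> dict:
    """Return a residual-data report for a raw drive image.

    Keys: 'sectors' (total), 'nonblank' (sectors with any non-zero byte),
    'hits' (list of (byte offset, description) for recognised signatures)
    and 'sanitised' (True only when every sector is blank).
    """
    total = (len(image) + sector_size - 1) // sector_size
    nonblank = 0
    hits = []
    for i in range(total):
        sector = image[i * sector_size:(i + 1) * sector_size]
        if any(sector):  # any non-zero byte means data survived
            nonblank += 1
            for magic, desc in SIGNATURES.items():
                off = sector.find(magic)
                if off != -1:
                    hits.append((i * sector_size + off, desc))
    return {
        "sectors": total,
        "nonblank": nonblank,
        "hits": hits,
        "sanitised": nonblank == 0,
    }


def build_sample_image() -> bytes:
    """Constructed 16-sector image: a 'quick format' blanked sector 0
    but left a PDF header in sector 3 and a JPEG header in sector 9."""
    img = bytearray(16 * SECTOR)
    img[3 * SECTOR:3 * SECTOR + 20] = b"%PDF-1.4 patient rec"
    img[9 * SECTOR + 100:9 * SECTOR + 103] = b"\xff\xd8\xff"
    return bytes(img)


def overwrite_image(image: bytes) -> bytes:
    """Model a single zero-fill pass so the check can be shown passing."""
    return bytes(len(image))


if __name__ == "__main__":
    before = scan_image(build_sample_image())
    after = scan_image(overwrite_image(build_sample_image()))
    print("before wipe:", before)
    print("after wipe: ", after)
```

On a real drive the same logic would be run over an image taken with a block-level tool after the overwrite step; a `sanitised` result of `False` means the drive is not ready to leave the building, whatever the disposal contractor's paperwork says.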


Be safe: make sure your hard drives have been destroyed correctly.

Book your appointment today

Missile Data Found on Hard Drives

Sensitive information for shooting down intercontinental missiles as well as bank details and NHS records was found on old computers, researchers say.

Of 300 hard disks bought completely randomly at computer fairs and an online auction site, 34% still held personal data.

Researchers from BT and the University of Glamorgan bought disks from the UK, America, Germany, France and Australia.

The information was enough to expose individuals and firms to fraud and identity theft, said the researchers.

Standard data recovery software was used to inspect the hard drives. The research involving the Welsh campus was led by BT’s Security Research Centre and included researchers at Edith Cowan University in Australia and Longwood University in the US.

In addition to finding bank account details and medical records, the work unearthed job descriptions and personal security identity numbers as well as data about a proposed $50bn currency exchange through Spain. Details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system were found on a disk bought on eBay.

The missile system, tested as recently as March 2009 following a controversial missile test by North Korea, is designed to destroy long-range intercontinental missiles launched by terrorists or countries the US considers to be “rogue states”.

The missile system was designed and built by US defence group Lockheed Martin and the same computer hard disk also revealed security policies and blueprints of facilities at the group, and personal information on employees.

The researchers said a disk from France included security logs from an embassy in Paris, while two disks from the UK appear to have originated from a Scottish health board.

The disks had information from the Monklands and Hairmyres hospitals, part of Lanarkshire health board, and revealed patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.

Another disk, from a US-based consultant, formerly with a US-based weapons manufacturer, revealed account numbers and details of proposals for the $50bn currency exchange as well as details of business dealings between organisations in the US, Venezuela, Tunisia and Nigeria.

Personal correspondence was also found from a member of a major European bank.

‘Illegal’

Prof Blyth, an expert in computer forensics and principal lecturer at the University of Glamorgan’s faculty of advanced technology, said the results were in line with previous studies, which showed 40%-50% of second-hand disks that can be powered up contained sensitive data.

He said: “While it’s not getting worse, it’s not getting any better either.

“It’s not rocket science. I could probably take somebody who is 14 or 15 years old and in a day have them doing this.”

Dr Andy Jones, head of information security research at BT, said: “It is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.

“Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly.”

In a statement, Lanarkshire health board said: “This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.

“In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable.”

The board has carried out a review of its policies and now no longer uses external companies to dispose of IT equipment, the statement added.

A spokesman for Lockheed Martin said the company was not aware of any “compromise of data” related to the THAAD programme, and no government or law enforcement agency had notified it of any such loss.

The results of the study, the fourth in a five-year project, will be made available in a paper appearing in the next issue of the Journal of International Commercial Law and Technology (JICLT) 2009.

Shredding would eliminate the issues found in all of the situations above.