It seems hardly a day goes past without news of a lost laptop containing sensitive unencrypted data or a mislaid USB memory stick.
The latest victims are some 109,000 pension holders whose data was on a laptop computer at the offices of Marlow-based NorthgateArinso, a British software provider which supplied the computerised pensions administration system to The Pensions Trust.
The stolen laptop included such sensitive data as names and addresses, dates of birth, National Insurance numbers, employer names, salary details, and bank account details. More information about the affected pension schemes can be found in this BBC News report.
NorthgateArinso published a statement on its website saying that the PC was password-protected, but choosing not to mention that the data was not encrypted:
The Police authorities have confirmed that they are investigating the loss, and believe the theft to be opportunistic rather than a targeted attempt to steal data. However, with awareness growing of the value of identity and banking information, we can expect to see more and more petty crooks understanding that the computer they have stolen may have more value than a brand new PC on the shelf of a high street store.
Of course, you’d expect me to bemoan that the disk wasn’t properly encrypted. And yes, it is horrendous that such sensitive information wasn’t being held securely.
But the big question that instantly springs to my mind is this: Why on earth was there any need to use live data for testing and training purposes in the first place? If a large amount of data needed to be used for testing purposes or statistical analysis then it should have been sanitised beforehand, by wiping out identifying information.
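One way to sanitise such a dataset before it reaches a test or training machine, as an added example that is not from the original post or from NorthgateArinso. The field names, the sample rows and the `QQ` placeholder prefix for National Insurance numbers are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample rows using the kinds of field the post lists; not real data.
SAMPLE_ROWS = [
    {"member_id": "1001", "name": "Jane Example", "address": "1 Sample Street, Marlow",
     "date_of_birth": "1961-04-23", "ni_number": "AB123456C", "employer": "Example Charity A",
     "salary": "31450", "sort_code": "12-34-56", "account_number": "12345678"},
    {"member_id": "1002", "name": "John Sample", "address": "2 Test Road, Leeds",
     "date_of_birth": "1958-11-02", "ni_number": "CD654321B", "employer": "Example Charity A",
     "salary": "27890", "sort_code": "65-43-21", "account_number": "87654321"},
]

def _token(key, field, value, length=10):
    """Keyed one-way pseudonym: stable for one key, so joins between tables still work."""
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]

def sanitise_record(row, key):
    """Return a copy of one record with identifying information wiped or coarsened."""
    # Assumption: "QQ" is used as a placeholder prefix that is not an allocated NI prefix.
    ni_digits = int(_token(key, "ni", row["ni_number"], 8), 16) % 1_000_000
    return {
        "member_id": _token(key, "member", row["member_id"]),
        "name": "Member " + _token(key, "name", row["name"], 6),
        "address": "REDACTED",                                # not needed for testing
        "date_of_birth": row["date_of_birth"][:4] + "-01-01",  # keep birth year only
        "ni_number": f"QQ{ni_digits:06d}A",                   # same shape, synthetic value
        "employer": "Employer " + _token(key, "employer", row["employer"], 6),
        "salary": str(round(int(row["salary"]), -3)),          # nearest 1,000 for statistics
        "sort_code": "00-00-00",                               # bank details never leave production
        "account_number": "00000000",
    }

def sanitise_rows(rows, key):
    """Sanitise a whole extract before it is copied to a test or training system."""
    return [sanitise_record(row, key) for row in rows]

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated and kept on the production side only
    for row in sanitise_rows(SAMPLE_ROWS, key):
        print(row)
```

The key has to stay off the test system, since anyone holding it can check guessed names or NI numbers against the pseudonyms.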
Too many organisations are making too many errors when it comes to properly securing the public’s personal information.