Manchester police pay off £150,000 fine for unencrypted USB key

Filed Under: Data loss, Law & order

The UK Information Commissioner's Office (ICO) in the UK recently fined the Greater Manchester Police £150,000 for a data breach.

To be fair, the cops took it on the chin. Yesterday, reports the ICO, they paid up. (In a sign of the ongoing commercialisation of the modern era, they even earned a discount for early payment, getting a handy 20% off.)

The problem boiled down to an unencrypted USB key stolen from an officers's home. It contained details about more than 1000 people with links to serious crime investigations.

The Director of Data Protection at the ICO had some chilling words to say:

This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.

Before you wag your finger at the Boys in Blue for this lapse, keep in mind that the Greater Manchester Police aren't unique in making this sort of blunder.

Last year, Sophos Australia spent $400 at a lost property auction in Sydney, coming home with 57 USB keys containing a total of 4400 files.

We found:

  • 66% of the keys had one or more malware infections.
  • Many of the keys contained personal and work-related files.
  • Not a single one of the 4400 files was encrypted.

So, how do you protect yourself from leaking data on USB keys which get lost or stolen?

Or on keys which are transferred between users, departments and even companies?

Or on keys that you are retiring from active service, perhaps because they're no longer fast, reliable or capacious enough?

One answer: only ever write encrypted data to your USB keys.

That makes them just so much meaningless garbage to anyone without the decryption key.

Encrypt everything and you never have to worry about the stuff you didn't encrypt!

, , , , , ,

You might like

12 Responses to Manchester police pay off £150,000 fine for unencrypted USB key

  1. kabigabor · 1045 days ago

    Wouldn't be benefit the Police more from training, and investing some encryption package instead of charging them for £150,000 pounds? :S This money would have been better spent for sure!

    • Paul Ducklin · 1045 days ago

      As the ICO's website points out, the fine goes into the Treasury, not to the Commissioner's Office.

      So letting the cops have the money back is presumably always a possibility, provided they agree to spend it on X or Y and achieve P or Q with it...

  2. abc · 1045 days ago

    Why did Zurich get a 30% discount for a much larger UK data loss and on a larger fine? Did they settle even quicker? (it took them a year to discover or an external body to discover)

    • Paul Ducklin · 1045 days ago

      Maybe they paid even earlier? Like in advance :-) (Only joking!)

      Zurich's fine was different - it was part of a Financial Services Authority investigation, not a penalty levied by the ICO. If I understand correctly, Zurich got the 30% discount by capitulating at an early stage in the investigation, not merely by paying promptly and not appealing.

      Different regulatory body, different sort of case, different regulations, different powers vested in the regulator...and therefore a different sort of "discount", I guess.

  3. abc · 1045 days ago

    Also in a list of recent fines it seems government bodies were largely the bodies that got fined, with a few amusing individuals. But knowing large corp's they are most likely worse! (too big to fail comes to mind) So therefore is there a hint that discoverability is easier in public bodies and due to this then being caught is a pretty slim chance. Does this send private companies a message that makes them more willing to see these duties to society and specifically people’s privacy just slide.

    • Soloduck · 1044 days ago

      Public Sector bodies in the UK are expected to report data loss - therefore almost all fines are because these bodies have "fessed up"... where as the same rules don't apply to the private sector. If your shares are going to lose value, you tend to keep quiet about such things.

      Now, when was the last time a GP Practice got fined?

  4. 123 · 1045 days ago

    I work in the Education sector and a lot of educational establishments seem to think prosecution will never happen to them and do flaunt data security. Trying to get encryption on laptops enforced, using encrypted email for sensitive documents, and the banning on USB devices is seen as being over the top ....

    I personally welcome these fines as with my experience (over 10 yrs in this sector) Colleges and Schools seem to think they can operate outside of the law, and will continue to do as they please. In industry you would lose your job, in the public sector its a 'don't do it again' slap on the wrist.

    The only thing that seems to make them scared is having to work longer to get their pensions !

  5. Andrew Symmons · 1045 days ago

    if the police do not understand security then surely we have a serious problem here in the UK it seems to me that people of athority simply try to bypass protocols that are there to protect themselves and the public. It should be standard practice of any organisation that handles data (especially sensitive data) the one thought what happens if I lose this? how can I protect this data?
    surely it would be wise that all departments have some kind of encryption technology on USB devices and nothing can be stored on the device without it being encrypted. when police officers lose these devices they should be held accountable at the police officers level and not the whole department. something is seriously wrong in the mental attitude of people in these positions.
    If the data on the device is sensitive why was it taken out of the building? Why has the officer concerned not been held responsible? come on boys in blue use your heads think before you do.

  6. Alex · 1045 days ago

    We use IronKeys at work - my boss nearly choked at the price of them but out of everything around at the time, they offered the best protection.

  7. BradT · 1045 days ago

    I doubt 1/4 the police in the US are even using encryption for USB, laptops, tablets, etc.... Very lax policies for govt agencies.

  8. Yitzchok Mickler · 1045 days ago

    Not one USB drive was encrypted?! I think that is because people who encrypt their files are careful not to lose their drives so you might never find encrypted files on a lost USB drive. My drive is encrypted and I haven't lost it. It's right here.

    • Paul Ducklin · 1045 days ago

      Not one _file_ on one USB drive was encrypted. (At least so far as I could tell. It's possible that some files I classified as "unknown type" were unrecognisable due to being scrambled into indistinguishability from random data. But it would have been a tiny minority - a minority approximated by thy number zero.)

      I accept the hypothesis that some, even most, of the people who are prepared enough to encrypt might also be conscientious enough not to lose their stuff (ironic, since their use of encryption makes it less risky to lose the device :-). But the facts remain: not one file on any lost key was encrypted, and USB keys are pretty easy to lose even for those who are very careful.

      (If you've ever been on a Sydney train in rush hour, especially getting on or off at one of the undergound stations in the city like Wynyard or Town Hall, you'll know how easily you and your property can be prised apart by force of circumstance.)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog