The UK Information Commissioner’s Office (ICO) recently fined the Greater Manchester Police £150,000 for a data breach.
To be fair, the cops took it on the chin. Yesterday, reports the ICO, they paid up. (In a sign of the ongoing commercialisation of the modern era, they even earned a discount for early payment, getting a handy 20% off.)
The problem boiled down to an unencrypted USB key stolen from an officer’s home. It contained details about more than 1000 people with links to serious crime investigations.
The Director of Data Protection at the ICO had some chilling words to say:
This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.
Before you wag your finger at the Boys in Blue for this lapse, keep in mind that the Greater Manchester Police aren’t unique in making this sort of blunder.
Last year, Sophos Australia spent $400 at a lost property auction in Sydney, coming home with 57 USB keys containing a total of 4400 files.
We found:
- 66% of the keys had one or more malware infections.
- Many of the keys contained personal and work-related files.
- Not a single one of the 4400 files was encrypted.
So, how do you protect yourself from leaking data on USB keys which get lost or stolen?
Or on keys which are transferred between users, departments and even companies?
Or on keys that you are retiring from active service, perhaps because they’re no longer fast, reliable or capacious enough?
One answer: only ever write encrypted data to your USB keys.
That makes them just so much meaningless garbage to anyone without the decryption key.
Encrypt everything and you never have to worry about the stuff you didn’t encrypt!
Wouldn't it benefit the Police more to invest in training and an encryption package, instead of charging them £150,000? :S This money would have been better spent for sure!
As the ICO's website points out, the fine goes into the Treasury, not to the Commissioner's Office.
So letting the cops have the money back is presumably always a possibility, provided they agree to spend it on X or Y and achieve P or Q with it…
Why did Zurich get a 30% discount for a much larger UK data loss and on a larger fine? Did they settle even quicker? (It took them a year to discover it, or an external body to discover it.)
Maybe they paid even earlier? Like in advance 🙂 (Only joking!)
Zurich's fine was different – it was part of a Financial Services Authority investigation, not a penalty levied by the ICO. If I understand correctly, Zurich got the 30% discount by capitulating at an early stage in the investigation, not merely by paying promptly and not appealing.
Different regulatory body, different sort of case, different regulations, different powers vested in the regulator…and therefore a different sort of "discount", I guess.
Also, in a list of recent fines it seems government bodies were largely the bodies that got fined, with a few amusing individuals. But knowing large corps, they are most likely worse! (Too big to fail comes to mind.) So is there a hint that discoverability is easier in public bodies, and that because of this the chance of being caught is pretty slim? Does this send private companies a message that makes them more willing to let these duties to society, and specifically to people’s privacy, just slide?
Public Sector bodies in the UK are expected to report data loss – therefore almost all fines are because these bodies have "fessed up"… whereas the same rules don't apply to the private sector. If your shares are going to lose value, you tend to keep quiet about such things.
Now, when was the last time a GP Practice got fined?
I work in the Education sector and a lot of educational establishments seem to think prosecution will never happen to them and do flout data security. Trying to get encryption on laptops enforced, using encrypted email for sensitive documents, and the banning of USB devices is seen as being over the top…
I personally welcome these fines, as in my experience (over 10 yrs in this sector) Colleges and Schools seem to think they can operate outside of the law, and will continue to do as they please. In industry you would lose your job; in the public sector it's a 'don't do it again' slap on the wrist.
The only thing that seems to make them scared is having to work longer to get their pensions !
If the police do not understand security then surely we have a serious problem here in the UK. It seems to me that people of authority simply try to bypass protocols that are there to protect themselves and the public. It should be standard practice of any organisation that handles data (especially sensitive data) to ask: what happens if I lose this? How can I protect this data?
Surely it would be wise that all departments have some kind of encryption technology on USB devices, so that nothing can be stored on the device without it being encrypted. When police officers lose these devices they should be held accountable at the police officer's level and not the whole department. Something is seriously wrong in the mental attitude of people in these positions.
If the data on the device is sensitive, why was it taken out of the building? Why has the officer concerned not been held responsible? Come on, boys in blue, use your heads: think before you do.
We use IronKeys at work – my boss nearly choked at the price of them but out of everything around at the time, they offered the best protection.
I doubt 1/4 of the police in the US are even using encryption for USB, laptops, tablets, etc. Very lax policies for govt agencies.
Not one USB drive was encrypted?! I think that is because people who encrypt their files are careful not to lose their drives so you might never find encrypted files on a lost USB drive. My drive is encrypted and I haven't lost it. It's right here.
Not one _file_ on one USB drive was encrypted. (At least so far as I could tell. It's possible that some files I classified as "unknown type" were unrecognisable due to being scrambled into indistinguishability from random data. But it would have been a tiny minority – a minority approximated by the number zero.)
I accept the hypothesis that some, even most, of the people who are prepared enough to encrypt might also be conscientious enough not to lose their stuff (ironic, since their use of encryption makes it less risky to lose the device :-). But the facts remain: not one file on any lost key was encrypted, and USB keys are pretty easy to lose even for those who are very careful.
(If you've ever been on a Sydney train in rush hour, especially getting on or off at one of the underground stations in the city like Wynyard or Town Hall, you'll know how easily you and your property can be prised apart by force of circumstance.)
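The article's advice is to write only encrypted data to USB keys, and the comment above describes classifying files on lost keys by whether they look like recognisable formats or like random data. The script below, an added example that is not part of the original post or of Sophos' own tooling, puts those two ideas together as a check a defender can run on a mounted key (or any directory) before it is handed on or retired: it flags files that start with a well-known format header or whose byte distribution has low entropy, i.e. files that are almost certainly not ciphertext. The header list, the 7.9 bits-per-byte threshold and the sample files are all constructed for this example; note that compressed data (zip, jpeg) also looks random, so a high-entropy file is only "encrypted-like", which is exactly the ambiguity the comment mentions.

```python
import hashlib
import math
import os
import sys
import tempfile
from collections import Counter

# Leading bytes of some common file formats. A file that starts with one of
# these is a recognisable document or container, not ciphertext.
# Constructed list for this example; extend it for the formats you care about.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xd0\xcf\x11\xe0": "ole2/office-binary",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "windows-executable",
}

# Assumed threshold: well-encrypted (or well-compressed) data sits very close
# to 8.0 bits per byte; text and most office documents sit far below it.
ENTROPY_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Return 'known:<format>', 'too-small', 'plaintext' or 'encrypted-like'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return f"known:{name}"
    if len(data) < 256:
        # Too few bytes for the entropy estimate to mean anything.
        return "too-small"
    return "encrypted-like" if shannon_entropy(data) >= threshold else "plaintext"


def audit_tree(root: str, threshold: float = ENTROPY_THRESHOLD, sample_bytes: int = 65536) -> dict:
    """Classify every regular file under root by its first sample_bytes bytes."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            findings[os.path.relpath(path, root)] = classify(head, threshold)
    return findings


def unencrypted_paths(findings: dict) -> list:
    """Files that should not be on a key under an encrypt-everything policy."""
    return sorted(p for p, v in findings.items() if v not in ("encrypted-like", "too-small"))


# Constructed samples so the audit can be exercised without a real USB key.
# The "ciphertext" is SHA-256 output, a statistically random-looking stand-in;
# it is not real encrypted data.
SAMPLE_PLAINTEXT = b"Witness statement 0042: suspect seen leaving premises at 23:10.\n" * 200
SAMPLE_CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))


def audit_samples() -> list:
    """Write the two samples into a scratch directory and return the flagged paths."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "notes.txt"), "wb") as fh:
            fh.write(SAMPLE_PLAINTEXT)
        with open(os.path.join(scratch, "case.enc"), "wb") as fh:
            fh.write(SAMPLE_CIPHERTEXT)
        return unencrypted_paths(audit_tree(scratch))


if __name__ == "__main__":
    # Usage: python usb_audit.py /media/usbkey
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in sorted(audit_tree(root).items()):
        print(f"{verdict:22s} {path}")
```

Run it against the mount point of a key before it leaves your hands; anything listed as `plaintext` or `known:...` contradicts an encrypt-everything policy. Treat `encrypted-like` as "not obviously plaintext" rather than proof of encryption, and keep the sample window modest so the scan stays fast on large keys.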