Manchester police pay off £150,000 fine for unencrypted USB key

The UK Information Commissioner’s Office (ICO) recently fined the Greater Manchester Police £150,000 for a data breach.

To be fair, the cops took it on the chin. Yesterday, reports the ICO, they paid up. (In a sign of the ongoing commercialisation of the modern era, they even earned a discount for early payment, getting a handy 20% off.)

The problem boiled down to an unencrypted USB key stolen from an officer’s home. It contained details about more than 1000 people with links to serious crime investigations.

The Director of Data Protection at the ICO had some chilling words to say:

“This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.”

Before you wag your finger at the Boys in Blue for this lapse, keep in mind that the Greater Manchester Police aren’t unique in making this sort of blunder.

Last year, Sophos Australia spent $400 at a lost property auction in Sydney, coming home with 57 USB keys containing a total of 4400 files.

We found:

  • 66% of the keys had one or more malware infections.
  • Many of the keys contained personal and work-related files.
  • Not a single one of the 4400 files was encrypted.

So, how do you protect yourself from leaking data on USB keys which get lost or stolen?

Or on keys which are transferred between users, departments and even companies?

Or on keys that you are retiring from active service, perhaps because they’re no longer fast, reliable or capacious enough?

One answer: only ever write encrypted data to your USB keys.

That makes them just so much meaningless garbage to anyone without the decryption key.

Encrypt everything and you never have to worry about the stuff you didn’t encrypt!
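
One way to check a key against that rule, as an added example rather than anything published by Sophos or the ICO: the script below walks a mounted key and reports every file that can be read without a decryption key. The 7.5 bits/byte threshold, the 64 KiB sample and the magic-byte list are assumptions chosen for illustration; high entropy is consistent with encryption but does not prove it, so the reliable output is the list of readable files.

```python
import math
import sys
from collections import Counter
from pathlib import Path

SAMPLE = 64 * 1024   # bytes read from the start of each file (assumed value)
THRESHOLD = 7.5      # bits/byte; ciphertext sits close to 8.0 (assumed value)
# Compressed formats also score high, so recognise them by their magic bytes.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF")


def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'plaintext' for readable content, 'opaque' for random-looking data."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE)
    if head.startswith(KNOWN_MAGIC):
        return "plaintext"  # a readable format, however random its body looks
    # Very short files cannot reach the threshold and are reported as
    # plaintext, which errs on the side of a manual look.
    return "opaque" if entropy(head) >= THRESHOLD else "plaintext"


def audit(root) -> dict:
    """Map each regular file under root (relative path) to its class."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[str(p.relative_to(root))] = classify(p)
    return result


if __name__ == "__main__":
    # Usage: python audit_key.py /path/to/mounted/key
    report = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, cls in report.items():
        print(f"{cls:9} {name}")
    leaks = sum(cls == "plaintext" for cls in report.values())
    print(f"{leaks} of {len(report)} files readable without a key")
    sys.exit(1 if leaks else 0)
```

A key that holds only an encrypted container or individually encrypted files should report zero readable files; anything listed as plaintext is what a finder or burglar would see.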