Leak of kids' social services info earns Aberdeen City Council £100k fine

Filed Under: Data loss, Featured, Law & order

Aberdeen City Council has been hit with a £100,000 fine (about $150k) by the Information Commissioner's Office (ICO), after an employee took sensitive files home and accidentally uploaded them to a public website.

The data, which included information on vulnerable children and details of alleged crimes, was on display for three months before it was spotted and taken down.

The incident started in November 2011, when an unnamed female council worker worked on council files on her own second-hand computer at home. These files apparently included minutes of meetings and detailed reports relating to the care of children.

The investigation did not establish whether the documents reached the laptop via remote access to council email or on a USB stick. At some point after they were copied to the My Documents folder, the files were posted online by an unspecified piece of software, thought to have been installed by a previous owner of the machine and either started automatically or activated by accident by the employee, who seems not to have known it was there.

Once online they were not noticed until February 2012 when another council employee stumbled across them when doing a search for their own name, and they were promptly removed from the website. The exact location the four files were posted to is also unspecified in the ICO report.

The ICO found huge gaps in the council's policies regarding home working, which seem to have focused entirely on health and safety with no regard for the security of sensitive data, and even those policies which had been drafted were not being enforced:

In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed.

The Data Protection Act, found to have been breached in this case, allows for fines of up to £500,000 for the most serious data breaches.

This case highlights a wealth of common problems with working from home and BYOD (Bring Your Own Device) practices. Any business or institution dealing with sensitive data - which is just about anyone really - needs to think carefully about how that data is secured when it's being accessed remotely by staff, just as much as when handing it over to third parties.

Strict and comprehensive policies need to be put in place, clearly communicated to staff, and strongly enforced with both technical and procedural controls.

The rules need to cover what data can be accessed, from where and by whom, how data is accessed, transferred and handled, and what systems can be used to work on data.

The BYOD issue usually focuses on smartphones and tablets being brought into work, but personal laptops remain the default tool for home working. Imposing the same level of application control, anti-malware and other security features on them is far more difficult than on systems built and monitored by dedicated IT staff.

So staff training is also vital. From the sound of this case, where the employee in question appears to have been unaware of what was running on her pre-owned laptop, IT skills were not considered an important part of her job. But people need to know what the tools they are using are capable of before they trust them with information whose leakage could be incredibly damaging.

Since the Aberdeen incident, auditing and assessment by the ICO earlier this year has noted some improvements, although there is still some way to go to achieve a satisfactory level of security.

Hopefully this good-sized fine will be an eye-opener to anyone dealing with personal information, particularly local government where data sensitivity is high but IT infrastructure tends to be disparate and creaky and skills are often minimal.

They need to wake up to the dangers of home-working and BYOD, and make sure they do all they can to minimise the risk.

2 Responses to Leak of kids' social services info earns Aberdeen City Council £100k fine

  1. Vito · 767 days ago

    Hmmm…it seems unlikely that the Aberdeen City Council members will be paying the “good-sized fine” out of their own pockets, which means that the burden will be passed to the Aberdeen taxpayers. Terrific. I suppose there'll be new city ordinances about data security, and maybe even a few heads will roll. But the taxpayers will foot the bill nonetheless.

    Eventually, the public outrage will subside (assuming there is any in the first place), and the same tax-subsidized city council system that bred such incompetence will breed more of it at a different level. Meanwhile, the nature of the "city council" as a supposedly indispensable, entrenched monopoly will remain unquestioned.

    If the city council were not a monopoly — meaning, if they had some competition for the "services" they provide — and actually had to earn a profit by providing those services to willing customers who could go elsewhere if they were unhappy, things would TRULY change...almost overnight. It wouldn't eliminate every conceivable security problem, but it sure would provide a powerful continuing impetus toward greater competence in all aspects of government.

  2. simplEtraining · 766 days ago

    Security requires a holistic approach - there's no two ways about it.

    There's a need to combine good and consistent policy management with policy enforcement points, patched software and IT security training for all users as well as role specific training for those that have more privileges and therefore can do more damage.

    It seems that most organisations are very focussed on the firewalls but often overlook the human element; however, SANS and many others advocate the importance of IT security awareness.

    The strange thing is that we provide Security Awareness Training, and we appreciate that it takes more than what we provide, but it seems that everyone else gets so focussed on what they do that they forget the other parts of the puzzle. We provide an approach to covering the topics holistically.

    It's a bit like taking so much care to shut your windows, you then walk out and leave the front door open!

    Unless you train the users, this is going to happen over and over!

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.