Data Loss: HSBC Fine

HSBC has been fined a colossal £3 million by the FSA in relation to data loss. The fine is interesting as it dwarfs previous fines and has been imposed by the FSA rather than the ICO.

The incident relates to the loss of data in 2007 and early 2008. Those feeling sorry (if at all possible) for HSBC should consider that these data losses were not isolated, and there have been several other HSBC data losses, including:

From the information available it appears that HSBC had a very relaxed policy towards client data, moving unencrypted data around in unrecorded post. The true amount of data theft from HSBC will never be known, as their data security appears so lax that details could have been stolen without anyone knowing.

Data Loss: NorthgateArinso Followup

Following the loss of 109,000 records in March 2009, NorthgateArinso, an HR company, has now joined CIFAS, a fraud prevention service.

CIFAS, while offering a useful service in tracking fraud, does not prevent the data being used, or being stolen again in the future.

The company needs to use encryption, at a minimum, or employ a data loss prevention service/software.

The fact that NorthgateArinso have repeated that the laptop was “password protected” is a concern, as it implies that a password-protected laptop may offer some protection against data theft.

Data Loss: 109,000 Pension Details

In an unusual and rare event for the UK, data has been lost!

A laptop has been stolen, containing details of 109,000 members of six different pension schemes. The data was stolen from NorthgateArinso “Deliver HR Excellence” in Marlow, Buckinghamshire, last month, on 23rd March 2009.

The event has just come to light and the laptop was not, of course, encrypted. All the usual details were lost in the theft of the laptop: names, addresses, dates of birth, NI numbers, salary details… etc, etc.

Encryption… just use TrueCrypt; it's free and easy.

Data Theft: RAF

It has just been reported that the RAF data theft in September 2008 was far worse than originally reported and includes details of drug use, debts and affairs of RAF officers, which is not just embarrassing but could also be used to blackmail people.

To compound the problem this part of the data loss has only just been admitted.

According to an “unnamed” Wing Commander who contacted the BBC, the data theft not only included the usual information that we expect the government to lose (names, addresses, and bank details), but also “details of criminal convictions, investigations, precise details of debt, medical conditions, drug abuse, use of prostitutes, extra-marital affairs including the names of third parties”.

This information would be there as it was part of the vetting procedure for those who work in classified areas. During the vetting procedure, questions are asked about an individual’s personal life so that detailed background checks can be made. The answers to those questions were stored in 500 files, and it is these 500 files which were included in the theft of the USB drives.

Such detailed information would be of excellent use to those who wish to threaten and/or blackmail RAF officers. The RAF did not inform parliament or the ICO that such a data loss/data theft had occurred, nor possibly the police, though this is not clear at this point.

In its typically bland statement the MoD stated that “All individuals identified as being at risk received personal one-on-one interviews to alert them to the loss of the data, to discuss potential threats and to provide them with advice on mitigating action,” and that “There is no evidence to suggest that the information held on the hard drive… has been targeted by criminal or hostile elements.”

While the statement does not reveal much, it does tell us that the data was not encrypted, and that the RAF does not think a targeted theft of USB drives is criminal activity.

Again, the question has to be asked: if secret information about those who handle top secret information, from AWACS communications to battle plans for wars, is not encrypted and protected, what do they encrypt?

This is not the first time the MoD has lost data, nor the first time it has failed to use encryption.

Data Loss: MI6

In 2006 MI6 lost data containing lists of informers and agents relating to the drugs trade.

The loss occurred in 2006, in Colombia, when agent “T” lost a USB drive while on a bus. As a result of the loss, agents and informers had to be moved to new homes and start new lives.

As has often been stated on this site, data loss happens, and loss of media will almost certainly always happen, but its effects can be reduced or stopped. Using encryption, for example, stops the loss being damaging. If encryption cannot be used by MI6, the home of James Bond and Q, then who in the government can we expect to use it?

The incident itself is certainly not surprising, after all the cases of data loss by the government last year. It just shows, once again, why data, and particularly personal information, cannot be trusted to the government: they will misuse it (deliberately) or lose it (accidentally), but the effect will be the same for the end victim, with the wrong people getting hold of their data.

