Data Loss: HSBC Fine

HSBC has been fined a colossal £3 million by the FSA in relation to data loss. The fine is interesting as it dwarfs previous fines and has been imposed by the FSA rather than the ICO.

The incident relates to the loss of data in 2007 and early 2008. Those feeling sorry (if at all possible) for HSBC should consider that these data losses were not isolated, and there have been several other HSBC data losses, including:

From the information available it appears that HSBC had a very relaxed policy towards client data, moving unencrypted data around in unrecorded post. The true amount of data theft from HSBC will never be known, as their data security appears so lax that details could have been stolen without anyone knowing.


Data Loss: NorthgateArinso Followup

Following the loss in March 2009 of 109,000 records, NorthgateArinso, an HR company, has now joined CIFAS, a fraud prevention service.

CIFAS, while offering a useful service in tracking fraud, does not prevent the data being used, or being stolen again in the future.

The company needs to use encryption, at a minimum, or employ a data loss prevention service/software.

The fact that NorthgateArinso have repeated that the laptop was “password protected” is a concern, as it implies that a password protected laptop may offer some protection against data theft.

Data Loss: 109,000 Pension Details

In an unusual and rare event for the UK, data has been lost!

A laptop has been stolen, containing details of 109,000 members of six different pension schemes. The data was stolen from NorthgateArinso “Deliver HR Excellence” in Marlow, Buckinghamshire, last month, on 23rd March 2009.

The event has just come to light and the laptop was not, of course, encrypted. All the usual details were lost in the theft of the laptop: names, addresses, dates of birth, NI numbers, salary details… etc, etc.

Encryption… just use TrueCrypt, it's free and easy.

Data Theft: RAF

It has just been reported that the RAF data theft in September 2008 was far worse than originally reported and includes details of drug use, debts and affairs of RAF officers, which is not just embarrassing but could also be used to blackmail people.

To compound the problem this part of the data loss has only just been admitted.

According to an “unnamed” Wing Commander who contacted the BBC, the data theft not only includes the usual information that we expect the government to lose (names, addresses, and bank details), but also “details of criminal convictions, investigations, precise details of debt, medical conditions, drug abuse, use of prostitutes, extra-marital affairs including the names of third parties”.

This information would be there as it was part of the vetting procedure for those who work in classified areas. During the vetting procedures questions are asked about an individual’s personal life, so that detailed background checks can be made. The answers to those questions were stored on 500 files, and it is these 500 files which were included in the theft of the USB drives.

Such detailed information would be of excellent use to those who wish to threaten and/or blackmail RAF officers. The RAF did not inform parliament, or the ICO, that such a data loss/data theft had occurred, nor possibly the police, though this is not clear at this point.

In a typically bland statement the MoD said: “All individuals identified as being at risk received personal one-on-one interviews to alert them to the loss of the data, to discuss potential threats and to provide them with advice on mitigating action.” It continued: “There is no evidence to suggest that the information held on the hard drive… has been targeted by criminal or hostile elements.”

While the statement does not reveal much it does tell us that the data was not encrypted, and that the RAF does not think a targeted theft of USB drives is criminal activity.

Again, the question has to be asked: If secret information about those who handle top secret information, from AWACS communications to battle plans for wars, is not encrypted and protected, what do they encrypt?

This is not the first time the MoD has lost data, nor the first time it has failed to use encryption.

Data Loss: MI6

In 2006 MI6 lost data containing lists of informers and agents relating to the drugs trade.

The loss occurred in 2006, in Colombia, when agent “T” lost a USB drive while on a bus. As a result of the loss, agents and informers had to be moved to new homes and start new lives.

As has often been stated on this site, data loss happens, and loss of media will almost certainly always happen, but its effects can be reduced or stopped. Using encryption, for example, stops the loss being damaging. If encryption cannot be used by MI6, the home of James Bond and Q, then who in the government can we expect to use it?

The incident itself is certainly not surprising, after all the cases of data loss by the government last year. It just shows, once again, why data, and particularly personal information, cannot be trusted to the government, because they will misuse it (deliberately) or lose it (accidentally), but the effect will be the same for the end victim: the wrong people getting hold of their data.

Data Loss: Bob Quick Follow Up

Following on from the story of Bob Quick accidentally revealing information, it seems that the “immediate” and very “real” threat of terrorists was not quite as immediate, or real, as originally stated.

The raids, some of which did not even require firearms officers, produced the square root of nothing (not the first time crazed terrorists have been found to be regular people), with all those arrested being released without charge.

So, the net result is that a well regarded, long serving officer, was forced to resign following the inadvertent exposure of largely irrelevant material relating to a totally irrelevant operation.

Data Loss: Police – Bob Quick

Headlines around the UK have been showing the now infamous picture of Bob Quick carrying the documents relating to an anti-terror police operation into Downing Street. The information, it is reported, forced a large scale police operation (200+ staff) ahead of schedule. For this error in judgment Mr Quick has been criticized and forced out of his position, resigning just 24 hours after the incident.

But how bad was his lapse in judgment? Is he a disgrace who needs to be kicked out of his job?


The pictures were taken on Downing Street as Bob Quick came to Number 10 for a meeting. Downing Street is the most secure street in the country; if it's not, there is something very wrong.

The entrance to Downing Street consists of a large security gate and a vertical road block that could, quite literally, stop a tank. This gets lowered into the road if a car is allowed to pass. In addition to this, the entrance and the street itself have numerous armed police officers, carrying semi and fully automatic weapons. It would be reasonable to feel secure in this scenario.

Capturing the image:

The press managed to read the information on display using telephoto lenses and probably image enhancement techniques, i.e. the same technology a spy or a special forces reconnaissance unit would use.

Data Loss

Several papers have published the pictures of what the document states, with the key information blacked out. It appears that the information given away was:

  • The “gold” commanders for each area
  • The “SIO” for each area.

A gold commander is almost always the Chief Constable, and this is a strategic, rather than a tactical role. This role is a very public role, and the person involved could be expected to appear on TV with the title “Gold Commander of Operation X” under his name.

The SIO, or Senior Investigating Officer, will normally be the head of CID for the area, or possibly the head of special branch for the region. This will also be public information, normally, or very easy to find out.

In fact a quick Google search for “Gold Commander” brings back a Wiki page on the very subject, as the first hit.

In short the only information given away is the fact that a police operation was occurring in the North, North West, or North East of England, against those of Pakistani origin. That geographic area would probably include 70% of all Pakistani terrorists in the UK, who must know that at any time they may be under the gaze of a police operation of some sort. (Note 70% is a wildly made up figure, but the true number will be a high number due to the geography, social demographic and previous events in the area.)


At one of the houses the police were due to raid, they were not even going to carry firearms; were the terrorists armed with strong sarcasm and a disdain for authority?

Time Scale

The police have alleged they stopped a “major” terrorist plot that could have occurred as “early as this weekend”. Therefore, by definition, the police raids must have been planned to occur, at the latest, this weekend. This means that the police have acted a couple of hours early.


The government has the ability to stop the press publishing information, and has done so on numerous occasions, often without merit. If this was an issue of national security, surely this would have been an opportunity to use this power?

Previous Examples

Losing information is not a new thing. The government loses data all of the time, and last year a civil servant left an entire dossier on the train; other MPs have allowed similar photographs to occur. Despite this huge history of events no minister or senior civil servant has resigned or been sacked over these incidents.


A police officer, in the most secure street in the country, allowed press with high-powered lenses to find out that a police operation was going to occur, somewhere in England. An operation in which some of the terrorist suspects were not perceived as a serious enough threat for the police to bother carrying firearms. The government could have used a D-Notice, but didn’t. In other information loss/leak cases which were similar in nature, but far worse in scale, nobody of any importance has been sacked or forced to resign.

Mr Quick however, was out of his job faster than you can say “double standards”.