01403 336200 or 07768 714445

On-Site Certified Computer and Mobile Device Data Erasure


Data Protection.

The Information Commissioner's Office (ICO)

The ICO has had the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, and serious breaches of the Privacy and Electronic Communications Regulations.

Data Protection Penalties

66 enforcement notices issued by the ICO for DPA infringements between January 2013 and October 2014.

£2.17M in monetary penalties issued during this period.

Loss of business, brand damage & fines up to £500K can result from a breach of the DPA.

And there's more to come - fines of up to 100 000 000 EUR or, in the case of an enterprise, up to 5% of annual worldwide turnover, whichever is greater, are being proposed in the new EU General Data Protection Regulations (GDPR).

Survey: 40% of hard drives bought on eBay hold personal or corporate data

A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive information -- everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.

Kessler International conducted the study over a six-month period, buying up disk drives ranging in size from 40GB to 300GB from the United States and Canada. The firm, which completed its research about two weeks ago, bought a total of 100 relatively modern drives, the vast majority of them Serial ATA.

"With size of the sample, I guess we were surprised with the percentage of disks that we found data on," said Michael Kessler, CEO of Kessler International. "We expected most of the drives to be wiped -- to find one or two disks with data. But 40 drives out of 100 is a lot." Kessler believes the drives were likely from computers sold to third-party resellers that disassembled them and sold off the parts.

In recent years, hard drives have shown up on eBay that contain all kinds of sensitive data. In April 2006, Idaho Power Co. learned that drives it thought had been recycled had actually been sold on eBay with the data still intact. The Boise, Idaho-based utility had used the drives in servers; when bought on eBay, the drives still contained proprietary corporate information such as memos, customer correspondence and confidential employee information.

See the original report here - Computerworld

National Health Service Continuing to Repeat Data Breaches

The National Health Service (NHS) has encountered close to 2,500 breaches of confidentiality each year.
An investigation by a privacy campaign group discovered cases of private data being stolen, accidentally sent by post or fax, as well as inappropriate posting on social media.
In total, there were 7,255 recorded incidents between April 2011 and April 2014.
The organisation said the mistakes were “unacceptable”.
The privacy campaign group Big Brother Watch asked NHS trusts for any breaches of personal data. It found: 50 cases of data being posted on social media; 103 cases of data being lost or stolen; 251 cases of data being inappropriately shared with a third party; and 236 cases of data being shared by email, letter or fax.
As a result, there were 61 resignations according to the data supplied by the NHS Trusts.

In July 2013, it emerged that NHS Surrey was fined £200,000 by data regulators over the loss of sensitive information of more than 3,000 patients.
Thousands of children’s patient records were found on a second-hand NHS computer that was auctioned on eBay.
Regulators said NHS Surrey failed to check that a data destruction company had properly disposed of the records.
Three further computers that had been sold on eBay contained sensitive data. “NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted,” ICO head of enforcement Stephen Eckersley said in a statement.

Brighton hospital fined record £325,000 over data theft - June 2012

A hospital trust has been fined £325,000 after computer hard drives containing confidential information on thousands of patients were stolen.

The Information Commissioner's Office (ICO) said the fine, for Brighton and Sussex University Hospitals NHS Trust, was the highest it had ever imposed. Personal data belonging to patients and staff was taken from Brighton General Hospital in September 2010. The trust said it could not afford to pay the fine and would appeal.

Highly sensitive personal data belonging to tens of thousands of people, including some relating to HIV and Genito Urinary Medicine patients, was discovered on hard drives sold on eBay in October and November 2010.

The ICO said the data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports.

It also included staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual working for the trust's IT service provider, Sussex Health Informatics Service (HIS), was told to destroy approximately 1,000 hard drives at Brighton General Hospital.

A data recovery company bought four hard drives from a seller on eBay, who had purchased them from the individual.

The ICO said the trust was unable to explain how the individual removed at least 252 of the hard drives that were supposed to be destroyed from the hospital. The worker was not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff working for HIS.

The ICO's deputy commissioner David Smith said the fine reflected the gravity and scale of the data breach. "It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," he said. The trust's chief executive, Duncan Selbie, said no sensitive data had entered the public domain.

"We dispute the Information Commissioner's findings, especially that we were reckless, and a requirement for any fine," he said. "We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.

"It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine."

See the original article on the BBC website

 

Research Shows Android ‘factory resets’ are not enough to permanently delete data

Smartphone and tablet owners have been warned that performing a factory reset is not enough to permanently remove data from Android devices.

Investigations into Android’s software have found that it is possible to retrieve potentially sensitive information that was previously thought to have been wiped. This hardware flaw has left users of Tesco’s Hudl tablet particularly vulnerable.

There is a known bug in the Rockchip processor which allows sensitive information including bank details, PIN codes, Wi-Fi keys, and browser cookies to be extracted.

Ken Munro of Pen Test Partners performed the investigations on ten (10) tablets he bought second-hand on eBay. Munro was able to retrieve data that had supposedly been deleted during factory resets.

He explained that a ‘factory reset’ often only deletes the index of files present in the device’s memory. Munro recovered the data using software that was available online for free.

This issue is not exclusive to Android users. Computer forensics expert Jonathan Zdziarski has completed research that found deleted information on Apple products is also vulnerable to data recovery.

Zdziarski’s work has since been independently verified by the security firm Stroz Friedberg.

A spokesman for Tesco stated: ‘Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program.’