Missing USB drive, found in pub, contained unencrypted data

The ICO says two housing groups must improve data security after a contractor’s missing USB drive, containing unencrypted data, was found in a pub.

Two London housing groups have been forced to issue public undertakings to improve their security after a USB stick containing thousands of their tenants’ details was found in a pub.

The Information Commissioner's Office (ICO) was alerted to the missing USB drive, which contained unencrypted data, after it was found by a member of the public and handed in to the police.

According to the ICO, the device belonged to a contractor who was employed by both the Wandle Housing Association and Lewisham Homes. The worker had copied details of over 25,000 Lewisham and Wandle tenants. Nearly 800 of the records belonging to Lewisham Homes also contained tenants’ bank account details.

Neither of the housing groups has been fined, but both Wandle and Lewisham have signed undertakings with the ICO to make specific improvements to the way they implement and enforce security policy.

In the case of Lewisham, Chief Executive Andrew Potter admitted the contractor had copied the data to his device due to problems encountered backing up work on the data controller’s network. He also admitted there had been no effective measures in place to prevent the use of personal or unencrypted USB devices on the data controller’s systems, and there was no provision for training contract workers in the data controller’s policies on data protection.

In its agreement with the ICO following the incident, Lewisham will ensure all portable devices handling personal data are encrypted, and everyone dealing with sensitive data – including temporary staff – will receive relevant policy awareness training and will be monitored on a regular basis.

In her undertaking, Sara Thakkar, chief executive of Wandle Housing, said the same contractor had copied the data to his device to work on a laptop computer at home, having experienced problems with his remote connection to the data controller’s network. She admitted the contractor had not been trained in the data controller’s policies and procedures relating to data protection or IT security. As with Lewisham, Wandle will now enforce encryption and ensure staff are made aware of security procedures.

In a written statement, Sally-Anne Poole, acting head of enforcement at the ICO, said: “Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.”

Experts from the security industry were quick to criticise the housing groups. “This highlights the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data,” said Edy Almer, vice president of product management for Israel-based endpoint security company Safend.

And Mark Fullbrook, UK director of privileged identity management company Cyber-Ark, said: “Data will always need to move beyond the four walls of an organisation. That’s not going to change. So firms need to rethink their existing practices and ensure the same high level of security used within the organisation is used to defend its information in the outside world.”

This is not the UK’s first example of a pub-related data breach. In 2008, a memory stick belonging to an employee of consultancy Atos Origin was found in a pub’s car park. The device contained usernames and passwords for an £18 million government computer system.