ICO reveals 356 breaches last year

ICO reveals 356 breaches last year

Despite the availability of free, open source encryption packages like TrueCrypt data continues to be lost or stolen.

Figures gathered from the Information Commissioner's Office have underlined the extent of data breaches in the UK, showing that over 350 individual incidents of data loss have been reported in the last year.

The information, gathered as part of a Freedom of Information request by software company Software AG revealed that the ICO has handled reports of 356 unique incidents of companies and government departments losing personally identifiable information about their customers - more than double the number reported in the preceding twelve months.

By far the most common reason for data going walkabout was the loss of portable computing devices: according to the report, 127 portable devices - including laptops - were reported to the ICO as having been stolen with personally identifiable information on their hard drives.

Portable media doesn't fare much better, with 71 cases of CDs, DVDs, and solid-state devices having been carelessly lost with copies of business-critical client databases stored thereon. A further 24 cases report that the data was lost as a result of an error by a courier company.

Perhaps the most worrying figure is that of the 356 incidents, 78 were categorised as "data disclosed in error" - i.e. media being sent to the wrong address or e-mails being incorrectly addressed. While having something stolen is perhaps excusable - although the lack of encryption in use on such devices isn't - simple human error in this way is harder to forgive.

While high-profile attacks on company websites steal the headlines, victims of identity theft remain more likely to have their details snagged by an opportunistic thief as the result of a lost or stolen laptop or memory stick than as the result of a website crack. Despite this, encryption on such devices - even free, open source solutions - remains the exception rather than the rule.

Do you believe that the figures obtained by Software AG show a worrying disregard for the privacy and safety of customers, or is this sort of security breach simply to be expected? Share your thoughts over in the forums.


Discuss in the forums Reply
djellison 27th October 2009, 18:09 Quote
I've recently done a review of what the DPA means for our company (medical education). It's a damn nightmare. There are not specific rules - just 'guidelines'. It's so damn fluffy and non specific. Furthermore, a problem I've come across a lot is the data you have to look after is often incorrect through no fault of your own. Customers (or in my specific case doctors and patients) often fill out forms incorrectly, or fill them out so badly you can't read them.

I maintain one very simple rule for all data protection rules. What do we have to do, to make sure we never appear on the front page of the Daily Mail. Can't go wrong with that.
RichCreedy 27th October 2009, 21:47 Quote
i dont think personal data should be stored on portable devices, especially as remote access is possible via virtual private networks.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.

Discuss in the forums