Data breaches in the UK

Ensuring the security of data is essential to assuring the integrity and longevity of any organisation and protecting the interest of the public at large.

The Data Protection Act 1998 was introduced to protect individual’s fundamental rights and freedoms, and in particular their right to privacy with the respect to the processing of their personal data. It states that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Despite the Act information security incidents continue to make headline news and not everyone gets it right. So where are organisations going wrong?

Let’s take a look at some of the biggest UK data protection breaches over the last few years…

November 2007 – HM Revenue and Customs

In November of 2007 HM Revenue and Customs lost 25,000,000 records of individuals in the UK. This was as a result of two CDs containing the details of families that claimed child benefits going missing in the post. It was said that the handling of this precious data by HMRC was “woefully inadequate” and staff were actually described as “muddling through” in a report by the Independent Police Complaints Commission in June 2008.

November 2007 – Foreign and Commonwealth Office

Also in November 2007, the Foreign and Commonwealth Office in London leaked the details of 50,000 visa applicants which were subsequently made accessible on the FCO website. With a massive breach of the Data Protection Act, a tip-off alerted the Commissioner’s Office to this personal data about people applying for entry visas to the UK.

November 2007 – City and Hackney Teaching Primary Care Trust

Again during the month of November 2007 160,000 heavily encrypted disks containing children’s details were lost by postal couriers. This particular incident prompted the implementation of hard drive and USB memory stick encryption systems across all PCs within the Trust.

January 2008 – Royal Navy

In January of 2008, the laptop of a Royal Navy officer was stolen from a car in Edgbaston with the details of 600,000 Navy applicants stored on it –  as well as others who were interested in joining the Navy, Marines and Air Force.

August 2008 – Colchester Hospital University NHS Foundation Trust

In Summer of 2008, the laptop of a manager was stolen from his car whilst he was on holiday in Edinburgh. The laptop wasn’t encrypted and held details of individuals’ treatments, as well as their personal information such as addresses.

August 2008 – Home Office

Also in August of 2008, 84,000 records of high risk, prolific offenders were lost by the Home Office on an unencrypted memory stick.

October 2008 – Ministry of Defence

In October 2008, a hard drive which was being held by one of the Ministry of Defence’s contractors was found to be missing – losing 1,700,000 records of armed forces personnel.

2012 – Greater Manchester Police

In 2012, a USB stick that was not encrypted was stolen in a burglary from a police officer’s house. The USB stick held vital information about witnesses that had links to serious criminal investigations. After this happened Greater Manchester Police were forced to pay a penalty of £120,000.

2013 – Serious Fraud Office

In 2013, the Serious Fraud Office breached the Data Protection Act by losing multiple documents that were relating to the investigation of BAE Systems. All of the data that was lost amounted to 32,000 records of text, 81 audio tapes, among other forms of media.

If you are looking to safeguard your business against the loss of data or any other information, please visit our website to find out how implementing an information security management system such as ISO 27001 can help.