Another week, another few million records lost

Even by the standards of the UK infosecurity industry, it’s been a bad few days.

Last week, PA Consulting mislaid a USB thumb drive with the personal details of 84,000 prisoners as well as a further 43,000 serious ex-offenders. The thumb drive was unprotected, even though the Home Office, which supplied the data to PA for analysis purposes, had originally encrypted the information.

Then it emerged this week that a network storage drive containing bank and credit card account information, security details and even signatures belonging to around one million people has turned up on eBay.

Incredibly, an IT manager bought the system -- which had originally belonged to a company called Graphic Data -- for just £35. The firm, which specialises in processing digital copies of financial paperwork, has since admitted that a second machine has gone missing.

In a statement Graphic Data said the machine was sold by a former employee without its permission. The data breach came to light when IT manager Andrew Chapman contacted the Daily Mail. Mr Chapman told the paper that the hard drives in the system had not been erased, and contained thousands of credit card applications, requests for balance transfers and even scans of application forms with customers’ signatures.

Cheap hardware, expensive data loss

According to Dr Guy Bunker, chief scientist at security vendor Symantec, the breach at Graphic Data values personal information at just one 268th of a penny per record. But he added that this latest case shows how it is all too easy for sensitive information to fall into the wrong hands, especially when equipment is disposed of at the end of its working life.

"Disposal of equipment is now governed by the [EU’s] WEEE directive," he said. "But disposal of the data on the equipment isn't. Companies must put in place proper data disposal policies and procedures to prevent this type of error happening."

Banks and other organisations often go to extreme lengths to protect commercially-sensitive files, even going as far as drilling holes through hard drives to render them useless. Companies such as IBM and Seagate Recovery Services have plants that undertake secure equipment destruction; some clients even go as far as transporting obsolete hardware to such sites in armoured vans.

But even lower-grade, software security measures such as over-writing data multiple times, and deleting metadata records, can help. However, no such measures appear to have been followed in this case. “You do need a process, and you need to make sure is part of your standard hardware disposal procedure and information protection policy,” warns Bunker. Meanwhile, Graphic Data has said it is taking steps to recover its NAS drive.

The situation around last week’s loss of Home Office prison data is, if anything, even more complex. According to the Home Office, its data was originally encrypted, but somehow was kept in the clear by its external contractor.

It is understood that this was in breach of Home Office rules; Government data handling practices are supposed to have been tightened significantly following the loss of Child Benefit records on an unencrypted disk last November.

Email to a friend

Print this page