Two London housing bodies, Lewisham Homes and Wandle Housing Association, admitted to breaching the UK’s Data Protection Act when a USB memory stick with tenant information turned up at a police station. The problem? Lack of disk encryption software like AlertBoot, certainly, but also a lack of data controls.
According to databreaches.net, the memory stick belonged to a contractor who did work for both organizations. The information was copied from both housing bodies’ networks: 20,000 tenant records were downloaded from Lewisham Homes and 6,200 from Wandle Housing Association. 800 of the Lewisham Homes records also included tenants’ bank account information.
According to other sources, such as theregister.co.uk and scmagazine.co.uk, the USB drive was lost, and found, at a pub. The contractor worked as a database administrator and has since been dismissed, according to newsshopper.co.uk.
According to the Undertakings that both organizations signed with the Information Commissioner, the data was copied for two different reasons. For Wandle:
[The contractor] had copied the data to this device to work on a laptop computer at home, as he had experienced problems with his remote connection to the data controller’s network. In addition, the Commissioner was told that there was no evidence that this contractor had ever been trained in the data controller’s policies and procedures relating to data protection or IT security.
For Lewisham Homes:
[The contractor] had copied the data to this device due to problems encountered backing up work on the data controller’s network. In addition, the Commissioner was told that there was no effective measure in place to prevent the use of personal or unencrypted USB devices on the data controller’s systems, and there was no provision for training contract workers in the data controller’s policies on data protection.
I can see how Lewisham and Wandle, as the data controllers, are ultimately responsible for the data breaches. What I cannot understand is why these two alone are taking the blame. In this day and age, you’re telling me that a bona fide database administrator has no idea about data privacy and breach laws?
Excuses Understandable, Lack of Encryption Not
The contractor copied the data for two reasons, both of them perfectly understandable. In one case, the remote connection (and I’m hoping that he was VPNing in) wasn’t working; in the other, he was having problems backing up to the correct location on the network.
Such problems occur often enough that I’m willing to accept the argument that the information was copied to the USB flash drive for those reasons, as opposed to something more nefarious (after all, well over 10% of breaches are attributed to “internal attacks”). But if so, why wasn’t this guy’s USB drive encrypted?
Even if he was unaware of the laws surrounding data security and privacy, as a database admin he should have known about the importance of data security from a technical standpoint. Why his USB stick wasn’t protected with encryption software is incomprehensible. One caveat: encryption on the stick would have turned the loss into a non-event, but it would not have addressed the other failure the Undertakings name, the absence of any control stopping bulk copies of tenant data onto personal or unencrypted removable media in the first place. Both controls are needed; the second is what keeps the first from depending on one contractor’s judgement.
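The following is an added example, not code from the original post or from AlertBoot, showing the two controls the Undertakings describe as missing on a Windows estate: a policy that denies writes to removable drives unless they are BitLocker-protected, and an audit of currently mounted removable volumes. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated session, and that local registry policy is acceptable where Group Policy is not in use; the function name Get-UnprotectedRemovableDrives is my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): enforce and audit the control the
# Undertakings said was missing, i.e. unencrypted USB devices in use on the network.
# Assumes Windows 8 / Server 2012+ with the BitLocker module and an elevated shell.

# 1. Policy: deny write access to removable drives that are not BitLocker-protected.
#    This is the registry-backed form of the Group Policy setting
#    "Deny write access to removable drives not protected by BitLocker"
#    (Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Removable Data Drives).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord

# Optional sub-setting: also refuse drives whose BitLocker identifier belongs to a
# different organisation, so a contractor's own BitLocker To Go stick is read-only
# here even though it is encrypted.
Set-ItemProperty -Path $fve -Name 'RDVDenyCrossOrg' -Value 1 -Type DWord

# 2. Audit: list mounted removable volumes and flag any without active protection.
#    (Hypothetical helper name; the cmdlets it calls are standard.)
function Get-UnprotectedRemovableDrives {
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        # Get-BitLockerVolume returns ProtectionStatus 'Off' for an unencrypted
        # volume rather than failing, so treat anything other than 'On' as exposed.
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $status = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }

        [pscustomobject]@{
            MountPoint       = $mount
            FileSystemLabel  = $vol.FileSystemLabel
            ProtectionStatus = $status
            Unprotected      = ($status -ne 'On')
        }
    }
}

$report = Get-UnprotectedRemovableDrives
$report | Format-Table -AutoSize

foreach ($drive in ($report | Where-Object Unprotected)) {
    Write-Warning ("{0} ({1}) is not BitLocker-protected; writes to it are denied by policy." `
        -f $drive.MountPoint, $drive.FileSystemLabel)
}
```

In practice the registry values would be delivered by Group Policy rather than set by hand on each machine, and the audit would run from an endpoint-management agent; the script shows the shape of both controls so that copying a database export to a personal stick fails at the operating system instead of relying on the contractor having read a policy he was never trained on.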