Data Encryption Breach Penalties: Greater Manchester Police Pays £120,000 For Lack Of Data Security Training.

The Greater Manchester Police (GMP) in the UK was recently fined £150,000 (reduced to £120,000 for early payment).  While many publications are reporting that this figure is primarily about the theft of a USB stick, the truth is that the GMP was fined for not having better sense.

What type of “sense”?  Why, the use of data security tools like AlertBoot, which protect sensitive personal data with encryption.

USB Stick Stolen is Part of a Pattern

According to the Monetary Penalty Notice filed in this case, an officer who worked with the GMP’s Serious Crime Division (“mainly the Drug Squad”) had his USB memory stick stolen on July 17, 2011.  The device was kept in his wallet, which was stolen during a home burglary.

(This factoid gave me a boob tube flashback: George Costanza’s exploding wallet / personal filing cabinet / not a purse.  I guess the use of a USB drive is one way to ensure one’s wallet doesn’t become morbidly obese.)

The officer in question had been with the Serious Crime Division for over 10 years, and he used the USB stick to “create a backup of his folder and to enable the officer to access information when he was out of the office or at another site.”  A post-breach forensic investigation revealed that information on 1,075 individuals was saved to the device and that it was not protected with encryption.  This contravened a September 2010 Chief Constable Order (CCO) that instructed everyone to use only encrypted devices.

But the officer alone cannot be blamed: he “was on leave at the time this CCO was issued” and “never had any specific training on data protection,” the use of encrypted storage media “was not effectively enforced,” and “no further steps were taken to prevent the use of USB sticks other than encrypted ones.”  In other words, the policy existed on paper, but nothing checked which devices were actually being plugged in.
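That last point is the gap a technical control should have closed.  As an added illustration (this is not code from the original post, and the GMP’s actual tooling is not described in the Notice), the following script audits USB enumeration log lines against an allowlist of the issued encrypted model and its inventoried serial numbers.  The log lines follow the shape of Linux kernel USB messages but are constructed here; the vendor/product IDs, serial numbers and allowlist are hypothetical.  It goes one step beyond “encrypted model only”: an approved model whose serial is not in inventory is flagged too, since a personally bought drive of the same model, or one that was never issued, is exactly the kind of device an amnesty later has to round up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, not captured from any real system: three devices plugged into
# three ports. The third is the approved model but was never issued by the organisation.
SAMPLE_LOG = """\
[  102.331] usb 1-1: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
[  102.332] usb 1-1: Product: USB DISK 2.0
[  102.333] usb 1-1: SerialNumber: 070A6D4A35B3
[  418.902] usb 2-3: New USB device found, idVendor=1e1d, idProduct=0101, bcdDevice= 1.00
[  418.903] usb 2-3: Product: Encrypted Drive
[  418.904] usb 2-3: SerialNumber: ENC-00042
[  611.117] usb 1-2: New USB device found, idVendor=1e1d, idProduct=0101, bcdDevice= 1.00
[  611.118] usb 1-2: Product: Encrypted Drive
[  611.119] usb 1-2: SerialNumber: ENC-99999
"""

# Hypothetical allowlist: the (idVendor, idProduct) of the issued hardware-encrypted model,
# and the serial numbers the organisation actually handed out.
APPROVED_MODELS = {("1e1d", "0101")}
ISSUED_SERIALS = {"ENC-00042", "ENC-00017"}

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    serial: Optional[str] = None


def parse_usb_log(text: str) -> List[UsbDevice]:
    """Group enumeration lines by port so each device carries its own serial number."""
    by_port = {}
    devices: List[UsbDevice] = []
    for line in text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            by_port[m["port"]] = dev   # a re-plug on the same port starts a new device
            devices.append(dev)
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].serial = m["serial"]
    return devices


def classify(dev: UsbDevice, approved_models=APPROVED_MODELS, issued_serials=ISSUED_SERIALS) -> str:
    """Allow only an approved encrypted model whose serial is in inventory."""
    if (dev.vid, dev.pid) not in approved_models:
        return "BLOCK: unapproved model"
    if dev.serial not in issued_serials:
        return "BLOCK: approved model, serial not in inventory"
    return "ALLOW"


def audit(text: str) -> List[Tuple[str, str, str, Optional[str], str]]:
    """One (port, vid, pid, serial, verdict) row per enumerated device."""
    return [(d.port, d.vid, d.pid, d.serial, classify(d)) for d in parse_usb_log(text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

This is a detective control: it tells you after the fact that a non-issued stick was used.  To actually prevent it, the same allowlist has to be pushed into the operating system’s removable-device policy so that anything not on it is never mounted; the audit then becomes the check that the policy is being applied.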

Approximately 1,100 Unauthorized USB Sticks Used

Following the above incident, the GMP engaged in what’s known in certain circles as the “closing the barn door after the horse has bolted” CYA maneuver (CYA being short for “Cover Your A–”).  I call it prudence: the GMP declared an amnesty for people not following the CCO and rounded up all the unauthorized USB sticks it could find.

The effort netted approximately 1,100 memory sticks and an admission that “some of the devices have still not been recovered.”

It was further revealed in the Notice that GMP had a similar breach in 2010.

More Dormant Security License Issues

Yesterday, I had noted how the Veterans Affairs Department in the USA had wasted a cool $5 million on encryption licenses that had not been used since 2006.  One has to wonder how many of the encrypted USB devices the GMP purchased have gone unused since 2010, just lying there and collecting dust.

The management of such devices and licenses can pose a significant challenge to many organizations.  However, ensuring that they’re properly managed and deployed is necessary and beneficial for many reasons:

  • Increased data security.  That’s what the procurement was about, right?

  • Adequate use of financial resources.  Nothing worse than having your money tied up on software that you’re not using.

  • Indirect assessment of your problem. You bought 1,000 — presumably because an assessment showed you needed 1,000 — and still have 900 waiting to be deployed one year later.  You’ve got a problem somewhere, buddy.

Plus, not being publicly shamed, and not ending up owing the government another £100,000 or more, has its merits as well.
