Risk
6/7/2013
12:24 PM
Connect Directly
RSS
E-Mail
50%
50%

Glasgow City Council Fined For Security Lapses

Stolen laptops and repeated cases of unencrypted data top the list of the City of Glasgow's security failings.

The organization that safeguards data privacy in the U.K., the Information Commissioner's Office (ICO) has slapped a £150,000 ($232,000) fine on the Glasgow City Council for failing to adequately protect citizens' data. The ICO has levied the penalty on Scotland's second city using its powers of enforcement under the 1998 Data Protection Act.

The judgment centers on the May 2012 theft of two unencrypted laptops from some of the council's offices, which were in the process of being refurbished. The security breach occurred when an employee placed a key to a safe area into the drawer of a colleague, leaving both devices unprotected long enough to be purloined. One of the devices contained the names, addresses, and in some cases, bank account data, for more than 20,000 individuals.

[ Could the U.K.'s recently vetoed communications monitoring law help prevent crime? Read Will Britain Revive Its 'Snooper's Charter'? ]

This data was unencrypted due to problems with Glasgow's security software, but the ICO maintains that the city should not have allowed its IT supplier to hand out unencrypted laptops to employees. It also points out that staff had asked for -- but not been given -- better-protected laptops, and that managers were aware of a series of recent thefts in the offices. (In fact, an astonishing 74 laptops had gone missing in addition to the one containing sensitive data.) Finally, the ICO's judgment cites the distress suffered by individuals whose personal information was exposed.

The ICO has now served Glasgow with an enforcement notice requiring it to carry out a full audit of all IT assets used to process personal data. It must also arrange for all of its managers to receive appropriate asset management training, and carry out a full check of all of its devices each year and maintain a complete, up-to-date asset register.

"How an organization can fail to notice that 74 unencrypted laptops have gone missing beggars belief," remarked Ken Macdonald, the ICO's assistant commissioner for Scotland. "The fact that these laptops have never been recovered and no record was made of the information stored on them means we will probably never know the true extent of this breach, or how many people's details have been compromised."

According to the ICO, Glasgow has had a history of security problems. In 2010, it was issued with an enforcement notice after an unencrypted memory stick was lost. Macdonald said, "To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow."

"The council should be held to account," he added. "The penalty goes some way to achieving that."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Simon Harbridge, Stone Group
50%
50%
Simon Harbridge, Stone Group,
User Rank: Apprentice
6/10/2013 | 3:41:47 PM
re: Glasgow City Council Fined For Security Lapses
Surely it is time for all public sector bodies to face up to the fact of the ICO's willingness to issue heavy penalties for negligence? If organisations are to avoid facing fines at a time when they can ill afford financial wastage, important steps must be taken to improve IT procurement and disposal processes.

Investing in IT hardware with comprehensive encryption is key: organisations must
approach hardware manufacturers with demonstrable experience in this area, and
those which offer encrypted laptops which meet a variety of security benchmarks, such as CESG approval.

Windows 8 Professional is another great example, now featuring Windows BitLocker as standard for no extra cost, as long as public sector customers procure notebooks and tablets that have Trusted Platform Module (TPM) modules, then they can be encrypted up to IL3 Level Security. This will be more than adequate for the vast majority of local authorities and indeed wider public sector
workers, outside of serious crime and defence.

If public sector bodies adapt a best practice approach to data security upfront then the wrath of ICO fines can be kept at bay.

Simon Harbridge, CEO, Stone Group
garfage
50%
50%
garfage,
User Rank: Apprentice
6/11/2013 | 10:13:47 AM
re: Glasgow City Council Fined For Security Lapses
Thanks for your observation, Mr Harbridge.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.