Luton Borough Council improves security after detecting a flaw in their protocols (updated)
There was no press release issued, but the Information Commissioner’s Office site notes:
An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council. This follows a self reported breach concerning a flaw in the encryption function of a number of Council issue memory sticks. The flaw could allow memory sticks to be formatted removing encryption protection.
From the undertaking:
The Information Commissioner (the “Commissioner”) was informed by the data controller on 21 January 2011 that a flaw had been discovered in a number of Council issued encrypted memory sticks. The flaw could permit the memory sticks to be formatted, removing the encryption protection. The data controller discovered the flaw when conducting a recall of old devices. During the recall process a total of 619 memory sticks were identified as having incomplete audit records, with the location of half of these being unknown.
It has been established that only a small percentage of the untraced devices will be subject to the encryption flaw. It is also likely that the majority of these contain no personal data. However, due to the circumstances, the actual risk to individuals is unknown.
Appropriate remedial action has been taken by the data controller and the appropriate auditing and security of such devices re- established.
Updated Sept. 5: I wasn’t sure whether the undertaking really meant that the council had no idea where half of their memory sticks were – even if most of them did not contain PII – so I emailed the ICO’s office to get clarification. Today, I received a response from a spokesperson:
Thank you for contacting the Information Commissioner’s Office (ICO).
The recent undertaking signed by Luton Borough Council concerns the lack of appropriate audit measures being in place for 619 memory sticks. This problem meant that around half the sticks couldn’t be recalled as their whereabouts were no longer known due to a lack of suitable checks being in place.
During the recall it was also discovered that a small percentage of these memory sticks had carried a flaw which meant that the encryption protection on the device could potentially be removed. However as the majority of these devices didn’t contain personal data they would not have been covered by the Data Protection Act and therefore are not covered by the terms of the undertaking.
I hope that has helped to explain the circumstances of this data breach in more detail.
So it seems that yes, the council lost track of the location of over 300 memory sticks, some of which contained PII. I’d say that losing track of your data – even if it’s not PII – is a pretty big issue, but understand that only devices with PII would be subject to the ICO’s authority.