Stoke-on-Trent City Council (UK) has been smacked with a £120,000 fine for failing to secure sensitive information that was being transmitted electronically. The data, child protection documents, was accidentally delivered to a person not related to the case and wasn’t properly encrypted, the Information Commissioner’s Office (ICO) said, which amounted to a significant breach of the Data Protection Act.
The incident occurred last December, when 11 emails related to a child protection case were sent by a solicitor to the wrong email address. The emails contained sensitive information related to the care of a child and information related to the health of two other adults and two other children. The emails should have been sent to Counsel instructed on a child protection case.
“If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved,” said Stephen Eckersley, Head of Enforcement at the ICO.
As a result, Stoke-on-Trent City Council was fined £120,000 for breaching the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. Making the situation worse, a subsequent investigation into the matter revealed that the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. This is in addition to failing to offer proper training on the use of encrypted communications and encryption software.
“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost,” Eckersley added.
Earlier this month, Greater Manchester Police paid £120,000 after a thief took a USB drive containing personal information from an officer’s home. It was later learned that officers normally used unsecured USB drives to store and transport sensitive information, a fact that David Smith, the ICO’s director of data protection, said sends a “shiver down the spine.”
