UK Privacy Debacles
From Orgwiki
This page catalogues UK Privacy debacles, inspired by this (US-centric) article in Wired magazine: [1]
Entries are currently ordered by the date they were reported to the public.
- HSBC loses customers' data on a disc: 370,000 customers affected. The disc was sent using ordinary Royal Mail services. Customers' details included their names, dates of birth, policy number, whether they were a smoker and their levels of insurance cover. 7 April 2008
- 'Home Office highly confidential' CD found in laptop sold on eBay. Police are investigating after the disc - which was hidden between the keyboard and circuit board - was discovered by computer repair technicians in Bolton. Luckily the CD was encrypted; it's not reported how. 28 February 2008.
- Skipton Financial Services lost an unencrypted laptop containing personal information on 14,000 customers. The laptop, which contained names, dates of birth, National Insurance numbers and investment amounts, was stolen from an SFS contractor. The Information Commissioner's Office has ruled they have breached the Data Protection Act. 21 February 2008
- Information on 20,000 people, including their bank account numbers and health details, left in squat. Documents included names, phone numbers and addresses, dates of birth, pay slips, bank forms and details of private interviews with benefit claimants. ...The Haringey Council files, many stamped "Confidential", date from the 1980s to 1993. 18 February 2008
- 5,000 medical records stolen on a laptop. A laptop containing the medical records with information on 5,123 patients has been stolen from a Black Country hospital. 14th February 2008
- NHS get warning after more patient data goes missing, including data on 1.7 million patients: hard drives dumped in skip, disc lost, information left in pub, laptop stolen from locked room and doctor's name linked to patients' details via 'google' search. 27th Jan 2008
- Personal details of more than 1,000 students in Scotland have gone missing in the post 26th Jan 2008
- Royal Navy officer had a laptop stolen which had held the personal details of 600,000 people. It contains data including passport numbers, National Insurance numbers and bank details. They relate to people who had expressed an interest in, or joined, the Royal Navy, Royal Marines and the RAF. 19 January 2008
- NHS lose 4,000 medical and personal details on a USB drive. Stockport Primary Care Trust (PCT) admitted it had not informed the thousands affected after it lost their names, dates of birth and details of medical conditions in December. The details, which also included NHS numbers and details of GPs, were on a USB drive that was dropped by an employee. 18 January 2008
- Police data including names, addresses, telephone numbers and ranks of employees of Devon and Cornwall Police found on computer disk that had been thrown out 26 December 2007
- NHS bosses in the north-east have admitted losing confidential patient information on eight separate occasions in the last five years. Patient information kept on the health board's databases was lost and never retrieved and it was unable to confirm how many individuals had been affected by the breach. 24 December 2007
- Sensitive details about adults and children were lost in 10 incidents at nine separate NHS Trusts. Cases include the loss of a CD holding 160,000 children's names and addresses by a Trust in East London and the loss of 244 cancer patients' details by the Maidstone and Tunbridge Wells health trust in Kent. The Trusts: Bolton Royal Hospital, Sutton and Merton, Maidstone and Tunbridge Wells (two incidents), Sefton Merseyside, City and Hackney, Mid Essex, East and North Herts, Norfolk and Norwich, Gloucester Partnership Foundation Trust. 23 December 2007
- Details of 6,500 pension firm customers lost by HMRC: names, addresses, DoB, NI numbers and pension contributions. 18 December 2007
- The details of three million candidates for the UK driving theory test. Names, addresses and phone numbers - but no financial information - were among details on a computer hard drive which went missing in the US. 17 December 2007
- Norwich Union has been fined £1.26m for failing to protect customers' personal details after fraudsters were able to steal £3.3m from policyholders. 74 policies worth a total of around £3.3m. In a series of telephone calls to Norwich Union Life the fraudsters obtained confidential information and were able to change customers' details so that policies were paid out to the wrong accounts. 17 December 2007
- The details of up to 3,000 NHS patients could have been on a laptop stolen from a doctors' surgery. The laptop contained patients' names, addresses, dates of birth and phone number. 14 December 2007
- The personal details of 160,000 children have been lost at a London hospital. A computer disc containing the data was sent to St Leonard's Hospital in Hackney but failed to reach the right department - even though it was signed for by hospital staff. The disc contained their names, dates of birth and addresses. (Encryption was used on the discs) 12 December 2007
- Sefton PCT leaks personal details of 1800 staff 12 December 2007
- Leeds Building Society has mislaid information containing the personal details of its 1,000-strong workforce 11 December 2007
- The Driver and Vehicle Licensing Agency in Northern Ireland has lost the personal details of 6,000 people, on two discs after being sent to the agency's headquarters in Swansea. The information was not encrypted. 11 December 2007
- A laptop computer containing personal details of up to 60,000 people has been stolen from the Citizens Advice Bureau in Belfast (Thankfully the computer was encrypted) 7 December 2007
- Concern over use of post for patient records. Two Primary Care Trusts use the regular post to deliver GP records to “fringe practices”. 6 December 2007
- The DVLA has sent out 1,215 questionnaires including drivers’ names, addresses, birth dates, licence numbers and motoring offences records to the wrong people 6 December 2007
- The Department for Work and Pensions has lost another computer disc containing the personal financial details of 40,000 housing benefit claimants 2 December 2007
- At least ten discs holding personal information about millions of people have yet to be accounted for after they had been sent from Revenue and Customs’ offices. There are actually ten missing discs, including the two sent from offices in Washington, Tyne and Wear, to the National Audit Office in London and six lost in transit from tax offices in Preston. 26 November 2007
- Frank Milford, whose company was hired in 2006 by the Department of Constitutional Affairs to overhaul its administration, said he had asked for a list of its suppliers. He received a package from a firm called Liberata, which handled the department’s finances, containing two discs listing personal details of every person, business or company paid by the department over the past five years. He told The Sun newspaper that the discs were neither encrypted nor password-protected. 26 November 2007
- HMRC loses almost half the nation's data in the post (also see Discgate)
- Data on 15,000 pension policy holders, sent on CD, has been lost. The lost disc contained names, national insurance numbers, dates of birth, addresses, and pension data. Information such as this would easily lend itself to abuse by crooks if it fell into the wrong hands. The data was not encrypted. 5 November 2007
- Hundreds of people could be at risk of identity fraud after a laptop holding sensitive information was stolen from an HM Revenue and Customs worker 8 October 2007
- Dudley Group of Hospitals NHS Trust sold one of its computers full of confidential medical information on eBay 14 September 2007
- http://www.computerweekly.com/blogs/tony_collins/2007/09/npfit-security-warning-after-n.html 50 NHS staff view celebrity record. 18th Sep 2007
- A computer database containing thousands of top secret telephone records from police investigations into terrorism and organised crime has been stolen 11 August 2007
- A laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 M&S employees has been stolen 9 May 2007
- Marks & Spencer loses 26,000 staff details after a laptop containing unencrypted data was stolen. Marks & Spencer (M&S) now has until 1 April 2008 to ensure all laptop hard drives are fully encrypted. The Information Commissioner's Office served the enforcement notice on 23 January after M&S refused to allow the watchdog to publish the changes it demanded in data security at the company. April 2007
- Talking CCTV cameras - this still takes my breath away. 4 April 2007
- TJX revealed that UK shoppers at its stores have had their personal and financial data stolen, which could be used for fraudulent transactions. The theft, already one of the world's largest incidents of corporate data theft, has so far seen US-based retailer TJX admit that 45.7 million credit and debit cards were stolen from the company in a computer data security breach over an 18-month period. 30 March 2007
- Children's details taken in theft. Health bosses in Nottinghamshire have issued a warning after a laptop containing information on about 11,000 young children was stolen. 27 March 2007
- A Halifax building society employee last week had data on 13,000 mortgage customers stolen from his car. 27 March 2007
- Thousands of Worcestershire County Council employees have become victims of data theft after a laptop containing sensitive personnel information was stolen in a street robbery. 16,000 employees, one laptop and no encryption. 28 February 2007
- Met Police in laptop theft security flap. Three laptops, containing the payroll and pension details of more than 15,000 Met Police officers, have been nicked from the offices of LogicaCMG, the outsourcing firm that handles the payments. 22 November 2006
- The UK Building Society Nationwide has admitted that a laptop containing account records of possibly more than 11 million customers has been stolen from an employee's home. They did not tell customers for more than 3 months. 18 November 2006
- Newcastle City Council has mistakenly released the private details of more than 50,000 credit and debit card customers 27 July 2007
- Natwest/RBOS allegedly dump customer details in bins [2] 18 August 2006
- Did this lead to major consequences?
- HSBC knew about security loophole in online banking. One of Britain’s biggest high street banks knew about a security loophole in its online banking service that left millions of accounts open to fraud and did nothing about it for almost two years. 11 August 2006
- It appears that this was not such a huge problem as the Guardian made out, as keylogging software was required to effect the "hack" [3]
- http://www.computerweekly.com/Articles/2006/07/11/216882/nhs-trust-uncovers-password-sharing-risk-to-patient.htm Leeds teaching hospital uncovers 70,000 cases of "inappropriate access" to systems, including medical records, in one month 11th Jul 2006
- UK National DNA database shared overseas 7 June 2006
- CRB check "false positives" - while not a privacy issue precisely, this resulted in people losing employment opportunities. 21 May 2006
- Identities of Network Rail and DWP staff stolen and used to defraud the Tax Credits system 19 January 2006
- Old 'Phantom Withdrawals' issue with UK banking system: [4] and [5] 21 October 2005
- Castlereagh police station raid - Suspected inside job; Denis Donaldson (IRA informant) turns up dead later, though this is tied up with the Stormont Spy Ring affair. 24 May 2002
- Individual Learning Accounts fraud 10 October 2001
- Powergen security breach shock. A major security breach involving the disclosure of personal details (including names, addresses and credit card information) on as many as 7,000 customers has occurred on the Powergen web site. 20 July 2000

