An enquiry has been launched after a memory stick was found in a second-hand car in Leeds.
The memory stick contained the names, addresses, dates of birth, ethnicity and phone numbers of an estimated 5,000 children. It also stored information about child protection and whether parents claimed state benefits.
The memory stick had been dropped at least a month earlier by a Leeds City Council worker during a taxi trip. Although the employee reported the loss, the council was told there was no sensitive information on the stick. None of the confidential details had been encrypted or protected by passwords despite strict council rules.
The memory stick was discovered by a man from Leeds as he cleaned his second-hand car, which he bought from a taxi driver last month. When he plugged the device into his home computer, he discovered a huge confidential list, which also included his own daughter.
He told the Yorkshire Evening Post: “I just feel it is information that should not be on a memory stick. It just worries you - we don't know how long it's been there or whose hands it has been in before we found it. How can we trust Leeds City Council when they do something like this?
“Originally my concern was that if this lady or man is taking this information home, should they not have a code on it so no-one else can access it? But should this information even be taken home?”
A spokeswoman for the council said staff had been reminded about rules surrounding data security and an urgent inquiry set up regarding the memory stick. She declined to say if anyone had been disciplined.
She said: “We take issues of information security very seriously and are very sorry that this breach has occurred. We have guidance in place which seeks to prevent such incidents occurring including advice on using memory sticks.
“The loss was immediately reported by the employee concerned to their line manager and enquiries were made to recover it. Regrettably it could not be located. At the time, it was understood that no sensitive or confidential data was on this stick, so no further action was taken.
“Unfortunately, once recovered, it became apparent the memory stick did have sensitive information on it that should not have been there. As soon as we were made aware of the content, a full investigation into the circumstances of this case was launched and an immediate reminder to all staff is being issued regarding the security of personal and sensitive information. We are grateful to the member of the public who found and returned the memory stick.”
Jason Holloway, regional sales manager Northern Europe for SanDisk, commented: “The fact that this data was on an unsecured USB stick, despite Council guidelines, shows just how important it is to enforce policies with security products.
“Policies alone mean nothing: even the most fastidious users will ignore advice sometimes, just this once, because they're just trying to be productive. For this type of data, it's essential to use strong, mandatory encryption that users can't turn off, or work around.
“In April this year, SanDisk surveyed IT managers and end-users, and 12 per cent of end users reported finding a USB flash drive in a public place. What's more, 55 per cent indicated they would try and view the data on it. So data encryption is a must-have for USB drives.”