Greater Manchester Police have been issued with a monetary penalty of £120,000 after a USB stick containing sensitive personal data was lost.
According to the Information Commissioner's Office (ICO), the device was unencrypted and had no password protection. It contained details of more than a thousand people with links to serious crime investigations and was stolen from an officer's home.
The theft, on 17 July 2011, happened when an officer employed by the data controller had his house burgled; his wallet, which contained the USB stick, was stolen. To date the device has not been recovered.
The officer had worked in the data controller's Serious Crime Division for around ten years and had used a personal USB stick to download information from his folder on the shared drive of the data controller's network, which was subject to access controls. He had been issued an unencrypted USB stick in 2003/4, but had replaced it with his own USB stick when it became full.
The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers so that it could be accessed away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
David Smith, ICO director of data protection, said: “This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.
“It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.
“This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”
Terry Greer-King, UK managing director for Check Point, said: “In November 2011, we surveyed 320 UK public and private sector organisations and 50 per cent of them were still not encrypting data on USB sticks, despite the high-profile security breaches of recent years. So these losses will keep happening.
“The fact that a subsequent amnesty by the GMP on personal, unsecured devices led to 1,100 such devices being handed in highlights the scale of the problem. Without the proper controls in place, employees will continue to use personal devices for work, simply because they're trying to do their job more efficiently. Firms have to balance that against the need to protect confidential data.”
Nick Banks, head of EMEA and APAC at Imation Mobile Security, said: “The nature of USB memory devices makes them highly portable but also very vulnerable to loss or theft, yet even in the face of these obvious risks organisations are still getting this wrong. Had the USB stick been encrypted in this case then the information would have been protected and the fine would have been avoided.
“When you look at the risks involved, it simply doesn't make sense to allow staff working with confidential data to use unencrypted devices. An unencrypted memory stick is totally unsuited to holding this type of confidential information, and Greater Manchester Police should have had firm policies in place to mandate the use of encrypted devices. The investigation found that officers regularly used unencrypted memory sticks, and now the force will have to swallow a large fine and urgently review its data protection policies.”