Lost USB sticks are back in the spotlight after an unencrypted memory stick, which contained housing association tenant details, was left in a pub.
According to the Information Commissioner's Office (ICO), the memory stick belonged to a contractor who was working for Lewisham Homes and had previously worked for Wandle Housing Association.
Information on the stick included the details of 6,200 tenants of Wandle Housing Association and over 20,000 tenants of Lewisham Homes. The unencrypted USB stick also included almost 800 financial records of the Lewisham tenants. The memory stick was recovered and handed into the police and safely retrieved at a later date.
Sally-Anne Poole, acting head of enforcement at the ICO, said: “Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office.
“Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.”
Chris McIntosh, CEO of ViaSat UK, said that the breach shows a worrying lack of regard both by the contractors and by extension, Lewisham Homes and Wandle Housing Association.
“The fact that the contractors were holding unencrypted details from both associations on a single memory stick shows little or no consideration that the information might be lost or stolen. That the information was lost in a pub just seems to top off this apparent lack of care,” he said.
“This loss demonstrates that when bodies such as housing associations enlist the services of contractors and outside organisations, they must ensure that they obey data protection best practices and can be trusted with sensitive information. After all, the cost of any loss to a member of the public would far outweigh the cost of an encrypted memory stick and the knowledge to use it correctly.”
Edy Almer, VP of product management at Safend, said: “It is good to see that data stored on the USB was most likely not compromised and that the immediate response from the breached party was to make things right. It is important to note it was a third party contractor that lost the data and not trained internal staff, thus highlighting the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data.”
Mark Fullbrook, UK and Ireland director at Cyber-Ark, said: “This is yet another example of the poor data protection policies operating within organisations today. Using a memory stick to transport sensitive information may be convenient, but it's certainly not secure and whilst in this case the memory stick was returned to its rightful owners, should it have fallen into the wrong hands the repercussions could have been severe”
Terry Greer-King, UK managing director of Check Point, said: “Always-on media encryption would make the risk of data misuse negligible, even if the device is lost or stolen. When we surveyed 130 UK public and private sector organisations in November 2010, 52 per cent said they do not use data or device encryption and a further eight per cent admitted that they did not even know if encryption was in use.
“These figures hadn't really changed compared with the previous two years, so it's evident that there's still a big security gap to be bridged.”
Nigel Hawthorn, VP of marketing EMEA at Blue Coat Systems, said: “This is yet another example of how complacency and data loss can come from all sorts of places. The lesson here is to assume that your data will be lost, as there is virtually nothing that can be done to address the carelessness of those responsible for your personal information.”