UK Information Commissioner fines Police Service of Northern Ireland 750,000 pounds for exposing the personal information of its entire workforce

October 21, 2024

When it comes to poor data security practices and serious data breaches the police and health service providers are generally amongst the worst performers. Both have serious cultural problems in properly treating personal information confidential. Both often have serious system problems, especially with their IT. The UK Information Commissioner’s fine of 750,000 of the Police Service of Northern Ireland is the most recent example. Here the breach was the very common human error of uploading a document onto a webpage.  That happens quite regularly.  Here the document contained the personal information of all employees of the Northern Ireland Police Service.  The consequences were baleful.  The quality assurance processes failed.  While the personal information was viewable for only 3 hours the Police Service are working on the assumption that the information was accessed by dissident republications who would use to intimidate.

The media release provides 

We have fined Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.
Our investigation found that simple-to-implement procedures could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a freedom of information request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.
Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.

Summary of the breach

On 3 August 2023, PSNI received two freedom of information requests from the same person via WhatDoTheyKnow (WDTK). The first asked for “… the number of officers at each rank and number of staff at each grade …”, the second asking for a distinction between “how many are substantive / temporary / acting …”.
The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system (SAP). The data included: surnames and first name initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.

As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file. The original worksheet, containing the personal details, remained unnoticed and this was also not picked up despite quality assurance. The file was subsequently uploaded to the WDTK website at 14:31 hours on 8 August.
PSNI was alerted to the breach by its own officers at approximately 16:10 hours the same day. The file was hidden from view by WDTK at 16:51 hours and deleted from the website at 17:27 hours.
Six days later, PSNI announced they were working on the assumption that the file was in the hands of dissident republicans and that it would be used to create fear and uncertainty and for intimidation.
John Edwards, UK Information Commissioner said: Read the rest of this entry »

UK Information Commissioner’s Office reprimands UK law firm Levales Solicitors for poor protection of data which were affected by a data breach

October 16, 2024

Law firms are prime targets for data breaches. One need only look at the recent massive data breach at HWL Ebsworth. Entry into law firms can be through a range of third party providers such as IT services. The UK Information Commissioner has reprimanded a UK Law Firm, Levales for breaching the General Data Protection Regulation. The incident affected 8,234 UK individuals, of which 863 individuals were deemed at high risk because of the nature of the data involved.

According to the reprimand:

  • The breach occurred after an unknown threat actor gained access to the secure cloud based server via legitimate credentials, later publishing the data on the dark web
  • 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’.
  • the data involved was:
    • Name
    • Data of Birth
    • Address
    • National Insurance Number
    • Prisoner Number
    • Health Status
    • Details of Criminal allegations not charged
    • Details of Criminal allegations prosecuted
    • Outcomes of investigations and prosecutions
    • Details of complainants and victims both adult and children
    • Previous Convictions
    • Legally privileged information and advice
  • Levales did not implement appropriate technical and organisational measures to ensure their  systems were secure because while outsourcing their IT management to a third party were unaware of security measures in place such as detection, prevention, and monitoring.
  • Levales had not reviewed if the technical measures associated with the contract, were appropriate for the personal data they were processing since the contract was first signed in 2012.

Read the rest of this entry »

The UK Information Commissioner fines Advanced Computer Software Group Ltd (Advance) 6 million pound fine after 2022 ransomware attack that disrupted NHS

August 10, 2024

Cyber attacks on service providers working for large institutions, especially in the health sector, are common. Health Services often contract out IT services, as they did with Advanced Computer Software Group Ltd (Advanced). Unfortunately organisations and agencies spend insufficient time in ensuring that those contractors maintain adequate cyber protections and proper training regimes for their staff. Advanced provided IT services and handled personal information collected by the UK National Health Service in its capacity as a data processor. In August 2022 Advanced was hit with a ransomware attack which also involved personal information of 82,946 people being exfiltrated. NHS was impacted in not being able to access patient records. The ICO has announced that it will fine Advanced 6.09 million pounds.

The announcement provides:

We have provisionally decided to fine Advanced Computer Software Group Ltd (Advanced) £6.09m, following an initial finding that the provider failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.  

Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. Read the rest of this entry »

Cyber attack on London hospitals by Russian Crime Group impacts delivery of blood transfussions

June 13, 2024

The health industry is a prime and consistent target for cyber attacks as well as more analog data breaches, as I have posted many times in the past. A recent attack by Russian crime groups on London hospitals, in particular King’s College hospital, Guy’s and St Thomas’ and Synnovis, a pathology services firm, has had a catastrophic impact on their operations. The damage has been so severe that the NHS has called for O – type blood donations because the cyber attack has meant that the hospitals cannot match patient’s blood. This is against a backdrop where the Norfolk and Norwich University Hospitals NHS Foundation Trust paid out 47,000 pounds in compensation for data breaches between 2020 and 2023. Last year NHS trusts were discovered sharing patient data with Facebook without consent.

The problem has become so endemic in the UKI that the Information Commissioner issued a press release on 10 May 2024 titled Organisations must do more to combat the growing threat of cyber attacks.

There is no reason to believe the situation is any better in Australia as recent massive data breaches at Optus and Medibank Private highlight that inadequate data security and the pervasiveness of cyber attacks is an international problem. 

The Commissioner’s press release Read the rest of this entry »

Three staff investigated into Princess of Wales data breach

March 21, 2024

The Times reports that investigation into a data breach, involving the Princess of Wales’ medical records at the London Clinic has zoned in on 3 staff. And the Information Commission has received a breach report and is investigating as well. The story has been picked up by the Australian with Three hospital staff ‘tried to access Princess of Wales’s records’. Initially one person was suspected of creating a data breach.  That has expanded to three.  That is not unusual.  In cases where people seek out salacious information or photographs the desire to share seems to be difficult to resist.  That occurred when photos of Dani Laidley were inapopriately taken in a police station and then sent to other police officers.  

Data breaches involving snooping into medical records are a chronic problem in hospitals.  But they can be minimised if there are proper systems in place.  And top of the list is requiring anyone to access records to have authorisation and sign in before they can view records.  That creates a trail and may allow the system to alert IT when someone without authorisation has accessed those records or is trying to.  It is not foolproof as those determined can use other’s authorisation but even then there are ways of dealing with that.  It is no less a problem in my experience in Australia than in the UK.  Given the regulation is Read the rest of this entry »

UK Information Commissioner reprimands more police services. This time it is the Dover Harbour Board and Kent Police

March 19, 2024

Police breaching privacy is almost a cliche. The Victorian Police had a sub specialty for years in misusing the LEAP database.  In the UK the Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police for breaches of privacy.  Those breaches related to the use of the social media app, WhatsApp, and instant-messaging service, Telegram, on personal phones to share information. The personal information was being shared in the group without appropriate safeguards in place.

This is a widespread problem.  Encrypted social media messaging havw been used by politicians and officials doing government business to do communicate, and do business, away from official means of communications.  The problem with  social media messaging apps on personal devices is that it avoids the necessary oversight supervisors and managers should have.   For example while Prime Minister Malcolm Turnbull used Wickr adn Confide outside of the federal parliament’s system when communicating with colleagues and journalists. He claimed not to have used the systems to send classified government information. But, as Mandy Rice Davies said after hearing Lord Astor had denied having sex with her “He would, wouldn’t he.” 

Regarding Dover Board the reprimand relates to the use of  WhatsApp and then Telegram.  The reprimand relevantly Read the rest of this entry »

UK Information Commissioner reprimands West Midlands Police for data protection breach

March 5, 2024

Managing data when organisations are flooded with data is an ongoing challenge which can easily result in a data breach when that management fails. Misfiling documents in the analog era was common enough however the chance of that resulting in a privacy breach was far rarer than today with . The Information Commissioner has reprimanded the West Midlands Police for a data protection failure.  The data breach resulted in one person with the same name receiving documentation intended for another.  Given that one was a suspect in crimes and the other a victim of domestic violence this error was significant.  As is usually the case, upon investigation the Commissioner found significant flaws in the way the WMP handled data and trained its officers.  This is a typical problem.  Data breaches often occur because there are inadequate processes and not much in the way of training.

The media statement provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to West Midlands Police (WMP) after the force repeatedly mixed up two people’s personal information.

On numerous occasions throughout 2020, 2021 and 2022, WMP incorrectly linked and merged the records of two people with the same name and date of birth. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime, a breach of the Data Protection Act 2018.

This mix-up led to inaccurate personal information being processed and resulted in a catalogue of errors, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child. Read the rest of this entry »

The UK Information Commissioner reprimands South Tees Hospitals for a serious harmful data breach.

January 28, 2024

The UK Information Commissioner has reprimanded the South Tees Hospitals NHS Foundation Trust for a serious data breach. The breach involved providing sensitive information to an unauthorised family member. The nature of the information is not specified but it involved sending a letter relating to an upcoming appointment which found its way into the hands of another person. 

The ICO’s release provides:

The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to a unauthorised family member.

In November 2022, a Trust employee sent a standard letter to inform the father of a patient of an upcoming appointment, but the appointment letter was sent to the wrong address.

Whilst the subsequent investigation by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.

Joanne Stones, Group Manager at the Information Commissioner’s Office, said:

“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated.

“This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is protected and reduce possibility of future disclosures in error.

Read the rest of this entry »

UK Information Commissioners’ Office fines Ministry of Defence for revealing the names fo 265 people seeking relocation to the UK from Afghanistan after the Taliban took over.

January 1, 2024

A very common form of data breach by government agencies is for an officer, usually mid ranked or lower, to attach a list of names to an email, advertently or inadvertently, and then send the email to the wrong recipient or sending the wrong attachment to the intended recipient.  Another variation I see quite commonly is someone sending an email to a large number of recipients as part of a “Reply All” when the intention was to respond to only one person.  Many of the “Alls” should not have seen the document.   

Before Christmas the UK Information Commissioner fined the Ministry of Defence for releasing via email the names of 265 Afghans seeking relocation to the UK in the wake of the Taliban takeover. Here the email was sent to a distribution list of Afghan nationals releasing personal information of 245 people. The ICO statement provides:

    • Details of 265 people compromised in email data breaches weeks after Taliban took control of Afghanistan in 2021
    • Egregious breach “let down those to whom our country owes so much” – UK Information Commissioner
    • Email error could have resulted in a threat to life

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan. The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients. Such procedure provides a double check whereby an email instigated by one member of staff is cross checked by another. Read the rest of this entry »

UK Information Commissioner reprimands Charnwood Borough Council for disclosing the new address of a domestic abuse victim to her ex partner. Meanwhile in Australia there is a serious data breach involving 11,000 records of National Disability Insurance Agency.

November 30, 2023

Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Often times it is a list of individuals. The UK Information Commissioner in Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex partner! It arose from an administrative bungle, with a letter being sent to the previous address of the victim, which she shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

    • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
    • A proper process is in place for address changes
    • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner. Read the rest of this entry »

Verified by MonsterInsights