AlertBoot Endpoint Security

Data Encryption Software: Southwark Council Avoids Penalty

The Southwark Council in the UK (in South-East London) has avoided a penalty despite having breached the Data Protection Act of 1998.  Approximately 7,200 people were affected by the incident.  Full disk encryption like AlertBoot was not used to protect the contents of a desktop computer that was discarded (although the fact that the DPA was breached should have been a clue that it wasn't).

iMac Taken off Register, Forgotten Behind

The breach details are something to read: an Apple computer was discovered in a garbage skip by a random citizen on June 3, 2011.  The device was tossed there by new tenants of a building that used to be occupied by the Southwark Council.  While the building had been vacated in December 2009 by the council, it remained tenanted until May 11, 2011 (I can only assume it means the contract ran until May 2011, but the council had moved out a year and a half earlier).  So, the computer was discarded between mid-May and early June.

The computer was, apparently, removed from the council's asset register in 2003, meaning that someone could have stolen the thing anytime between 2003 and 2011 and, possibly but not probably, no one would have been the wiser.  Yikes! (Of course, it would have been even more so between December 2009 and May 2011).

The computer that caused the commotion was an iMac, a desktop computer.  It looks like it could have been one of the earliest models (either the happy-colored ones, the ones that looked like candy, or the first generation of aluminum, thin-screens) based on the earliest year being discussed above.

Password-protection had been used on the device, but encryption software was lacking.

Before Monetary Penalty Legislation was Passed

The information on the desktop computer included names, addresses, medical records, ethnic backgrounds, past criminal records, and other information for approximately 7,200 people.  However, the council has avoided being penalized because the law that allows the ICO, the Information Commissioner's Office, to issue fines for breaches of the DPA was only passed in April 2010.


Related Articles and Sites:
http://www.itproportal.com/2011/11/22/ico-warns-southwark-council-over-misplaced-files-computer/
http://www.v3.co.uk/v3-uk/news/2126518/ico-scolds-southwark-council-unencrypted-imac-skip
http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/southwark-council-warned-over-data-breach-10024842/
http://www.ico.gov.uk/news/latest_news/2011/council-warned-after-personal-data-was-missing-for-two-years-21112011.aspx
http://www.ico.gov.uk/what_we_cover/taking_action/~/media/documents/library/Data_Protection/Notices/london_borough_of_southwark_undertaking.ashx

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.