The UK's Information Commissioner's Office (ICO) has fined Welcome Financial Services Limited £150,000 for failing to properly secure two backup tapes. The tapes were not protected with data encryption software like AlertBoot and went missing in November of last year.
Last year, Welcome announced that around 510,000 customers' names, addresses, phone numbers, dates of birth and loan details were lost, or were presumed to be lost, when the company couldn't locate the backup tapes. Apparently, 26 people out of the group decided to file a complaint with the ICO.
The half-million figure is a bit misleading, it turns out. According to credittoday.co.uk:
The tapes, which have never been recovered, contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000 but also including date of birth and payment history for 600,000.
I'm not sure what the discrepancy means, but it appears that the data breach could have been greater than reported (as opposed to a breach of sensitive personal data). Most sites are also quoting the 500k figure, but the ICO's own penalty notification letter confirms the above figures.
My own research had also found that the company had declared bankruptcy (probably common knowledge in the UK), and I was left wondering: if the company were penalized, who would end up paying? After all, for all pragmatic purposes, the company didn't exist anymore.
Well, it appears that for the purposes of the fine, the company does exist: the ICO's Monetary Penalty Notice, dated 02 July 2012, names Welcome Financial Services Limited as the data controller. If the penalty is paid by 31 July 2012, a 20% discount will kick in, reducing the fine by £30,000.
Another detail I've found: the tapes in question were HP LTO-4, and according to HP's own site:
from LTO-4 onwards, secure AES-256 encryption provides even higher levels of data security and compliance with the most stringent industry regulations to prevent unauthorized data access.
From a purely technical perspective, it sounds like encryption could have been used on the backup tapes. Considering all of this -- the number of people impacted, the type of information that was breached, and the availability of technical safeguards -- it doesn't take a genius to know that the ICO had no choice but to come down hard, especially considering its actions this year.
Related Articles and Sites:
http://www.ico.gov.uk/what_we_cover/taking_action/~/media/documents/library/Data_Protection/Notices/welcome_finance_monetary_penalty_notice_enf0427198.ashx
http://www.out-law.com/en/articles/2012/july/credit-firm-fined-150k-after-losing-personal-data-of-half-a-million-customers/