Posted by stuart.gilbertson

The Information Commissioner’s Office (ICO) has found Warwickshire County Council in breach of the Data Protection Act (DPA) following the theft of two laptops and the loss of a memory stick.

The laptops, which were unencrypted and not physically secured or locked away, were stolen from council offices. They held sensitive personal information relating to a number of pupils and members of staff from two schools. The council also reported a separate incident to the ICO, involving the disappearance of an unencrypted memory stick holding a small amount of personal data relating to children attending an education centre.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when
it concerns sensitive information relating to children. A lack of awareness of data protection requirements can lead to personal information falling into the wrong hands.

The Information Commissioner’s Office (ICO) has found St Albans City and District Council in breach of the Data Protection Act. A laptop was stolen which was used to store postal voters’ records as part of an election process in June 2009.

The personal information, which was password protected but unencrypted, remained on the laptop when it was no longer required. At a later date it was left unsecured on a desk until it was discovered missing on 5 November 2009 along with three other laptop computers belonging to the council.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “When organisations store large volumes of personal details on portable computers, encryption is essential. They must ensure staff and contractors are trained to handle personal information securely to avoid the risk of information falling into the wrong hands. It is also crucial organisations don’t keep personal information for longer than is necessary.”

Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

The Information Commissioner’s Office (ICO) has found Zurich Insurance plc in breach of the Data Protection Act after it lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client, which are all part of Zurich Insurance plc.

The back-up tape, which also included personal details of 1,800 third parties, was lost by a sister company, Zurich Insurance Company South Africa, during a routine transfer to a data storage centre in South Africa. The data loss occurred on 11 August 2008 although the sister company did not inform Zurich Insurance plc until over a year later. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is vital that organisations ensure effective safeguards are in place to protect personal information. Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence…”

On Wednesday, Reuters reported that a new password stealing virus is working its way through the Internet targetting Facebook users.

Hackers flooded the ‘net with spam messages that are targetting Facebook’s estimated 400 million users in an attempt to steal your personal information.

The email message tells its recipients that the passwords on their Facebook account have been reset, urging them to open an attachment to obtain new login details. Consider IT warns all readers NEVER to open unknown attachments!

A Facebook spokesman said the company could not comment on the specific case, but pointed to a status update the company posted on its website earlier on Wednesday. This update warned users about the illicit email and advises users to delete it immediately.

The email’s subject line says “Facebook password reset confirmation customer support,” according to Dave Marcus from McAfee.

The Information Commissioner’s Office (ICO) has found that the Royal London Mutual Insurance Society breached the Data Protection Act (DPA) after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. The individuals affected were employees of various firms which had sought pension scheme illustrations.

The two laptops containing personal information were unencrypted but were password protected. An internal report established that the company was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate. The report also revealed that managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken.

Mick Gorrill, Head of Enforcement at the ICO, said: ”It is crucially important that portable devices such as laptops containing personal information are properly protected. It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held. All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained.

Facebook users have been warned that a “who viewed my profile” application is indeed a scam and does not genuinely show you who has looked at your profile at all.

Rik Ferguson, a senior security consultant at Trend Micro, warns he has already identified 25 different copies of the same rogue app but using different monikers such as peeppeep-pro, profile-check-online and stalk-my-profile.

Some of the Facebook Applications even offer a photo montage of the aleged visitors to your profile – these are fake and it simply randomly selects a group of your known friends and shows them in the image.

“The app itself is designed to look convincing enough, but none of the many ‘Continue’ buttons it offers will activate some under-the-counter profile checking functionality – they will just push you into another Facebook app earning the scammer advertising revenue in the process,” Ferguson explains in a blog post containing screenshots illustrating the scam, which resurfaced over the weekend. “There is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile.”

As always, TheRegister has a full report here: http://www.theregister.co.uk/2010/03/15/facebook_profile_stalk_scam/

At Consider IT, we want all our clients, customers and readers of our blog to remember not to install Applications you don’t trust. If something looks suspicious, then chances are it’s a scam. Err on the side of caution and ask yourself if you really want this unknown Application on your Facebook profile.

At the time of posting, Facebook have taken action to remove the offending Applications from their services.

WordPress were alerted to a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2.

If you use our WordPress Management service, your WordPress website will be updated this week. If not, simply log in to your wp-admin login area and click Upgrade WordPress.

The Information Commissioner’s Office (ICO) is reminding charities that personal information must be handled securely after finding the Alzheimer’s Society in breach of the Data Protection Act.

One of the unencrypted laptops contained personal details including names, addresses, national insurance numbers and salary details for about 1,000 staff across England, Wales and Northern Ireland.

Sally-anne Poole, Head of Investigations at the ICO, said: “A thousand staff members’ details were stored on unencrypted laptops. This is unacceptable; portable devices must be encrypted if they are used to store personal information. It is vital that all organisations ensure personal information is handled securely and that appropriate staff have adequate training in this area.”

Are your laptops encrypted? Find out more about encryption services.