A laptop containing the personal information and bank account details of thousands of people and businesses has been stolen from Glasgow City Council.

The local authority is now contacting 37,835 affected customers, including suppliers and people receiving winter fuel payments and care grants.

Strathclyde Police and the Information Commissioner have been informed about the theft, which took place last month.

The laptop was password-protected but not encrypted.

It was one of two laptops stolen during a break-in at the council offices in Cochrane Street some time between Monday 28 and Tuesday 29 May.

The local authority said the full extent of the data loss did not become apparent until last Wednesday.

The information on the laptop relates to 17,692 companies and 20,143 individuals.

It includes names and addresses and, in the case of 16,451 customers, bank account details.

A full internal audit is being carried out.

A council spokesman said: “We are in the process of writing to the people affected by this theft to alert them to the data loss and offer them advice about what steps they might need to take.

“We’ve also provided them with a phone number they can use to contact us if they have any questions.

“We are sorry that this has happened and apologise for the inconvenience it has caused. Anyone with any information on the theft should contact Strathclyde Police.”

He added: “Customers should remember that no one from the council would ever call at their home or telephone them to ask for personal information, such as banking details.

“A bank will never ask for a customer’s PIN or for a whole security number or password.”

A Scottish charity – based in Glasgow – breached the Data Protection Act after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.

The information included peoples’ names, addresses and dates of birth, as well as a limited amount of data relating to the individuals’ health. The charity – Enable Scotland (Leading the Way) – promptly reported the incident to the ICO in November 2011 and informed those individuals affected.

The ICO’s investigation found that the information should have been deleted from the memory sticks once it had been uploaded onto the charity’s server. The charity had no specific guidance for home workers on keeping personal data secure, and portable media devices used to store sensitive personal information were not routinely encrypted.

Ken Macdonald, Assistant Commissioner for Scotland said:

“Organisations that use memory sticks to store personal information must make sure the devices are properly protected. Encrypting the data means that the information will remain safe even if the device is later lost or stolen. It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable.

“We are pleased that Enable Scotland has taken action to keep people’s information safe, however this incident should act as a warning to all charities that they must ensure that personal information is handled correctly.”

Peter Scott, Chief Executive of Enable Scotland, has now signed an undertaking, committing the charity to improving its compliance with the Data Protection Act. This includes making sure laptops used to store sensitive personal data are encrypted. Hard copy files will only be removed from the office when absolutely necessary and will contain the minimum amount of personal data required. Guidance will also be provided to home workers, to ensure that any personal data taken outside of the office is kept secure.

Edinburgh IT Support company, Consider IT, has recently learned that security software publisher Symantec has confirmed it was recently the victim of a cyber attack, resulting in the theft and disclosure of product source code. Via its website, the company affirmed Anonymous’ claims, citing a source code heist dating back to 2006. The post goes on to suggest that users running Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks, Symantec Endpoint Protection 11.0, or Symantec AntiVirus 10.2 apply the latest maintenance patches.

Earlier this month, the online-collective Anonymous stated, via Twitter, that it possessed portions of the code in question and planned to release it in support of a class-action lawsuit filed by consumers – the suit claims Symantec employed scare tactics to encourage users to purchase its wares. If you have the company’s pcAnywhere solution deployed, Symantec suggests only using it for “business critical purposes,” as this software is “at increased risk.” Those looking to stay up-to-date on the breach and what Symantec is doing to ameliorate its effects can get the blow-by-blow from the source link below.

The security vendor said at the time that because the code is old, customers running Norton products today should not be in any increased danger of cyberattacks. However, the company admitted that users of pcAnywhere, which has not changed as much as the Norton products over the past few years, might face an increased risk because of the leak.

A patch for pcAnywhere 12.5 was released on Tuesday in order to address two security vulnerabilities that could lead to arbitrary code execution or privilege escalation. The flaws were reported privately to Symantec by security researchers Tal Seltzer and Edward Torkington.

Lewis Peckover, who set up a little web tool that displays all the “HTTP header information” sent to sites by web browsers, highlighted yesterday that O2 include your mobile phone number whenever you visit a website whilst running over the 3G network.

Users of the social news site, Reddit.com, confirm this problem also happens with Tesco Mobile.

For O2 and Tesco customers browsing on a 3G connection, these headers also include their personal telephone number in an x-up-calling-line-id line. Enterprising website owners can easily keep a copy of the HTTP header information sent over by visiting browsers and tie it to IP addresses and logins, if applicable.

O2 commented on their Twitter feed:

@lewispeckover Hi Lewis. The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device #O2Guru  (https://twitter.com/#!/O2/status/161872584634408960)

Edinburgh IT Support company, Consider IT, would like to make clients and visitors aware of a recent McAfee vulnerability that has been confirmed by McAfee themselves.

McAfee is promising to fix a vulnerability in its anti-malware service after it was alerted to a flaw that allows systems where the product was installed to be turned into spammers.

The spamming problem from this software resulted in major inconvenience for some McAfee customers, whose email was blocked after their IP addresses appeared on blacklists. McAfee’s forums show some of these customers complaining here and here.

In a blog post (here), McAfee said:

The patch will be released on January 18 or 19, as soon as we have finished testing. Because this is a managed product, all affected customers will automatically receive the patch when it is released.

McAfee says both the issues are restricted to SaaS for Total Protection and don’t affect any of its other products.