Glasgow City Council has been slapped with a £150,000 fine after two unencrypted laptops containing personal details of over 20,000 people were stolen.
Bank account details of 6,069 individuals were stored on one of the laptops.
An investigation by the Information Commissioner’s Office (ICO) found that on 28 May last year two laptops were stolen from the Glasgow City Council offices during a refurbishment.
One laptop was locked up in its storage drawer and the key placed in the drawer where the second laptop was kept. But that second drawer was left unlocked, meaning the thief could easily get access to both.
One contained the council’s creditor payment history file, listing personal information of 20,143 people, including the bank data.
The ICO later found another 74 unencrypted laptops appeared to have been lost, with at least six known to have been stolen.
“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost,” said Ken Macdonald, the ICO’s assistant commissioner for Scotland.
“To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow.”
A Glasgow City Council spokesman said the data loss “should not have happened”. “The council co-operated fully with the Information Commissioner’s Office and wrote to everyone potentially affected to advise them of the data loss,” he added.
“The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action.”
Are you a pedant on privacy? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
Surely it is time for all public sector bodies to face up to the fact of the ICO's willingness to issue heavy penalties for negligence? If organisations are to avoid facing fines at a time when they can ill afford financial wastage, important steps must be taken to improve IT procurement and disposal processes.
Investing in IT hardware with comprehensive encryption is key: organisations must approach hardware manufacturers with demonstrable experience in this area, and those which offer encrypted laptops which meet a variety of security benchmarks, such as CESG approval. Windows 8 Professional is another great example, now featuring Windows BitLocker as standard for no extra cost, as long as public sector customers procure notebooks and tablets that have Trusted Platform Module (TPM) modules, then they can be encrypted up to IL3 Level Security. This will be more than adequate for the vast majority of local authorities and indeed wider public sector workers, outside of serious crime and defence.
If public sector bodies adapt a best practice approach to data security upfront then the wrath of ICO fines can be kept at bay.
Simon Harbridge, CEO, Stone Group