Glasgow City Council Fined £150k After Big Data Loss

Glasgow City Council has been slapped with a £150,000 fine after two unencrypted laptops containing personal details of over 20,000 people were stolen.

Bank account details of 6,069 individuals were stored on one of the laptops.

An investigation by the Information Commissioner’s Office (ICO)  found that on 28 May last year two laptops were stolen from the Glasgow City Council offices during a refurbishment.

Glasgow City Council in trouble…

One laptop was locked up in its storage drawer and the key placed in the drawer where the second laptop was kept. But that second drawer was left unlocked, meaning the thief could easily get access to both.

One contained the council’s creditor payment history file, listing personal information of 20,143 people, including the bank data.

The ICO later found  another 74 unencrypted laptops appeared to have been lost, with at least six known to have been stolen.

“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost,” said Ken Macdonald, the ICO’s assistant commissioner for Scotland.

“To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow.”

A Glasgow City Council spokesman said the data loss “should not have happened”. “The council co-operated fully with the Information Commissioner’s Office and wrote to everyone potentially affected to advise them of the data loss,” he added.

“The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action.”

Are you a pedant on privacy? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • Surely it is time for all public sector bodies to face up to the fact of the ICO's willingness to issue heavy penalties for negligence? If organisations are to avoid facing fines at a time when they can ill afford financial wastage, important steps must be taken to improve IT procurement and disposal processes.

    Investing in IT hardware with comprehensive encryption is key: organisations must approach hardware manufacturers with demonstrable experience in this area, and those which offer encrypted laptops which meet a variety of security benchmarks, such as CESG approval. Windows 8 Professional is another great example, now featuring Windows BitLocker as standard for no extra cost, as long as public sector customers procure notebooks and tablets that have Trusted Platform Module (TPM) modules, then they can be encrypted up to IL3 Level Security. This will be more than adequate for the vast majority of local authorities and indeed wider public sector workers, outside of serious crime and defence.

    If public sector bodies adapt a best practice approach to data security upfront then the wrath of ICO fines can be kept at bay.

    Simon Harbridge, CEO, Stone Group

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago