Tag Archives: ICO

Holding on to data is not good practice: a look at the Wetherspoons breach.

Del Brazil turns his well-experienced eye to the Wetherspoons customer data breach and asks some questions about how data was being managed, given how long some of this data had been retained by Wetherspoons. 

It has recently been reported that the pub chain JD Wetherspoon has admitted that card data belonging to 100 customers was stolen from a database after it was hacked.  Wetherspoon’s have stated that “very limited” credit and debit card information was accessed in the hack in June and that the information could not be used as part of any attempted fraud.  Wetherspoon’s further stated that personal details, including names and email addresses, may also have been stolen from more than 650,000 people.

The Information Commissioner’s Office has been notified of the breach, which only came to light recently, and is investigating accordingly.

The hacked database contained customers’ details, including names, dates of birth, email addresses and phone numbers; the 100 customers whose card data was stolen had apparently bought Wetherspoon vouchers online between January 2009 and August 2014.

Will a lead lined wallet be the only solution?

“Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon’s database,” said John Hutson, Wetherspoon’s chief executive.  None of the card data held by Wetherspoon’s was encrypted, on the basis that the other associated card details were not stored on the database.

A letter to those customers whose details may have been hacked advises them to “remain vigilant for any emails that they are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information”.

Despite an email warning being received about the suspected breach, little if anything was done to investigate further the possibility that a hack had taken place.  The warning email may have been captured by a spam filter and either quarantined or automatically deleted, depending on the settings of the relevant servers.

Mr Hutson said that the hack occurred between 15th and 17th June and that there was no evidence of fraudulent activity using the data taken from the database.  He added: “We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.”

Serious questions need to be asked of Wetherspoon’s as to why they were retaining customer data for such a long period of time, in fact well past the time for which it was intended to be used.  Further investigation should establish how and why the data was retained for so long; again, one of the main data protection principles, that personal data should not be kept for longer than necessary, is at the forefront of the author’s mind.   If the data was being retained for an appropriate reason and with the individuals’ permission, were there sufficient security measures in place to safeguard it against, and deter, would-be hackers?
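As an added example (this is not code from the original post, nor anything Wetherspoon’s used), the kind of check a practitioner would run before relying on either claim above: a small Python audit that scans stored card fields for anything that still looks like a full, Luhn-valid card number (rather than a masked last-four value), and separately flags records held beyond a declared retention window. The sample records, the field names, the 18-month retention period and the audit date are all assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

# Constructed sample records for illustration only; not data from any real breach.
# "card" is whatever the application stores in its card column; "purchased" is
# the voucher purchase date that retention is measured from (both assumed names).
SAMPLE_ROWS = [
    {"id": 1, "card": "4111111111111111", "purchased": date(2009, 3, 2)},
    {"id": 2, "card": "************4242", "purchased": date(2014, 8, 1)},
    {"id": 3, "card": "4242", "purchased": date(2015, 6, 1)},
    {"id": 4, "card": "5500 0000 0000 0004", "purchased": date(2013, 1, 1)},
    {"id": 5, "card": "1234567890123456", "purchased": date(2012, 7, 15)},
]

# Assumed policy values: keep voucher records 18 months, audit as of 1 Dec 2015.
RETENTION_DAYS = 548
AUDIT_DATE = date(2015, 12, 1)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit sequences found in text (likely full PANs)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form the post says was stored."""
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_rows(rows, retention_days: int, today: date) -> dict:
    """Flag rows older than the retention window and rows still holding a full PAN."""
    cutoff = today - timedelta(days=retention_days)
    report = {"expired": [], "full_pan": []}
    for row in rows:
        if row["purchased"] < cutoff:
            report["expired"].append(row["id"])
        if find_full_pans(row["card"]):
            report["full_pan"].append(row["id"])
    return report


def example_report() -> dict:
    """Run the audit over the constructed sample with the assumed policy values."""
    return audit_rows(SAMPLE_ROWS, RETENTION_DAYS, AUDIT_DATE)


if __name__ == "__main__":
    report = example_report()
    print("records past retention:", report["expired"])
    print("records still holding a full card number:", report["full_pan"])
    for row in SAMPLE_ROWS:
        for pan in find_full_pans(row["card"]):
            print(f"row {row['id']}: would store {mask_pan(pan)} instead")
```

Two things the check shows that the paragraph alone does not: a masked or truncated value such as `************4242` never matches, so a clean audit is meaningful, and a 16-digit string that fails the Luhn check (row 5) is not reported, which keeps false positives down when the column also holds order or voucher numbers.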

Wetherspoon’s have already given a clear indication that they fully intend to keep their retention of personal data to a minimum, as stated by founder and chairman Tim Martin.  Is this likely to satisfy the ICO?  In essence, yes, as it shows a clear intention to limit the amount of personal data retained by Wetherspoon’s; although once the ICO investigation has been completed it is likely that a number of requirements and/or recommendations will be imposed by the ICO.

It is the author’s opinion that, should the ongoing ICO investigation highlight significant failings by Wetherspoon’s in the protection of customer data, a fine should be imposed that is in line with the seriousness and size of the breach.  The ICO may take a dim view of this breach as it is likely to flout one of the key Data Protection Act principles, in that Wetherspoon’s may have been storing customer data for longer than necessary and may not have afforded the information an appropriate level of security.

Currently there is no general legal requirement for companies to report data breaches and/or losses to the ICO; however, this is likely to change in the very near future.  In the author’s opinion, each and every company has a moral obligation not only to report the breach or loss of personal data to the individuals concerned but also to a recognised institution, such as the ICO, so that improvements in data protection can be driven by examining previous failings.

By popular demand…

Our NHS CCTV Awareness training day is back!

For all users and viewers of CCTV images in the NHS, regardless of role, the course is designed to keep NHS trusts on the right side of the Data Protection Act and ICO guidelines.

November 20th is the date at the training centre, but if you have a larger group and would prefer us to come to you, we can arrange that for you.

You can get details of the course, prices and a booking form here…

“This was a really informative day. Lots of questions answered. I wish we had had this training when the CCTV was first installed.” – recent delegate from Cornwall Foundation Trust

ICO Fine of the NHS Trust – Who Owns the Risk?

If you have an NHS card, receive NHS treatment or have ever been to hospital, raise your hand… either a lot of us want to leave the room at the same time, or this particular kind of breach can affect pretty much everyone in the UK.

From the ICO website:

“NHS Hospital Trust receives a Civil Monetary Penalty (CMP) for serious data breach.

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.”

You can read the full piece here.

Discussion of this penalty in various places online has raised a variety of questions and opinions. Some people, even within the data protection community, feel that this was ‘too harsh’ (source: LinkedIn European Data Protection Forum discussion). Others, with a due sense of subject fatigue, feel not only that it was right but that it is more like the kind of penalty the ICO needs to be handing out, and not just to the public sector either.

Looking at this particular breach and reading the arguments that the penalty was too high makes me wonder whether people understand the risk scenario. The task of destroying these hard drives was outsourced, but the drives were still owned by the Trust, and the Trust was still the guardian of this data.

It looks like a failure of risk management that this occurred, and one would question whether proper due diligence was performed on the contractor tasked with it. A decent risk assessment would have suggested either sanitising the data prior to disposal or procuring an on-site disposal service, the supplier of which should have been sourced from a reputable list such as SEAP. I guess you get what you pay for.

The bottom line is that the buck stops with the Trust: they were the guardians of this data. They outsourced the task, not the risk or the accountability. If the Chief Executive is the SIRO, which they should be, should they be made personally accountable for incidents like this? CESG guidance is very clear on how highly sensitive data should be handled in these circumstances, so there really is no excuse.