Housing groups leave unencrypted data in a pub

THE UK INFORMATION COMMISSIONER'S OFFICE (ICO) has slammed two housing groups in London for leaving unencrypted data on thousands of tenants, including banking details, on a USB memory stick in a pub.

The ICO said that Lewisham Homes and Wandle Housing Association had breached the 1998 Data Protection Act by failing to encrypt the information of over 26,200 people.

20,000 of these belonged to Lewisham Homes, with 800 of that number containing bank account details.

The information was copied to the memory stick by a contractor working for both firms and was subsequently left at the traditional place most unencrypted drives are found - the local pub. Luckily for the housing companies the device was found and turned in. If a more unscrupulous individual had found the drive the data easily could have been abused.

The ICO told the two companies that they must ensure that all personal information is encrypted and that all staff, including contractors, must follow the proper policies and procedures for handling such information. It also called for staff to be monitored to ensure that data security is being maintained. Lewisham Homes and Wandle Housing Association have agreed to these demands.

"Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office," said Sally-Anne Poole, Acting Head of Enforcement at the ICO. "Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected."

The ICO did not fine the housing bodies, despite the fact that they clearly breached the Data Protection Act. Just because on this occassion the data was not abused does not mean that they did not mess up, so a light telling off might simply not be enough to ensure they conform with proper data protection practices.

Failure to encrypt sensitive data is becoming an increasing problem across the world. The NHS was slated in June for storing unencrypted details of millions of people on a laptop that was subsequently stolen.

The EU said it would crack down on data privacy abuse, primarily in terms of Apple and Google's collection of location data, but tighter regulations and harsher penalties need to be employed to ensure that people stop leaving unencrypted data laying around for anyone to find. µ