By Will Sturgeon, 28 February 2007 16:55
More than 16,000 council workers in the Midlands have been warned their sensitive personal data may have been compromised after a laptop was stolen from one of their colleagues.
And bosses at Worcestershire County Council are facing criticism for reportedly taking more than a week to inform those staff affected of the possible breach and the related risk of identity theft.
A spokeswoman for the council told silicon.com the laptop contained data on more than 16,000 council workers and was stolen during a robbery. She wouldn't confirm when the robbery took place, but said this non-disclosure was a deliberate attempt not to alert the laptop thief to the potentially sensitive data they may now have in their possession.
She said: "Obviously laptops get stolen every day in the UK and we don't want to tell people when this particular laptop was stolen in case that alerts the thief," expressing concern the robber could abuse the data on the laptop if they accessed it.
However, she said the laptop has "some layers of security on it" to protect the data it stores.
Although experts believe there is no such thing as a 100 per cent impenetrable laptop, sound basic security would normally be enough to ward off a curious opportunist, rather than a motivated data thief.
The spokeswoman confirmed all staff affected have now been contacted in writing and a hotline number has been set up to handle enquiries. Over the past five days around 370 concerned staff have either emailed or phoned the hotline for advice, said the spokeswoman.

Comments
There are 11 comments.
1. anonymous
Isn't it about time that people stop synchronising (sensitive) data to their mobile devices? A laptop, which has, by default, become one's desktop, is nothing but a mobile device and the way Outlook, for example, forces one to synchronise is dangerous.
2. Samuel Smith
According to the Worcester News it was actually the council's IT supplier SERCO that had the laptop taken. The FD at WCC was quoted as saying "The personal details include names and addresses," and also had "details relating to national insurance and bank accounts".
There are many comments on the Worcester News website asking why such information was held on a laptop etc. and let's hope strong questions are asked by WCC.
3. Gordon Davies
It is utterly ridiculous in this day and age that all data held within our public services of a personal nature isn't encrypted. Perhaps, more importantly, checks and processes should be in place that never allow data of this nature to reside on anyone's laptop - ever!
There really is no excuse. This area is long overdue some detailed legislation forcing compulsory compliance. Clearly, BS 7799 is simply inadequate in many areas, and as a standard is largely being ignored by many organisations. I suspect it will only be when there is a massive fraud or failing uncovered before steps are taken to close this huge gap in information security.
4. Graham Coles
I just love the comment:
... but said this non-disclosure was a deliberate attempt not to alert the laptop thief to the potentially sensitive data they may now have in their possession ...
Yes, because there's absolutely no way that having stolen a laptop that they could discern this fact. Unless, of course, they decide to actually press the power button and look at what's on the machine they have just stolen!
Clearly we need legislation to make non-disclosure a criminal offence as otherwise we will have to put up with an endless bunch of lame excuses like this each time data gets compromised.
5. anonymous
Surely the question has to be asked, What was all this personal information doing on a Lap top that was so apparently easy to steal? There seem to be too many lap tops with sensitive information just lying about for thieves to walk off with. Should the computer data act now be adjusted to include a criminal offence to put sensitive material on lap tops or portables that again appear so easy to steal? A little like shutting the gate after the horse has bolted but someone now has to make a stand. The responsibilities of firms and employees should be tightened up.
6. Richard
Why still rely on such open "secrets"?
Surely this type of personal information is now very easy to discover: Why do so many Banking and Government security procedures still rely on it being "secret"?
Rather than wringing our hands each time a laptop is stolen; shouldn't we start using more reliable security?
My name & address are in the phone book; they are also on the Government's compulsory public register of Company Directors: Other details appear on Domain registers: My banking details or credit card number are disclosed for most purchases: The DWP regularly does "mass mailings" which contain a wealth of personal information: Many people post biographical information (eg. Schools, mother's maiden name, etc.) on Social Networking and Genealogical web-sites.
Let's stop pretending that these details are "secret"!
7. anonymous
It is just stupidity to transport significant lists of personal information on a laptop. It shouldn't have been there in the first place. You have to ask was it some tech support or HR person thinking they were powerful to have such sensitive information close to hand? Maybe it's time for some Local Government guidelines on such things.
8. anonymous
As an affected person, and having worked in an outsourcing organisation dealing with such sensitive data, I was appalled to receive the letter from Worcester County Council. The notice also stated that "The equipment was owned and being used by .... SERCO .... "; it goes on to say that it was a "street robbery" that "took place away from Worcestershire".
Questions should and will be asked as to why this data was taken off site and why it was not encrypted. The document says the computer is "password protected" - hardly secure.
9. anonymous
We might as well give up and surrender. The government brought out all these laws and rules and regulations to protect us from ID theft but no matter what we, as individuals, do, local councils, banks, and other organisations that should know better, are putting our personal data at risk of theft by storing data on laptops (at risk of theft like any other portable item) and storing excessive amounts of data in one place. I cannot understand why MY personal data should be on ANYONE'S laptop and why an organisation outside of the one holding such information, should have access to it. The only people who need my National Insurance number are my employers, the relevant government department, and ME! It is no-one else's business. When the NHS records go on the computer data base being put together right now NOTHING will be sacred! Big brother has come of age, he is now a BIG GIANT and he thinks he is God!
10. anonymous
As an affected person, and having worked in an outsourcing organisation dealing with such sensitive data, I was appalled to receive the letter from Worcester County Council. The notice also stated that "The equipment was owned and being used by .... SERCO .... "; it goes on to say that it was a "street robbery" that "took place away from Worcestershire".
Questions should and will be asked as to why this data was taken off site and why it was not encrypted. The document says the computer is "password protected" - hardly secure.
11. anonymous
Deploying effective database security to control the effects of this kind of breach is a no-brainer – whether or not staff are able to download so much customer information that they leave organisations exposed to such basic risks as the theft of a laptop.
Even though employees may well need to access critical business data, every organisation should be able to identify requests to download such large amounts of information as ‘out of the ordinary’ and block them.