BreachExchange mailing list archives
ICO Fines London Council for Gangs Matrix Data Leak Exposing 203 People
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 10 Apr 2019 00:51:05 -0500
https://www.bleepingcomputer.com/news/security/ico-fines-london-council-for-gangs-matrix-data-leak-exposing-203-people/

The London Borough of Newham received a £145,000 monetary penalty from the Information Commissioner’s Office (ICO) after leaking the personal information of more than 200 individuals allegedly associated with gangs.

As discovered by an ICO investigation, the personal data of more than 203 alleged gang members was disclosed by a Newham Council employee who emailed the info part of the Gangs Matrix police intelligence database to 44 recipients, in both redacted and unredacted form.

The ICO found that the council employee shared dates of birth and home addresses with the third parties, as well as info on the supposed gang members' association, firearm, or knife carrying status.

Fine was issued under the Data Protection Act 1998

All the personal info leaked in the breach was sent by the Metropolitan Police Service (MPS) during a coordinated operation designed to both prevent and tackle gang violence.

According to the monetary penalty notice, "The Gangs Matrix is a database of intelligence about gang members. One of the purposes of the Gangs Matrix is that relevant information and intelligence about persons on the Matrix is shared with relevant bodies in order to prevent and detect crime, deter gang activity and enable appropriate support to those who need it."

Following the data leak, multiple gang-related violent incidents were reported in the Borough of Newham, with some of the victims having been listed on the shared unredacted list.

Because the data breach occurred during January 26, 2017, the fine was issued under the Data Protection Act 1998, and not under the General Data Protection Regulation which replaced it on May 25, 2018.

"We recognise there is a national concern about violent gang crime and the importance of tackling it. We also recognise the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely," said Deputy Commissioner James Dipple-Johnstone.

Council failed to notify the ICO of the breach

To make things even worse, while the Newham Council conducted an investigation it failed to report the data breach to the ICO, further increasing the danger the individuals in the leaked Gangs Matrix data were exposed to. Furthermore, the council also delayed the investigation until December 2017.

The Newham Council data breach was eventually discovered by the ICO during a wider inquiry on the use of the Gangs Matrix database by the MPS.

Following this investigation, which found that the MPS also failed to comply with data protection rules, the ICO issued an enforcement notice which required the MPS to provide "providing better arrangements for sharing the Matrix with partner agencies."

"Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious," also argued Dipple-Johnstone.