BreachExchange mailing list archives

Essex County Council facing ICO probe over data breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 27 Aug 2012 14:58:11 -0400

http://www.cbronline.com/news/essex-county-council-facing-ico-probe-over-data-breach-200812

Details of 400 vulnerable citizens were sent outside the council's network

Essex County Council has admitted to a serious data breach which has
potentially left 400 people exposed to identity fraud.

The leaked details include names, addresses and financial information
of around 400 vulnerable users of the council's services.

The council claims the breach was caused by an employee in the Adults
Health and Community Wellbeing department sending the information to a
computer outside the council's network. Essex County Council has not
revealed exactly how the data breach occurred beyond telling CBR in a
statement that it was, "sent electronically to a member of staff's
home computer."

According to local news website This Is Total Essex, the council
worker has subsequently been dismissed.

Essex Police and the ICO have been informed, the report added.

In a statement the council confirmed a breach but played down fears
the information could lead to identity theft.

"While we are unable to give specific details we can confirm that the
investigation centres on an ex-employee who breached our information
security policy. Whilst the ex-employee had signed a declaration
stating they had deleted the information and not shared it with
anyone, it is our duty to inform service users that their information
has been compromised," the statement said.

"We do not believe there is malicious intent behind this incorrect use
of data. The information involved is such that (the risk of) identity
theft is minimal," the council added.

The council added that it provides mandatory training to all staff in
data governance and information handling and has "strict" information
security policies and procedures in place.

"With all the security procedures we are supposed to have now and all
the millions the county council has spent on the best IT, it beggars
belief that something like this can have happened," said Councillor
Mike Mackrory, Liberal Democrat opposition leader at the council.

"I am frankly staggered. We need to get to the bottom of it quickly
and ensure our procedures are even tighter," he said.

The Information Commissioner's Office (ICO) is likely to look into the
incident. In a statement it told CBR: "We have recently been made
aware of a possible data breach which may involve Essex County
Council. We will be making enquiries into the circumstances of the
alleged breach of the Data Protection Act (DPA) before deciding what
action, if any, needs to be taken."

It was recently revealed that the data watchdog had handed out 68
warnings over the last year, up from just 46 the previous year.

The ICO has also increased the frequency and amount of fines it has
handed out. During the specified time period it handed out 15 fines
totalling £1.8m, well up on the six fines totalling £431,000 handed
out the previous year, recent figures revealed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/