/v3-uk/news/2001819/ico-slaps-verity-trustees-protection-breach
27 Nov 2009, Dan Worth, V3
Verity Trustees has been made to sign a Formal Undertaking by the Information Commissioner's Office (ICO) after the theft of a laptop containing sensitive data on 110,000 individuals.
Mick Gorill, assistant information commissioner at the ICO, described the incident as a "stark reminder of how easily people's details can be put at risk".
Of the 110,000 individuals affected, the laptop contained the bank details of 18,000 of them, along with names, addresses, dates of birth and National Insurance numbers.
As well as signing the Formal Undertaking to process personal data in accordance with the Data Protection Act, Verity must ensure that portable and mobile devices used to store and transmit personal data are encrypted.
The data was downloaded for training purposes by Northgate Arinso, the supplier of Verity's computerised pensions systems, and subsequently stolen from one of its locked server rooms. This was in breach of the firm's policy of using only anonymous data samples of 50 to 100 pension scheme members.
Graham Cluley, senior technology consultant at Sophos, said that organisations which handle personal data should put technology in place that not only encrypts sensitive information, but polices the movement of that data.
"There is a danger that the public are losing trust in the ability of organisations to look after personal information, but it's essential that confidence is maintained," he added.
Gorill said that he was encouraged to see that Verity had "taken remedial steps" since the data loss, including the engagement of a fraud protection service provider to protect the affected individuals.
"I am satisfied that the Trustees will now take appropriate steps to ensure that individuals' details are protected," he said.
Cluley also said it was good that Verity is engaging with a fraud protection service, which "may offer some comfort to concerned customers who may have been affected".
However, the security expert questioned whether other companies will learn from this incident, and put "proper defences in place to ensure that data accidents like this do not happen again".
Do you agree?
A Masterclass in how to make news out of nothing.
'...slaps Verity Trustees'?
The undertaking is actually a VERY short list of points to consider and improve on. The ICO equivalent of "Move along please, nothing to see here".
Hence the need to heavily pad the article with generalisms from an IT security firm that everyone has heard of to make it sound like there is still a story.
Why not pop along to www.theregister.co.uk for some real news?
Posted by Ghost, 01 Dec 2009