27 Nov 2009
Verity Trustees has been made to sign a Formal Undertaking by the Information Commissioner's Office (ICO) after the theft of a laptop containing sensitive data on 110,000 individuals.
Mick Gorill, assistant information commissioner at the ICO, described the incident as a "stark reminder of how easily people's details can be put at risk".
The laptop contained the bank details of 18,000 of the 110,000 individuals affected, along with names, addresses, dates of birth and National Insurance numbers.
As well as signing the Formal Undertaking to process personal data in accordance with the Data Protection Act, Verity must ensure that portable and mobile devices used to store and transmit personal data are encrypted.
The data was downloaded for training purposes by Northgate Arinso, the supplier of Verity's computerised pensions systems, and subsequently stolen from one of its locked server rooms. This was in breach of the firm's policy of using only anonymous data samples of 50 to 100 pension scheme members.
Graham Cluley, senior technology consultant at Sophos, said that organisations which handle personal data should put technology in place that not only encrypts sensitive information, but polices the movement of that data.
"There is a danger that the public are losing trust in the ability of organisations to look after personal information, but it's essential that confidence is maintained," he added.
Gorill said that he was encouraged to see that Verity had "taken remedial steps" since the data loss, including the engagement of a fraud protection service provider to protect the affected individuals.
"I am satisfied that the Trustees will now take appropriate steps to ensure that individuals' details are protected," he said.
Cluley also said it was good that Verity is engaging with a fraud protection service, which "may offer some comfort to concerned customers who may have been affected".
However, the security expert questioned whether other companies will learn from this incident, and put "proper defences in place to ensure that data accidents like this do not happen again".
A Masterclass in how to make news out of nothing.
'...slaps Verity Trustees'? The undertaking is actually a VERY short list of points to consider and improve on. The ICO equivalent of "Move along please, nothing to see here". Hence the need to heavily pad the article with generalisms from an IT security firm that everyone has heard of to make it sound like there is still a story. Why not pop along to www.theregister.co.uk for some real news?
Posted by: Ghost 01 Dec 2009