Manchester Police fined £120,000 for loss of sensitive data on personal USB stick

Greater Manchester Police have been issued with a monetary penalty of £120,000 after a USB stick containing sensitive personal data was lost.

According to the Information Commissioner's Office (ICO), the device was unencrypted and had no password protection. It contained details of more than a thousand people with links to serious crime investigations and was stolen from an officer's home.

The theft, on the 17th July 2011, happened when an officer employed by the data controller had his house burgled and his wallet, which contained the USB stick, was stolen. To date this has not been recovered.

The officer had worked in the data controller's Serious Crime Division for around ten years and had used a personal USB stick to download information from his folder on the shared drive of the data controller's network, which was subject to access controls. He had been issued an unencrypted USB stick in 2003/4, but had replaced it with his own USB stick when it became full.

The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers so that it could be accessed away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.

David Smith, ICO director of data protection, said: “This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.

“It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.

“This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”

Terry Greer-King, UK managing director for Check Point, said: “In November 2011, we surveyed 320 UK public and private sector organisations and 50 per cent of them were still not encrypting data on USB sticks, despite the high-profile security breaches of recent years. So these losses will keep happening.

“The fact that a subsequent amnesty by the GMP on personal, unsecured devices led to 1,100 such devices being handed in highlights the scale of the problem. Without the proper controls in place, employees will continue to use personal devices for work, simply because they're trying to do their job more efficiently. Firms have to balance that against the need to protect confidential data.”