Two housing organisations have been given a slap on the wrists after the personal details of thousands of people, including some bank account information, were lost on a USB stick.
The Information Commissioner’s Office (ICO) said a contractor lost the USB stick, which contained information from Lewisham Homes and Wandle Housing Association, in a pub in London. It was found and handed to police.
A contractor working for both housing associations had copied the details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association. Around 800 of the records from Lewisham Homes contained bank account information, the ICO said.
The information was not encrypted, the ICO said. However, both organisations have agreed to ensure that all portable devices used to move personal information will be encrypted. All staff, including contractors, will have to follow existing policies on handling sensitive information, and they will be monitored to ensure they are keeping personal information as secure as possible.
"Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected," said Sally-Anne Poole, acting head of enforcement at the ICO.
The fact that it was a contractor that lost the USB and not a member of staff raises questions about how companies should deal with external access to sensitive data.
"This data breach shows a worrying lack of regard both by the contractors and, by extension, by Lewisham Homes and Wandle Housing Association," said Chris McIntosh, CEO of ViaSat UK. "The fact that the contractors were holding unencrypted details from both associations on a single memory stick shows little or no consideration that the information might be lost or stolen.
"This loss demonstrates that when bodies such as housing associations enlist the services of contractors and outside organisations, they must ensure that they obey data protection best practices and can be trusted with sensitive information. For their part, contractors that are entrusted with the sensitive details of thousands of third parties through their employers should have far greater regard for data protection," he added.
"It is important to note it was a third party contractor that lost the data and not trained internal staff and thus highlights the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data," added Edy Almer, VP product management, Safend.