Shredded Neat carried out a survey considering the major causes of data loss for businesses in the United Kingdom, taken from hundreds of public sources.
The exact details of loss are often difficult to determine for several reasons, but the most significant ones are:
- The people involved do not know how the loss came about
- They attempt to distract attention from poor practice and hide information
Data losses which are subsequently made public, either in the press or because of action by the Information Commissioners Office (ICO) can be broadly placed in four main categories. Our research showed that the four reason below accounted for all the data losses and were all responsible for about the same 25% level, as a cause.
Poor Storage is a common cause of data loss. This usually related to more bulky data in the form of paper files, which have been stored badly or with poor security applied to the storage location. In our survey, documents were left in buildings that had been vacated only to be found by contractors later, or found by the incoming tenants.
Alternatively, hard copy files had been stored in buildings with poor security and subsequently been accessed either by vandals or maliciously, sometimes they had just been dumped in inappropriate buildings (outhouse!). Sometimes data had been loaded onto computers not recorded on the organisations list of IT assets, then subsequently been lost, stolen or sold. In one case, documents were blown out of a high-level office into the street below.
Case Study 1 – Belfast Health and Social Care Trust (2007 – 2011)
The Trust was formed from the amalgamation of six former trusts in 2007, which resulted in it taking on the responsibility for 50 disused sites. Patient data ranged from the 1950’s through to the present day and included 100,000 paper records; X rays, scans, microfiche and laboratory results, as well as staff employment records.
On amalgamation, the storage site was not properly inspected, but security patrols were put in place. Within a year the CCTV failed to record the access doors and fire and intruder systems had been isolated due to continual faults. Trespassers gained access and removed records and photographs which were later posted on the internet in 2010. Despite the publicity following this earlier security breach and data loss, further incursions occurred during 2011.
The Trust was prosecuted and fined £225,000 by the ICO then required to examine all stored records and either dispose of/retain the records and establish a decommissioning policy for their site.
Theft is also a common cause of loss. Usually this is associated with goods of value, such as computers, laptops, mobiles where the criminal is interested in the hardware and any access to sensitive data on the equipment is a potential bonus. Paper document theft is rare, however when it occurs it can be catastrophic. Paper documents are stolen to order, they may contain important information on state security and thus attractive to terrorists, or contain commercial information of interest to competitors or fraudsters. In one very high profile series of incidents, repeated theft of documents from the waste bins of mainly law firms, led to a cache of over 200,000 documents being found in the thief’s home.
On IT equipment, data loss Incidents of theft were usually with laptops stolen from homes, HDD’s appropriated from secure storage, target thefts of information by disgruntled ex-employees and losses from car break-ins.
Case Study 2 – Benji the Binman (1986-2000)
Benji the Binman may not yet have fulfilled his wish to be famous but his brush with Downing Street certainly raised his profile. Benjamin Pell, a professional muckraker who made a decent living going through rubbish, specialised in stealing waste. Dressed in overalls and a fluorescent jacket, he drove around London emptying bins and black plastic bags into the back of his van. Addresses of prominent people and firms were targeted and paper waste was collected ritually according to precise timings, mainly at night. When he was initially arrested for these activities, police found 200,000 documents in the garden shed at his home.
Benji was paid handsomely by the major newspapers, including News International, Mirror Group and the Mail on Sunday for his data discoveries, and he often worked through well-known PR agent, Max Clifford for some of the very public disclosures.
Many well-known celebrities and politicians had major unwanted information disclosed in lurid press stories following the minor theft of paper wastes from their professional adviser’s offices, or even their own homes.
Case Study 3 – Brighton & Sussex University Hospitals NHS Trust (2010)
The Trust decommissioned several hard drives which were then kept in commercial storage in a locked room protected by CCTV. In April 2010, approximately 1000 of the old hard drives were moved to Brighton General Hospital and stored in a room that could only be accessed using a key code, pending their destruction. The regular contractor for this type of work could not destroy hard drives so they suggested that the work be carried out another Company, which tuned out to be a Company run by one individual.
During September and October 2010 this individual attended the hospital to carry out destruction of the 1000 drives. The hard drives should have been destroyed in the former X-Ray department which again, could only be accessed using a key code. The individual was supervised and occasionally assisted by staff working the main contractor, but not constantly. On completion of the work a “Certificate of Destruction” should have been obtained from the Company containing serial numbers for each drive. Instead, only one generic document was provided for the whole batch.
In December 2010, a data recovery company bought four hard drives via an online auction site from a seller who had bought them from the individual concerned. The data recovery company discovered that the drives held data belonging to the data controller and promptly returned them for further analysis. Amongst various types of personal data, the hard drives held information originating from a database in the HIV and Genito Urinary Medicine Department. The database contained personal data, some of which was highly sensitive, including names; dates of birth; occupations; sexual preferences; STD test results and diagnoses for 67,642 patients in readable format, that was one hell of a data loss
Poor Waste Disposal
Poor Waste Disposal was the largest cause of data loss in the study. In the case of paper documents there are several ways in which they can fall into the wrong hands. In the first instance, unshredded documents are deposited in the general office waste then end being removed by the organisations waste contractor and dumped in a landfill. Sometimes,(this appears to be quite often) the documents have not been removed by a contractor but have been disposed of by an employee in an insecure place, usually the nearest skip outside work.
With data held on HDD’s, these are usually left in place in computer equipment at the time of disposal. Once the old computer has been sold, the buyers access the HDD direct, or purchase the HDD when it comes onto the market for resale, often on eBay.
An important point to make here is where computers or mobiles are sent for recycling. Because someone collects your equipment for recycling, this is no guarantee that they will wipe any data found on the equipment. Unless expressly requested, the recycler will look at all the equipment coming onto their site. Any equipment, whole computers, recovered HDD’s or mobile handsets with residual value will be resold, usually in bulk, to third world markets which are hungry for this type of equipment and this equipment may be sourced specifically by criminals leading to data loss.
Case Study 4 – Inverness Police (2000)
Police files naming people allegedly involved in crimes were found in a rubbish dump. The papers also included an internal memo from a senior member of the force to all inspectors, taking them to task for a lack of action on a particular criminal case. There were police internal files on 126 cases, ranging from bike theft and drugs to serious sex crimes and all with enough detail to identify the suspects involved. The Inverness-based force launched a major inquiry into how such sensitive documents evaded their usual procedure for shredding and disposing of papers. The bundle of papers was posted anonymously to an Inverness newspaper along with a note saying they had been found blowing around a rubbish tip.
Accidental Loss in Transit
Accidental Loss in terms of our definition here, means the accidental loss of data during transit, clearly this can be from the loss of paper files or all other types of media. Common causes for these losses are due to the documents or files being left in cars, trains or the back of taxi’s; or just left in the street in a rucksack!
These are all clearly accidents, but data has also been lost by professional courier companies which are used to transport data disks or backup files between different offices within the UK and sometimes internationally.
Accidental losses often have one very important factor in common, for in over half of the cases of accidental loss we investigated, the data had been lost in a pub or restaurant ! Files, bags, laptops and memory sticks have all been lost in this environment. The moral of this part of the story is ‘Don’t Drink & Data’.
Case Study 5 – Ruth Crawford QC (2011)
The ICO was informed on 30 August 2011 of the theft in summer 2009 of an unencrypted laptop from the study of Ruth Crawford QC’s home. The laptop, which was not encrypted, contained sensitive personal data relating to many individuals who were involved in cases on which she was instructed to act.
The theft occurred while she was on holiday, having left plumbers to fit a new boiler at her home. The QC provided the plumbers with keys and the code to her alarm. She highlighted the importance of keeping her front door locked and of activating the alarm when leaving the house. Upon returning from holiday she discovered that her laptop and a purse were missing from her study. She subsequently reported the matter to the police. The ICO in their prosecution noted that physical security measures were in place at the time of the incident, but that there was insufficient technical security employed on the laptop to protect the data. As this incident took place before April 6, 2010, the ICO was unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too
Case Study 6 – Croydon Borough Council (2012)
A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved and the onus was on staff to update their own knowledge and read the data controller’s policies in the intranet. No checks were made to ensure that staff had read or understood these polices.
The Council was fined £100,000 since it was clear that although there was a need to take sensitive data outside of the office, the Council had no policies in place to ensure this was done securely