STE WILLIAMS

Councils ‘fessed up to just 55 of 1,035 data loss shockers

The scale of data-handling gaffes at local authorities has been revealed by a new report that uncovered 1,035 incidents where confidential information about British citizens was lost.

Privacy campaign group Big Brother Watch (BBW) submitted 433 Freedom of Information Act requests to councils across the UK that covered a three-year period from August 2008 to August 2011.

The FOIs asked the authorities to report the number of cases where sensitive information had been lost by council staff, as well as explain the nature of the data loss. BBW also requested details about how many employees had been subsequently disciplined, sacked or prosecuted for such data breaches – and it asked what response each council had given to individual incidents.

In total, the campaigners received 395 replies from local authorities.

“We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care,” said BBW in a statement accompanying its report (PDF).

“Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.”

Despite that, BBW found that local authorities only reported a paltry 55 incidents to the Information Commissioner’s Office, which handles data loss complaints.

The group added that only nine incidents – where data was mishandled by council staff – resulted in the individuals concerned being sacked.

“I welcome this research by Big Brother Watch,” local government minister Grant Shapps told the data protection advocates.

“This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

Here’s a snapshot of some of the data losses uncovered by BBW, where the incidents weren’t subsequently reported to the ICO:

  • In Bolton a smartphone “slid off a car bonnet” and was said to be “irretrievable without dismantling the car park”. The authority said the phone contained internal contact details of Bolton council workers. It said the “phone was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete.”
  • Schoolchildren’s ID cards in Fife were delivered by post to the wrong addresses, the Scottish authority admitted. It said personal data that may have been leaked included pupils’ names, photos, and possibly their dates of birth, as well as information about entitlement to free school meals. However, no action was taken, other than staff visual checks on all cards swiped by pupils at the school.
  • In Kent, scanned case notes relating to children were found on Facebook. They contained data that would identify individuals, the council admitted. The authority contacted the police and the director of children’s social service was also informed about the incident.

The Register asked the ICO to respond to BBW’s findings. It said:

It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.

Four out of the six monetary penalties that we’ve issued so far have involved data losses at councils.

Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.

We’re calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers.

The watchdog pointed us at its own list of local authority data cock-ups where “enforcement action” was taken over the past two years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/big_brother_watch_report/

Stripper name game exposes sensitive privates on Tumblr

An online game that invites surfers to disclose potentially sensitive information has returned in a slightly different guise, two years after its first appearance.

A viral game that surfaced on Twitter back in May 2009 encouraged users of the service to come up with their “porn star name” – which was made up of the name of their first pet and the name of the street they lived in as a kid.

A marginally altered form of the same ruse surfaced on micro-blogging site Tumblr this week, encouraging trendy netizens to disclose the name of their “first pet” and the street they live on, this time to find out their supposed “stripper name”.

There’s no evidence to say that either application is malign, but taking part just for a quick giggle is still a bad idea. That’s because, as Chris Boyd of GFI Software points out, information of this nature is often used to reset the passwords of webmail accounts and other similar services.

“Stop and think how many services still ask for your pet name and street name on things such as password reset questions,” Boyd writes. “Then pause to consider an email address you use may be public-facing, and have just such a question bolted onto it.”

“You may want to keep your clothes on and stick to the day job at that point,” he adds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/stripper_name_game_silliness/

Climategate 2.0: Fresh trove of embarrassing emails

Analysis There was always an element of tragedy in the first “Climategate” emails, as scientists were under pressure to tell a story that the physical evidence couldn’t support – and that the scientists were reluctant to acknowledge in public. The new email archive, already dubbed “Climategate 2.0”, is much larger than the first, and provides an abundance of context for those earlier changes.

“I can’t overstate the HUGE amount of political interest in the project as a message that the Government can give on climate change to help them tell their story,” a civil servant wrote to Phil Jones in 2009. “They want the story to be a very strong one and don’t want to be made to look foolish.”

Having elevated global warming to the most dramatic, urgent and over-riding issue of the day, bureaucrats, NGOs, politicians and funding agencies demanded that the scientists must keep the whole bandwagon rolling. It had become too big to stop.

“The science is being manipulated to put a political spin on it which for all our sakes might not be too clever in the long run,” laments one scientist, Peter Thorne. Professor Jagadish Shukla, a lead IPCC author, IGES founder and one of the most senior climate experts, writes that “It is inconceivable that policymakers will be willing to make billion- and trillion-dollar decisions for adaptation to the projected regional climate change based on models that do not even describe and simulate the processes that are the building blocks of climate variability.”

With the release of FOIA2011.zip, the cat’s now well and truly out of the bag.

To their credit, some of the climate scientists realised the dangers of the selective approach politicians demanded, which meant cherry-picking evidence to make it suitably dramatic, and quietly hiding caveats. “We need to communicate the uncertainty and be honest,” pleads Thorne, in another email from 2005. Thorne noted that a telltale “signature” of greenhouse gas warming was absent. “Observations do not show rising temperatures throughout the tropical troposphere unless you accept one single study and approach and discount a wealth of others. This is just downright dangerous.”

“What if climate change appears to be just mainly a multidecadal natural fluctuation?”

Elsewhere, discussing the homogeneity of temperature readings from different sources, Thorne mulls the need to “balance the text so this is not the message”, and expresses his discomfort with making claims that conceal the uncertainty. But such were the demands of activists, agencies and the political class that uncertainty was not on the menu.

This was why the first Climategate caused such repercussions. The revelations came as little surprise to those few who follow the state of temperature reconstructions, but they rocked supporters who had put their trust in climate scientists. Clive Crook, a believer in the manmade global warming hypothesis and supporter of carbon reduction measures, expressed it like this:

“The closed-mindedness of these supposed men of science, their willingness to go to any lengths to defend a preconceived message, is surprising even to me. The stink of intellectual corruption is overpowering.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/climategate_2_first_look/

Google machine-guns unpopular social products

Identity-hoarder Google has killed various social products that failed to capture the interweb’s hive brain in the way it clearly thinks Google+ has done.

As part of Larry Page’s drive to make the Chocolate Factory’s products appear more uniform across the vast Google estate, the company confirmed it was culling a host of webby experiments that didn’t take off.

“Overall, our aim is to build a simpler, more intuitive, truly beautiful Google user experience,” said Google.

It is taking out and shooting Wave, Friend Connect, Bookmarks Lists, Gears, Search Timeline and Knol.

A common theme runs through all of these products: each one having been dipped in Web2.0rhea.

Sadly none of them came up smelling of roses.

Wave was in fact binned by Google in August last year, after it confirmed that the unpopular product would live on until at least the end of 2010.

Come the end of January next year Google said it would make Wave a read-only online ghost town. The ad broker will kill that product come 30 April 2012.

“You’ll be able to continue exporting individual waves using the existing PDF export feature until the Google Wave service is turned off. If you’d like to continue using this technology, there are a number of open-source projects, including Apache Wave and Walkaround,” Google said.

The Friend Connect product will be culled in March. In the meantime, Mountain View is urging users of that service to create a *drum roll* Google+ page.

And Gears will very shortly be switched off. The kill date is set for next month.

“Gears-based Gmail and Calendar offline will stop working across all browsers, and later in December Gears will no longer be available for download,” the company explained.

“This is part of our effort to help incorporate offline capabilities into HTML5, and we’ve made a lot of progress. For example, you can access Gmail, Calendar and Docs offline in Chrome.”

You can pay your respects by viewing the full death warrant list here.

The company also gave up on TRYING TO SAVE THE WORLD today. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/google_ditches_failed_social_products/

UK has no idea if it’s selling spyware to evil regimes

The UK government says it isn’t exercising any control over the sale of surveillance software nor stopping it from finding its way into the hands of repressive regimes.

At the start of the month, Lord David Alton of Liverpool called on the Coalition to ban the export of espionage software and equipment, and questioned previous sales of UK software to Iran and Yemen.

However, Foreign Office minister Lord David Howell of Guildford has said that there is “no evidence of controlled military goods exported from the United Kingdom being used for internal repression in the Middle East and North Africa”.

In terms of spying software, Lord Howell said, in a written reply, that the government doesn’t usually keep an eye on where it is going because it could be used for legitimate purposes.

“Surveillance equipment, including telephone intercept equipment, covers a wide variety of equipment and software, and generally is not controlled because of its use for a wide variety of legitimate uses and its easy and widespread availability,” he said.

If the gear’s export is subject to licence, the application would be considered on a case-by-case basis, the minister explained.

“The UK will not issue licences where we judge there is a clear risk that the proposed export might be used to facilitate internal repression,” he added.

But since, as he mentions, the government is actually not really controlling the sale of this type of software, that’s probably not all that comforting.

We need to talk about Iran

Lord Alton had also asked the government about a particular company, Creativity Software, claiming that it had sold “lawful intercept” software to Irancell, an Iranian telco.

Despite some very specific requests for information about any discussions the government may have had with the company on their activities in Iran, who was present in these meetings, when they occurred and whether or not the firm had service contracts on the technology it sold to Iran, Lord Alton got rather fobbed off with a literal interpretation of his question.

“The UK Government National Technical Authority for Information Assurance provides technical advice to BIS on whether information security products are subject to export controls. In this capacity, on 31 March 2009 officials from this authority had a meeting with Creativity Software to consider products that the company wished to export,” wrote the Department for Business, Innovation and Skills’ Baroness Wilcox in her reply to Lord Alton.

However, she did add that “there has been no export licences issued to Creativity Software to Yemen, Iran or Syria over the past five years”.

Creativity Software itself released a statement a few days after the initial allegations, saying that it had only sold location-based technology to Irancell to enable it to offer commercial services to its customers.

“The first services that have been launched are zone based billing and a mobile social networking service (“Friend Finder” and “Family Finder”) – which have been used by over 3 million people in the country since it was launched in January this year,” the company said.

However, the firm acknowledged that it was bound by contract to respect the confidentiality of its customers where they wanted it. The statement also pointed to the legitimate uses of location-based software for “public safety services, national security and law enforcement applications, as well as commercial” purposes.

All of which seems to neatly sum up the crux of the problem with using surveillance software: it all depends on who is setting the national security agenda, who gets to say what is a “legitimate use” and how this may differ in regimes that would prefer to silence dissenting voices. ®

Bootnote

According to Cambridge’s Christ’s College, human rights campaigner Lord Alton was the first parliamentarian to visit North Korea, and as chairman of the British-DPRK All-Party Parliamentary Group, he met the chairman of the Supreme People’s Assembly, Choe Thae Bok. Last month he gave a talk at Pyongyang University of Science and Technology on “good science and good ethics”, telling students: “It is better for men to build bridges than to build walls”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/surveillance_software/

FBI: No evidence of water system hack destroying pump

Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery.

In an email sent on Tuesday afternoon to members of the Industrial Control Systems Joint Working Group, officials with the ICS-CERT, an offshoot of the US Computer Emergency Readiness Team, said investigators from the US Department of Homeland Security and the FBI have been unable to confirm the claims, which were made in a November 10 report issued by the Illinois Statewide Terrorism and Intelligence Center, also known as the Fusion Center.

“After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois,” the email, which carries a subject of “UPDATE – Recent Incidents Impacting Two Water Utilities,” stated.

“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.”

The email went on to say the investigators “have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.”

DHS representatives didn’t respond to an email seeking comment.

The statement comes five days after Joe Weiss, an ICS security expert, disclosed contents of the Illinois report claiming that attackers triggered a pump failure after accessing the supervisory control and data acquisition system used by a US-based water utility. The report, he went on to say, warned that the intruders hacked into the maker of the SCADA system used by the utility and stole passwords belonging to the manufacturer’s customers. If true, that would have meant that other industrial systems might have been breached by the same actors.

A day after the report, Curran-Gardner Water District Chairman Don Craver was quoted by a local ABC News affiliate as saying: “There’s some indication there was a breach of some sort into a software program – the SCADA system – that allows remote access to the wells, and the pumps, and those sorts of things.” He has yet to explain his comments in light of Tuesday’s statement.

Weiss said he was surprised by the competing versions of events provided in the latest report.

“If they’re right, that means what in the world is the Illinois Center doing putting out a report like that that has no verification,” he told The Register. The earlier report “was straightforward. There were no caveats in there.”

The update went on to say that officials are still investigating additional claims that a second water plant in Texas was breached by someone who gained unauthorized access to systems controlling its machinery.

The entire text of Tuesday’s update is:

Sent: Tuesday, November 22, 2011 2:38 PM
Subject: UPDATE – Recent Incidents Impacting Two Water Utilities

Greetings:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.

Regards,

ICS-CERT

E-mail: [email protected]
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/water_utility_hack_update/

Google mail crypto tweak makes eavesdropping harder

Google engineers have enhanced the encryption offered in Gmail, Google Docs, and other services to protect users against retroactive attacks that allow hackers to decrypt communications months or years after they were sent.

The feature, a type of key-establishment protocol known as forward secrecy, ensures that each online session is encrypted with a different public key and that corresponding private keys are never kept in long-term storage. That, in essence, means there’s no master key that unlocks multiple sessions that may span months or years. Attackers who recover a key will be able to decrypt communications exchanged only during a single session.

Google security guru Adam Langley said his team built the feature into Google’s default SSL protection using a preferred cipher suite that’s based on elliptic curve cryptography and the Diffie-Hellman key-exchange method. They have released their code as an addition to the OpenSSL library to reduce the work necessary for other websites to implement the protection.

“We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision,” Langley wrote in a blog post published on Tuesday.

The move preserves Google as the uncontested leader in offering its users default protections. Last year, the web giant rolled out end-to-end SSL by default for users of its Gmail service. Last month, it introduced encrypted search. Competitors such as Twitter and Facebook – and, to a much lesser extent, Microsoft – frequently follow suit in the months that follow such releases.

Forward secrecy, which is also known as perfect forward secrecy, is important for protecting the continued confidentiality of encrypted communications over long periods of time. As computers grow faster and more powerful, it often becomes feasible to use brute-force attacks to crack encryption keys that only a decade earlier were considered unbreakable. Encrypted communications not protected by forward secrecy can be recorded and stored and only decrypted much later, once its single private key can be deduced.

The protection works by default with all versions of the Mozilla Firefox and Google Chrome browsers. Microsoft’s Internet Explorer also supports the feature when the browser is running on Vista, and later versions of Windows, although not by default. That’s because IE isn’t compatible with some of the elements contained in the ECDHE-RSA-RC4-SHA cipher suite chosen by Langley’s team.

As Langley explained in a deeper technical description, the Google implementation uses a single-session public key based on the elliptic-curve ephemeral Diffie-Hellman protocol, which is then signed by a separate RSA private key belonging to Google. This makes the task of eavesdropping on someone over an extended period of time much harder, since each new session is protected by a different key.

The scheme also relies on TLS session tickets, which are cookie-like files that are stored on end-user machines and contain keys and other settings required by Google servers to resume a session. The use of session tickets is most likely intended to reduce the load on Google servers, but it also introduces potential security risks, particularly if an attacker could intercept or forge a valid file.

“This is actually a step backwards,” cryptographer Nate Lawson, who is principal of the Root Labs security consultancy, told The Register. “You’re putting all your trust in the clients and hoping you don’t make any mistakes on the server side.”

Of course, if Google does the cryptography right, there’s little risk posed, and if the method significantly reduces the load on servers, it could bring forward secrecy to the computing masses. ®
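As an added illustration of the exchange described above (example code written for this page, not Google’s or OpenSSL’s implementation), the following Go program runs an ECDHE handshake in which the server’s long-term RSA key signs a per-session P-256 key, using only the standard library’s crypto/ecdh and crypto/rsa packages. It assumes PKCS#1 v1.5 signatures and a labelled SHA-256 as a stand-in for the TLS key derivation; the type and function names are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerIdentity holds the only key that persists across sessions: a long-term
// RSA signing key. It authenticates ephemeral keys and never encrypts traffic.
type ServerIdentity struct{ rsaKey *rsa.PrivateKey }

// NewServerIdentity generates a 2048-bit RSA key (a real server loads it from disk).
func NewServerIdentity() (*ServerIdentity, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ServerIdentity{rsaKey: k}, nil
}

// PublicKey is the half the client trusts (in TLS, via the certificate chain).
func (s *ServerIdentity) PublicKey() *rsa.PublicKey { return &s.rsaKey.PublicKey }

// ServerHello makes a fresh P-256 key for this one session and signs its public
// half with the long-term RSA key. (Real TLS also signs the client and server randoms.)
func (s *ServerIdentity) ServerHello() (pub, sig []byte, eph *ecdh.PrivateKey, err error) {
	eph, err = ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	pub = eph.PublicKey().Bytes()
	digest := sha256.Sum256(pub)
	sig, err = rsa.SignPKCS1v15(rand.Reader, s.rsaKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, nil, err
	}
	return pub, sig, eph, nil
}

// sessionKeyFrom runs ECDH against the peer's public bytes and derives a 32-byte
// key. TLS uses its PRF/HKDF here; a labelled SHA-256 stands in for it.
func sessionKeyFrom(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(append([]byte("ecdhe-example-session-key:"), shared...))
	return h[:], nil
}

// ClientKeyExchange verifies the RSA signature before trusting the ephemeral key
// (otherwise anyone on the path could substitute their own), then makes the
// client's own ephemeral key. It returns the client public bytes and the session key.
func ClientKeyExchange(serverRSA *rsa.PublicKey, serverPub, sig []byte) ([]byte, []byte, error) {
	digest := sha256.Sum256(serverPub)
	if err := rsa.VerifyPKCS1v15(serverRSA, crypto.SHA256, digest[:], sig); err != nil {
		return nil, nil, errors.New("bad signature on ephemeral key: possible man-in-the-middle")
	}
	clientEph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key, err := sessionKeyFrom(clientEph, serverPub)
	if err != nil {
		return nil, nil, err
	}
	return clientEph.PublicKey().Bytes(), key, nil
}

// RunSession performs one handshake and returns both sides' derived keys. The
// server's ephemeral private key goes out of scope on return, so a later
// compromise of the RSA key cannot recover this session's key.
func RunSession(s *ServerIdentity) (clientKey, serverKey []byte, err error) {
	pub, sig, eph, err := s.ServerHello()
	if err != nil {
		return nil, nil, err
	}
	clientPub, clientKey, err := ClientKeyExchange(s.PublicKey(), pub, sig)
	if err != nil {
		return nil, nil, err
	}
	serverKey, err = sessionKeyFrom(eph, clientPub)
	return clientKey, serverKey, err
}

func main() {
	s, _ := NewServerIdentity()
	c1, _, _ := RunSession(s)
	c2, _, _ := RunSession(s)
	fmt.Printf("session 1 key %x...\nsession 2 key %x...\n", c1[:8], c2[:8])
}
```

Two sessions under the same RSA identity yield unrelated session keys, and a tampered signature on the ephemeral key is rejected before any secret is derived.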

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/google_perfect_secrecy/

Cyber-cop Trojan used iTunes flaw to spy on crims

A law enforcement Trojan takes advantage of the same recently patched iTunes flaw also used by Ghost Click botnet, according to a demo at a recent German trade show.

Spiegel Online reports that a promo video for a variant of the FinFisher spyware application shows it exploits a vulnerability in iTunes to update the software on targeted systems. Prior to a recent update, iTunes used an unencrypted HTTP request to poll for the latest version of Apple’s media player software. This technique created an opening for man-in-the-middle attacks, providing Apple Software Updater is not in play*.

Instead of receiving the URL for the latest version of iTunes from Apple, an attacker could send a dummy update request that induces victims to visit a counterfeit webpage under the control of attackers.

For the redirection to work, a machine would already need to be infected with the DNSChanger software (in the case of the alleged Ghost Click botnet operators) or in the case of law enforcement agencies using Gamma’s FinFly ISP technology, you’d need ISPs to be in on the redirection ruse.

FinFisher is marketed by Gamma International to cops and spooks as a means to tap the Skype calls, IM chats and emails of suspected criminals. Documents found during the ransacking of Egypt’s secret police headquarters, at the height of the Arab Spring uprising, suggest that the Mubarak regime purchased FinFisher to spy on dissidents. Gamma International, which denies selling its wares to Egypt, ran a stall at the Cyberwarfare Europe conference in Berlin back in September. Delegates to the conference included government and business representatives from the United Arab Emirates, Indonesia and Malaysia.

Don’t ever bother asking journos to leave, it never works

Gamma made sure journalists had left the room when it gave its product demonstration but Der Spiegel nonetheless discovered that its pitch included video showing how its FinFly ISP technology took advantage of the recently patched iTunes flaw to push updates of its remote monitoring tool. Other versions of its technology used a specially adapted USB flash drive (“USB FinFly”) to drop spyware onto systems but this approach, unlike FinFly ISP, requires physical access to computers.

German software developer DigiTask offers similar law enforcement Trojan technology. German federal law allows the use of malware to eavesdrop on Skype conversations; however, samples of the so-called R2D2 (AKA “0zapftis”) Trojan that recently came into the possession of the Chaos Computer Club (CCC) had a far wider range of functionality than this, including keystroke logging and establishing a backdoor on compromised machines.

CCC criticised the R2D2 code as both “amateurishly written” and illegal. Five German states subsequently admitted using the controversial backdoor Trojan to spy on criminal suspects. It’s suspected that the R2D2 Trojan was developed by DigiTask, based on similarities in the sample obtained by CCC and the functionality as described in documents published by WikiLeaks last year, but this remains unconfirmed.

The use of law enforcement Trojans is particularly controversial in Germany, which is more privacy-sensitive than most countries thanks in large part to the memory of the invidious spying tactics by the former East German secret police, the Stasi. As Spiegel Online notes, adopting the same tactics as cyber-criminals makes those marketing law enforcement Trojans look even more sneaky. ®

Patchnote

* Apple addressed the underlying vulnerability with a cross-platform update for iTunes, version 10.5.1, last week. The latest version of iTunes requests update URLs over a secure (https) connection, thereby blocking man-in-the-middle attacks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/trojan_exploits_itunes_flaw/

The top five spam subjects sullying inboxes

Security biz Websense has drawn up a list of the five most common spam subject lines.

The nuisance list, based on the subject lines of the millions of spam messages blocked by the firm every day, highlights the danger of opening attachments or clicking dodgy links. The most commonly seen subject lines fall into one of the five categories listed below:

  1. Bogus online orders – For example, “Order N21560”, although the numbers vary. These pose as Adobe CS4 licences but actually redirect to sites serving up the Blackhole exploit kit.
  2. Fake fines – “FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922)”, numbers vary and subject might appear without FW: or RE:, or “Fwd: Your Flight Order N125-9487755”, again numbers vary. Users are lured to click on a link, which redirects to another malicious site serving the Blackhole exploit kit.
  3. Package delivery lies – For example, “USPS Invoice copy ID46298”, “FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ” or “DHL Express Notification for shipment 90176712199”. As before, numbers vary between different spam messages. “Fake emails pretending to be invoices or tracking emails have been around for several years and usually would have an attachment, such as a Trojan like Zeus or SpyEye,” Websense reports. Malicious emails of this type are still being sent out in bulk, using attachments that are repackaged for every campaign, as a tactic designed to get around antivirus defences.
  4. Tests for working addresses – These often appear under the guise of a patch for World of Warcraft. “Unfortunately, for the criminals, the archive is corrupt and therefore harmless to the recipients,” Websense reports, though other campaigns using the same subject line do appear with working malicious code attached. In other cases the subject line is used by spammers to validate email addresses as active.
  5. Payment and tax cons – For example “FRAUD ALERT for ACH”, “Your Wire Transfer”, “IRS requires new EIN”, and “IRS Tax report”. Many spam-bots spewing this type of email are misconfigured so that they automatically send out dodgy emails with an August date stamp, even though we are now reaching towards the end of November.

Websense adds that spam slurries normally follow the pattern of running for only about an hour or less before disappearing for a while, sometimes only to return with another short-lived tsunami of email crud.

Miscreants often switch between attachments and using links to malicious or compromised websites to distribute malware. Repackaging attachments so they will not be detected automatically by antivirus scanners is also commonplace. Changing the template of spam emails is also extremely commonplace.
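As an added example (written for this page, not Websense’s code), the following Go program turns the five subject-line categories above into regular-expression rules, strips the FW:/Re: prefixes the list says come and go, and flags the stale August date stamp mentioned under category 5. The sample messages are constructed; the Classify name and the World of Warcraft pattern are assumptions, since the article quotes no exact subject for that lure.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Message is a constructed, minimal view of an inbound mail: just the two
// headers the checks below need.
type Message struct {
	Subject string
	Date    time.Time
}

// rule pairs one of the five Websense categories with a pattern built from the
// example subjects quoted in the article. Variable numbers become \d+.
type rule struct {
	category string
	re       *regexp.Regexp
}

var rules = []rule{
	{"bogus online order", regexp.MustCompile(`(?i)^order n\d+$`)},
	{"fake fine", regexp.MustCompile(`(?i)^(uniform traffic ticket \(id: \d+\)|your flight order n\d+-\d+)$`)},
	{"package delivery", regexp.MustCompile(`(?i)^(usps invoice copy id\d+|fedex: new agent file form, trackid: [a-z0-9]+|dhl express notification for shipment \d+)$`)},
	// The article names no exact subject for the World of Warcraft "patch" lure;
	// this pattern is an assumption covering any subject that mentions the game.
	{"address validation", regexp.MustCompile(`(?i)world of warcraft`)},
	{"payment and tax", regexp.MustCompile(`(?i)^(fraud alert for ach|your wire transfer|irs requires new ein|irs tax report)$`)},
}

var forwardPrefix = regexp.MustCompile(`(?i)^(fw|fwd|re):\s*`)

// normalizeSubject trims whitespace and strips any stack of FW:/Fwd:/Re:
// prefixes, since the same lure appears with and without them.
func normalizeSubject(s string) string {
	s = strings.TrimSpace(s)
	for {
		stripped := forwardPrefix.ReplaceAllString(s, "")
		if stripped == s {
			return s
		}
		s = strings.TrimSpace(stripped)
	}
}

// Verdict is the outcome for one message.
type Verdict struct {
	Category  string // empty when no rule matched
	StaleDate bool   // Date header older than now minus maxAge
}

// Classify matches the normalized subject against the category rules and flags
// a Date header that is implausibly old, the misconfigured-bot tell the article
// describes (August stamps arriving in late November).
func Classify(m Message, now time.Time, maxAge time.Duration) Verdict {
	v := Verdict{StaleDate: m.Date.Before(now.Add(-maxAge))}
	subj := normalizeSubject(m.Subject)
	for _, r := range rules {
		if r.re.MatchString(subj) {
			v.Category = r.category
			break
		}
	}
	return v
}

func main() {
	now := time.Date(2011, time.November, 22, 12, 0, 0, 0, time.UTC)
	// Constructed sample messages using the subject lines quoted in the article.
	samples := []Message{
		{"Order N21560", now.Add(-time.Hour)},
		{"FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922)", now.Add(-2 * time.Hour)},
		{"DHL Express Notification for shipment 90176712199", now},
		{"FRAUD ALERT for ACH", time.Date(2011, time.August, 3, 9, 0, 0, 0, time.UTC)},
		{"Minutes from Tuesday's meeting", now},
	}
	for _, m := range samples {
		v := Classify(m, now, 7*24*time.Hour)
		fmt.Printf("%-52q category=%q stale=%v\n", m.Subject, v.Category, v.StaleDate)
	}
}
```

Pattern rules of this kind age quickly, as the article's note on template changes warns; the stale-date check is the more durable signal of the two.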

A blogpost by Websense on spam subject lines and associated tactics, which features a rogues’ gallery of dodgy emails, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/common_spam_subject_lines_revealed/

Council not fined after 7,200 sensitive files dumped in skip

Southwark council breached the Data Protection Act after it left an unencrypted computer and papers containing sensitive information on 7,200 people in one of its buildings when it was vacated, which were then disposed of by the building’s new tenant, the Information Commissioner’s Office (ICO) has said.

The local authority vacated the building in December 2009, but the breach was reported in June of this year shortly after the information was found in a skip. The information stored on the computer and the papers included details of people’s names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.

While the council did have information handling and decommissioning policies in place, the privacy watchdog said that the policies were not followed when the offices were vacated.

Southwark council has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected. The local authority has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, acting head of enforcement, said: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”

Separately, Central Essex Community Services has signed an undertaking after the loss of a birth book containing information about the general health of 249 mothers and their babies. The book, which should have been stored in a locked filing cabinet, was stored on top of the cabinet in a locked room due to no secure storage space being available. The book has never been recovered.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/southwark_council_breach/