BreachExchange mailing list archives

Massive personal data breach by police to G4S


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 23 Apr 2013 15:18:48 -0400

http://www.cambridge-news.co.uk/Cambridge/Massive-personal-data-breach-by-police-to-G4S-20130423060000.htm

An investigation was launched after private details on a massive scale
were sent to controversial contractor G4S.

The data breach involving personal information about more than 1,000
‘backroom’ staff at Cambridgeshire, Bedfordshire and Hertfordshire
police happened amid negotiations to privatise services.

That deal was scrapped after the private firm was caught up in the
fiasco over providing security for the London Olympic Games.

Campaigners have now urged police to put extra measures in place to
ensure a similar breach does not happen again, fearing details could
get into the wrong hands, after the News uncovered the blunder.

Cambridge MP Julian Huppert said: “This is a very worrying issue and
serves to highlight, once again, the danger of storing personal and
confidential data. A simple mistake can lead to serious consequences.

“Fortunately, on this occasion the force acted swiftly taking all
measures to make sure that staff were informed and the data contained
and deleted.

“I hope the investigation will result in tighter procedures being put
in place so nothing like this can happen again in the future.”

Nick Pickles, director of privacy and civil liberties campaign group
Big Brother Watch, fears any data could be “dangerous”.

He said: “This kind of error goes to the heart of the public’s
confidence that the police can keep information secure.

“Given the information wasn’t needed as part of the negotiations, it
was clearly a significant error for such a large number of staff’s
details to be sent to G4S. The important question is to get to the
bottom of how this error was allowed to happen and ensure those
responsible are held to account.

“The risk is that today the data was sent to a responsible person, but
tomorrow the same error could see confidential details end up
somewhere far more dangerous.”

The three forces notified the Information Commissioner’s Office in
February of the breach under the Data Protection Act 1998.

The gaffe occurred as the three forces were developing a deal with
G4S, which was scrapped.

Five files were sent electronically about staff from the three forces
to G4S, breaching the Data Protection Act 1998, police admitted.

Deputy Chief Constable John Feavyour from Cambridgeshire Constabulary
said: “The three forces acknowledged, in their letter to the
Information Commissioner, that the sharing of the information was not
fair and proportionate, however the non-disclosure agreement in place
between the three police forces and G4S ensured that no data left the
four organisations involved.

“I wrote to the members of staff affected by this data security breach
in February explaining what occurred and apologised to them.

“G4S responded extremely promptly and professionally when this matter
was raised with them, ensuring that all personal data was deleted from
their hard drives and records.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list