The British National Party (BNP) members’ list was posted online in mid-November, causing quite a hassle for those exposed, especially since some of them were required by their job descriptions to have no political affiliation.
Apparently, a Nottinghamshire pair is responsible for the leak and they are currently in the custody of the Welsh police. A Register article quoting the Guardian stated that police said the pair were held in connection with alleged offences under the UK Data Protection Act.
“We can confirm that last night Nottinghamshire police arrested two people as part of a joint investigation with Dyfed Powys police and the information commissioner’s office in conjunction with alleged criminal offences under the Data Protection Act,” a Dyfed Powys police spokesman told The Guardian.
The investigation was led by the Welsh police in collaboration with the Information Commissioner’s Office. What I would like to know now is whether those who were about to lose their jobs because of this data breach will actually be fired. Or will it all be allowed to rest?
In the second half of November, Starbucks disclosed a security breach that had occurred a month earlier. A company laptop went missing and was thought to be stolen. It contained private details of 97,000 employees from across the USA.
The data loss was announced through a memo posted on Starbucksgossip.com and was later confirmed by Starbucks officials. The memo also recommended that those affected monitor their financial accounts and look for any suspicious activity, as well as take all the necessary steps to prevent misuse of the lost records.
According to Seattlepi.com, this isn’t the first laptop containing company information stolen from Starbucks. In 2006, the company discovered it had misplaced 4 out-of-use laptops containing the names, addresses and Social Security numbers of 50,000 former and 10,000 then-current employees. One would expect enhanced security after such an incident.
The US Army has temporarily banned the use of USB devices, along with floppy discs, CDs, external drives, flash media cards and all other removable media devices, to prevent a worm from spreading through its networks. According to the Register, the worm that caused this extreme measure is Agent-BTZ, a variant of the SillyFDC worm.
While the ban itself is bound to cause some distress, as it would in any other organization, the disruption to workflow will be greater in the US Army, because some offices are not permitted to use email or online file transfers either.
The measure is a bit drastic, but at least something was done. I personally would have expected a safer endpoint security system and protected USB drives, given the Army’s impressive history of lost hardware and data breaches (see some examples here, here and here). Who knows, maybe this time they will learn.
Although the number of data breaches reported in the UK this year has been significant, the UK Government has recently announced that it will not implement a compulsory data breach notification law for private-sector companies. The decision was made after reviewing a recommendation made in July by Information Commissioner Richard Thomas.
On the other hand, public-sector organizations are obliged to report any significant potential or actual data loss. Their private-sector counterparts should report losses in the spirit of “good business practice”. So if your data is exposed by a public-sector institution and only two others have been affected, or if a private company loses thousands of private records but does not see reporting the incident as good practice, you will never find out.
“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” states the Response to the Data Sharing Review Report.
Private-sector companies are not free of all consequences, as fines for organizations found in breach of data-protection laws will soon be raised. According to the same report, the Ministry of Justice is working with the Information Commissioner’s Office to determine the level of the maximum fine.