Newcastle council credit card file lifted
Up to 54,000 people affected in bureaucratic bungle
Newcastle City Council has compromised private details of up to 54,000 people who made payments to it by credit or debit card between February 2006 and April 2007.
The council said details were "inappropriately released" of transactions for "council tax, business rates, parking fines, and rent payments... other services, such as at leisure centres, tourist information centres, museums, theatres and galleries have not been compromised".
The council says a single file was compromised, containing names, addresses and credit card numbers (although the card numbers were encrypted). No details of either PIN numbers or security code numbers were in the file. Apparently, the file in question was placed on an insecure server and subsequently uploaded to "a computer address registered outside the country".
This was discovered during a council-ordered security checkup by an "independent industry expert".
Newcastle council became aware of the breach last Thursday and has informed the banks, the police, and the Information Commissioner. An investigation is ongoing.
Council chief executive Ian Stratford said:
"We are now fully confident that our systems are properly robust, so we are continuing to receive payments by credit and debit cards. We very much regret that this situation has developed, although would again stress that there has been no indication of any fraud or loss, and that we spotted this situation through the thoroughness of our own security and checking systems."
The Reg has seen a copy of an internal council email highlighting the matter. It says:
"[Council] Staff should be reassured that it only refers to credit and debit card transactions with the council and has no implications for their details on payroll..."
It's always good to see a sense of priorities being maintained. ®
Two penny worth...
Breaches like this aren't unusual and we can be confident that considerably more are happening than we ever see in the media. By the way, we have to thank the media, as we do not have any statutory obligations upon organisations to disclose data breaches, unlike in the US. So it's our closest thing to an ally with regard to privacy in this information economy.
Yep, it is a monumental problem, though the Council is being a little naive with comments which reflect their opinion that nothing much seems to have happened with regard to these lost details. Experience of working within this field has shown that the modus operandi of cyber theft is to store details and create identities and exploit them over longer periods of time. Maybe they should get their security specialist back in to explain this.
Comments about the ICO are fine, but I have a lot of sympathy for the department. The Commissioner has made it clear that the state of Data Protection is pretty poor in the UK. He, along with the National Consumer Council's CEO, wants better protection of the citizen's data. However, their current powers and enforcement capabilities are pretty limited in comparison to the amount of data out there and the number of organisations subject to the Data Protection Act.
I do, however, agree with comments that a maximum fine of £5000 is not an effective deterrent. It is a little inequitable when compared to fines of £900,000 handed out for loss of banking information. It is, after all, just different parts of financial information about the individual.
I do believe that attitudes within the public sector will hopefully change. "Trust" will be an essential part of the relationship between society and the state in the future. When I use the term "Trust" I mean trust in the people who gather, use and manage information about us in the public and private sectors, not the IT / ICT systems. After all, they do what we tell them to! And in this case they failed, for whatever reason, to adequately assess the risk and control this.
What could make a difference in driving organisations to take data protection seriously? If Newcastle Council received 54,000 complaints someone would have a lot more explaining to do. So in another way the more effective tool would be the general public because they vote for the Councillors to whom the CEO is accountable.
Those who have nothing to fear have nothing to hide
I already know my council (Bedford Borough) makes unauthorised disclosures of personal information. I do my very best to make sure they have as little as possible, so that I can live my life in peace. I won't trust them with direct debits or credit card numbers.
The information commissioner needs to get a grip and actually start prosecuting these organisations and barring them from processing personal data for, say, 6 months to start. Better still, put the chief executive and leader of the council in jail for 6 months as well. Force automatic compensation, but make it personal on the officers and councillors.
In my case, he (the information commissioner) just told them to update their files! What a waste of paper he is.
We need real data protection with real penalties that actually make these people terrified of anything getting out. They won't talk so glibly of their security procedures again!
Let me predict...
... that the chocolate teapot of the ICO will do precisely sod all