Reported by Julien Weston of WIREDvc today, two London councils, Ealing Council and Hounslow Council, were fined over $100,000 each for failure to properly protect personal information of a total of 1,700 individuals stored on stolen laptops.
Even though the laptops were password protected, the UK Information Commissioner declared the protection insufficient, as no encryption was in place.
This was despite both councils having a policy that mandated encryption on such devices.
You can read more on the WIREDvc site.
Reported today by infosecurity-us and others, the two men (Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, California) who gained fleeting fame after publishing security weaknesses in the AT&T iPad website in June 2010 have been arrested and charged with one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. Each count carries a maximum penalty of five years in prison and a fine of $250,000.
You can find the formal press release on the Justice.gov site.
The original hack involved harvesting subscriber details from AT&T's site by presenting it with random ID codes. Unfortunately, while demonstrating a weakness in a site often goes unprosecuted, the pair went on to retrieve 120,000 subscriber details and then passed them on to Gawker, who published a redacted list amid much fanfare. This distribution of personal data will probably land them in a lot of hot water.
This week as many of you know I’ve been working out of our South African office in Johannesburg, and in particular presented 4 sessions at the McAfee Executive Summit here.
ITWeb, who co-sponsored the event, were kind enough to give me a writeup on their site, which you can enjoy at your leisure.
Thank you, though, to all the customers and partners who came to see us and made the event such a success!
David Meyer from ZDNet reports that Zurich Insurance was hit with a $3.5m fine by the Financial Services Authority (FSA) in the UK for failing to secure customer data. The fine stems from an incident in which a data tape went missing in transit between processing centers. There was no evidence that the data on the tape had been used or exposed, but the lack of process and policy was enough to cause the FSA to step in.
The FSA noted in their statement that:
As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.
This amounts to an effective breach of the UK Data Protection Act, according to the Information Commissioner's Office (ICO).
Effective as of July 6th 2010, the new Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or “Federal Law for the Protection of Personal Data Held by Private Persons”, enforces obligations of disclosure and carries penalties and fines. Companies must act on requests for information about the personal data they hold, as well as on requests to refuse transfer of that data and to delete it.
This week the European Commission requested that the UK strengthen its data protection legislation to align with the EU Data Protection Directive. The Commission claims the UK regulations offer less protection than EU rules require; the UK has two months to consider the opinion and respond with measures to bring them into line.
The EU highlighted the following points:
1. The ICO cannot monitor the data protection rules of third countries – assessments which should precede any international transfer of personal information.
2. The ICO can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks.
The full writeup can be found on the Europe EU Law press release page.
Following the recent $20m class action suit against Countrywide Financial, they and their owner, Bank of America, have just been slammed with an additional $600m class action suit over improper practices.
Luckily, this one is not related to any data breaches.