Police Pay £120,000 Breach Fine

Stolen USB Drive Contained Investigation Info
Police Pay £120,000 Breach Fine

The Greater Manchester Police Department has paid a £120,000 penalty issued by the UK Information Commissioner's Office after an unencrypted USB drive containing personal information on more than 1,000 individuals with links to serious criminal investigations was stolen.

See Also: Mitigate Risks and Protect Your Users from Cyberattacks, Avoid the Yahoo Data Breach

The ICO imposed a civil monetary penalty of £150,000. But the police department only had to pay £120,000 due to an early payment discount of 20 percent. The fine is for a violation of the UK Data Protection Act.

Case Background

Authorities say an officer brought a USB drive home in his wallet, where it was then stolen during a burglary. The device had no password protection and was unencrypted, according to an ICO statement.

In September 2010, the data controller for the Greater Manchester Police issued an order stating that all staff must use encrypted USB drives. "After the [order] was issued by the data controller, it was not effectively enforced, and no further steps were taken to prevent the use of USB sticks other than encrypted ones issued by the data controller," according to the ICO.

As a result of the breach, the data controller has worked to recover all personal and/or unencrypted devices. Approximately 1,100 USB drives have been recovered, "although it is possible that some of the devices have still not been recovered," the ICO says.

The data controller has taken further steps to implement endpoint security preventing the download of information to unauthorized USB devices, the ICO explains.

"This was truly sensitive personal data, left in the hands of a burglar by poor data security," says David Smith, the ICO's director of data protection. "The consequences of this type of breach really do send a shiver down the spine."

The monetary penalty notice is available online.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network