Police Pay Â£120,000 Breach FineStolen USB Drive Contained Investigation Info
The Greater Manchester Police Department has paid a Â£120,000 penalty issued by the UK Information Commissioner's Office after an unencrypted USB drive containing personal information on more than 1,000 individuals with links to serious criminal investigations was stolen.
See Also: 2016 State of Threat Intelligence Study
The ICO imposed a civil monetary penalty of Â£150,000. But the police department only had to pay Â£120,000 due to an early payment discount of 20 percent. The fine is for a violation of the UK Data Protection Act.
Authorities say an officer brought a USB drive home in his wallet, where it was then stolen during a burglary. The device had no password protection and was unencrypted, according to an ICO statement.
In September 2010, the data controller for the Greater Manchester Police issued an order stating that all staff must use encrypted USB drives. "After the [order] was issued by the data controller, it was not effectively enforced, and no further steps were taken to prevent the use of USB sticks other than encrypted ones issued by the data controller," according to the ICO.
As a result of the breach, the data controller has worked to recover all personal and/or unencrypted devices. Approximately 1,100 USB drives have been recovered, "although it is possible that some of the devices have still not been recovered," the ICO says.
The data controller has taken further steps to implement endpoint security preventing the download of information to unauthorized USB devices, the ICO explains.
"This was truly sensitive personal data, left in the hands of a burglar by poor data security," says David Smith, the ICO's director of data protection. "The consequences of this type of breach really do send a shiver down the spine."
The monetary penalty notice is available online.