U.K. Trust Fined for Breach
Posted Spreadsheet Containing Employee Information
The U.K.'s Information Commissioner's Office has fined Torbay Care Trust £175,000 for mistakenly publishing details on almost 1,400 employees online.
A spreadsheet containing sensitive information was published on the trust's website in April 2011. The mistake was reported 19 weeks later by a member of the public, according to a news release from the ICO.
The trust is responsible for providing community health services in Torbay and Southern Devon, England.
Information exposed in the breach included names, dates of birth, national insurance numbers and sensitive details, including religion and sexuality.
An ICO investigation revealed that the trust had not provided its staff with guidance explaining what information shouldn't be posted online. The trust also had inadequate checks in place to identify potential security issues, the ICO says.
"The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable," says Stephen Eckersley, head of enforcement at the ICO. "Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud," he says.
Since the breach, the trust has developed a web management policy to ensure personal data isn't published on its website, the ICO said.