Data Loss

This page contains links to articles in the media about the loss of data from the public and private sectors in the UK.

It is updated from time to time and was last updated on 10 December 2008.

Also see Data Abuse for examples of how data has been abused.

For (non-exhaustive) examples of public sector databases, please see the article entitled, The totality of surveillance proposals.

(Open Rights group also has a page on this.)

March 2009

The BBC reports that “A memory stick containing information on hundreds of police investigations has gone missing in Edinburgh. … It is understood the information on the stick was not encrypted as it was being transferred within a secure compound inside the force’s headquarters in the Fettes area of the city…” Not much of an excuse really.

January 2009

The BBC reports that “A disk containing sensitive personal details of about 2,000 staff of the British Council – the UK’s worldwide cultural body – has been lost. The disk, which was mislaid in December by courier firm TNT, contained names, salaries, national insurance numbers and bank account numbers. But the British Council said the data could not be accessed as the disk was securely encrypted.” As opposed to insecurely encrypted I suppose.  But at least it was encrypted!  One issue is, however, that some foreign powers (e.g. Russia) view the British Council in a bad light.

December 2008

The Register reports that “Leeds Council has apologised for losing a memory stick containing unencrypted details of 5,000 nursery-age children. The council originally believed the stick, which was found by a member of the public, contained no sensitive data. It was not encrypted or protected by a password. It contained names, addresses, dates of birth, phone numbers, child protection information, ethnicity and whether their parents are claiming benefits. … The council could not explain how, or why, the information was put on the memory stick in the first place.”

November 2008

Surrey Today reports that “Personal information regarding thousands of children is in criminal hands after a laptop theft. Surrey County Council (SCC) notified the 7,851 children, parents and carers, whose details were stolen, that there had been a “potential security breach” in a letter over the weekend. Personal, unencrypted data was stored on the laptop swiped from a car belonging to one of the county council’s contractors, Trapeze Group UK Ltd, on November 12.”

The Register reports that “Parents concerned that new government databases might lead to their children’s data being lost or stolen were this week able to pilot the experience courtesy of a Leicester-based nursery, which appears to have “misplaced” a data stick containing details of children in their care. At time of writing, Leicester City Council, which is responsible for the nursery, could not confirm whether the stick was lost or stolen. Nor would it confirm the name of the nursery involved until parents had been fully informed. The council has however launched the obligatory information, reported the matter to the police, and let the Information Commissioner know. It also admits that details of around 80 children could be on the stick, including names, addresses, dates of birth and telephone numbers.”

The Mail on Sunday reports that “Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people’s private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system [managed by the DWP], which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost.”

The Sunday Mirror reports that “CABINET Minister James Purnell [head of the DWP] has sparked a security row after losing confidential documents on a packed train. The rising Labour star – tipped as a future PM – broke strict guidelines by taking documents out of his “red box” on the trip. … Two women – on a business trip to France – picked up the documents he had left behind on the floor. They tried to find Mr Purnell, but he had disappeared so they had to take the file to Paris with them. Once there, one of the women tried to inform the authorities they had found government papers, but no one would take her seriously. She said: “Even when I telephoned Mr Purnell’s department in London I was told that nothing had gone missing. “In the end we simply put all the documents together and got them back to London early in the new week.” “

October 2008

The BBC reports that “NHS bosses in Lanarkshire have apologised after sensitive patient documents were left unattended and removed from Wishaw General hospital. It follows a complaint for the relative of an elderly patient who was able to lift files left lying on a ward and take them home. The documents contained the names, ages and medical information of 24 patients.”

Computing reports that “There were 176 recorded data breaches in the public sector in the past year, according to figures released today by the Information Commissioner’s Office (ICO). The private sector, by comparison, reported 80 cases. Of those reported by the public sector, 75 were in the health sector, 28 by central government, and 26 by local authorities.”

The Register reports that “Deloitte has admitted losing a laptop containing thousands of people’s pension details, but said the data was encrypted and the machine password-protected, and it had no evidence the data had been misused. The laptop contained 150,000 railway workers’ details as well as details on all UK Vodafone staff with pensions and other unnamed pension funds. The lappy was stolen from a Deloitte staffer’s handbag last month. The machine held personal information but not bank details. Deloitte was auditing the pension funds. A letter sent to Vodafone staff, and seen by The Register, said the details included names, National Insurance numbers, dates of birth, pensionable salary, earnings and contributions.”

The BBC (also the Register, the Times, the Sun) reports that “An investigation is under way into the disappearance of a [unencrypted, portable] computer hard drive containing the personal details of about 100,000 of the Armed Forces [that’s over half of Armed Forces personnel]. [“more than 1.5m pieces of information, including the details of 600,000 potential recruits”, “a small amount of information about bank details. The head [sic] drive contains details of passport numbers, addresses, dates of birth, driving licence details and telephone numbers”.] The information was being held by EDS, which is the Ministry of Defence’s main IT contractor. The MoD said it was told the drive was missing on Wednesday following a priority audit carried out by EDS.  A couple of days later, the BBC said 1.7m people’s details were lost.  Do read SpyBlog’s article on this.

IT Pro reports that Virgin Media has been found in breach of the Data Protection Act following the loss of an unencrypted CD containing the personal details of over three thousand customers. The telecoms provider reported the breach to the Information Commissioner’s Office (ICO) earlier this year following the loss of a compact disc that was passed to Virgin Media by Carphone Warehouse containing the personal details of individuals interested in opening a Virgin Media account in a Carphone Warehouse store.

September 2008

The BBC reports that “Medical notes relating to 39 people have been found in an empty flat in Glasgow, it has emerged. It is understood the flat was the former home of a community healthcare worker who used to work for Greater Glasgow and Clyde health board. The records contain information about identifiable patients who were treated between 2002 and 2004.”

Computer Weekly reports that for 99p, an eBay buyer got access to a West Yorkshire council’s network using a second-hand virtual private network (VPN) server. The server, previously used by Kirklees Council staff to allow secure and remote connections to the council’s network, was bought on eBay for 99p by Andrew Mason from security firm Random Storm. When Mason plugged the Cisco device in and switched it on he was automatically connected to the internal network of Kirklees Council.

Computer Weekly reports that MI6 is investigating how one of its digital cameras containing sensitive terrorism pictures was sold on eBay. The images on the camera, sold on eBay to a Hertfordshire man, included pictures of terror suspects and details of computer operating systems used by MI6. The Sun newspaper reports that the camera’s memory card held sensitive information about al-Qaeda suspects, fingerprints and suspects’ academic records, as well as pictures of rocket launchers and missiles. The camera also had detailed information about an MI6 computer system.

Pulse reports that four NHS trusts in five have lost patient data or suffered a data security breach since the beginning of last year, Pulse can reveal. Our investigation reveals the true scale of confidentiality breaches within the NHS, with trusts reporting more than 1,300 incidents since January 2007. GPs warned the findings would further undermine confidence in plans for electronic care records, with many of the data breaches involving NHS IT.  Figures obtained the Freedom of Information Act from 162 PCTs, hospital trusts and NHS authorities showed that there had been 557 incidents of lost data and 794 breaches of confidentiality over the time period. [including theft of patients’ letters, changes to ex-spouses records, posting pictures of patients to Facebook.] Just 32 out of 162 trusts surveyed said they had not had a data loss or security breach incident. [that they know about!]

The BBC (also the Guardian, the Telegraph, and the Register) reports that the Ministry of Defence (MoD) is investigating the theft of computer files with the records of thousands of serving and former RAF staff on.  The information was stored on computer hard drives at the Service Personnel and Veterans Agency at the RAF Innsworth site near Gloucester.  The theft of the files took place last Wednesday, within a high-security area on the base.  The MoD has set up a helpline for people who have been affected.  It said it was treating the breach “extremely seriously”.

The BBC reports that a computer disk containing the names and addresses of more than 11,000 teachers has gone missing in the post. The General Teaching Council (GTC)’s letter to teachers said it went missing after being sent from Rotherham via Parcelforce to its Birmingham office. A spokeswoman said it held the details of teachers who had filled in a form updating their registration details. She said that no financial information, National Insurance numbers or dates of birth were included. [also it should be noted that the information was encrypted – so not nearly so bad a performance as the Home Office.]

London’s Evening Standard reports that Whittington hospital in Archway spent £25,000 trying to find four CDs containing personal details of almost 18,000 NHS staff. They said the discs had gone missing after being posted – not sent by courier – to a contractor. Bosses spent three-and-a-half days holding briefings with workers and sent out more than 14,000 letters to staff. There were fears the information could be used by identity fraudsters. Marked recorded delivery, they were said to have been put in a tray on 22 July but never arrived in the post room. (Computer Weekly has more.)

Hansard reports that, among other things, 43 laptops have been reported as missing, lost or stolen from the Home Office over the past three years.

The Daily Telegraph reports that Police have lost a computer memory stick said to contain top secret information about terror suspects. The black 4GB stick was lost after being taken out of Castle Vale police station in Birmingham by an officer on patrol last Thursday.

The BBC reports that discs containing personal information, including names, addresses, dates of birth and National Insurance numbers, on almost 18,000 NHS staff have gone missing from a north London hospital. A snapshot poll suggests three quarters of doctors at a top London hospital carry confidential data on unsecured media.

Computing (and the BBC) reports that a USB stick containing details about troop movements has been discovered on the floor of a Cornish nightclub. The storage device contained times, locations and travel and accommodation details on 70 soldiers from the 3rd Battalion, Yorkshire Regiment.

Prison officers are reported to be extremely unhappy that the details of 5,000 of them were on a portable hard drive that has been lost, report Kable and the Guardian (the News of the World broke the story of the loss), and the Prison Officers Association allege that the Prison Service attempted to cover it up.

August 2008

The Register reports that The Ministry of Justice has reported eight data breach incidents affecting around 45,000 people.

The Register reports that, in total, 29m personal records have been acknowledged to have been lost over the past year.

The Register reports that PA Consulting, a company that consults for the Home Office, has lost personal information relating to 84,000 prisoners, including names, addresses and release dates. In September 2008, the BBC reports that the Home Office has ended the £1.5m contract with PA Consulting, reviewing their other contracts with them, and that the stick contained  un-encrypted details about 10,000 prolific offenders as well as names, dates of births and some release date of all 84,000 prisoners in England and Wales – and 33,000 records from the police national computer (the Evening Standard links PA Consulting to the ID Card scheme).

The Financial Times reports that personal information relating to 1m customers of NatWest and the Royal Bank of Scotland was found on computer equipment sold on eBay.

Computing reports that a laptop and several memory sticks containing personal information about children and their families were stolen from a vehicle involved with the production of a BBC TV programme. The information included names, addresses and mobile phone numbers of children, and dates when families were planning to go on holiday. The broadcaster said the vehicle was owned by a contracted company making a programme for children’s channel CBBC.

July 2008

The BBC reports that “more than 100 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it has emerged. The department also admitted that more than 650 laptops had been stolen over the past four years – nearly double the figure previously claimed. … Previously the MoD had confirmed that 347 laptops were stolen between 2004 and 2007. The Mod said it has no idea on when, where and how the memory sticks were lost. … The official total is now 658 laptops stolen, with another 89 lost. Just 32 have been recovered. In a separate response, ministers said 121 of the department’s USB memory sticks had been taken or misplaced since 2004. [87 classified USB sticks  lost since 2003 according to the Register.]”

The BBC reports that “more than 150 incidents of data being lost at NHS trusts across Wales have put patient and staff details at risk.  Among the examples over a three year period, patient details from an entire children’s ward in Wrexham were found on a piece of paper in a puddle. In another revealed by BBC Wales after Freedom of Information (FOI) requests, a highly confidential child protection file was sent to the wrong address.”

The BBC reports that “Calls have been made for all abandoned Scottish hospital buildings to be examined, after private patient data was found at a disused site in Carluke. BBC Scotland revealed that X-rays marked with patients’ names, photographs and other paperwork were found at the derelict Law Hospital. NHS Lanarkshire admitted mistakes were made in transferring the information between sites and issued an apology.”

June 2008

The Open Rights Group reports that, seven months after the child benefit data fiasco, or Datagate, the Poynter Review has revealed that information security is not a priority at HMRC, and an IPPC “investigation found no visible management of data security at any level”.

Computing reports that an unencrypted laptop containing medical details of several thousand patients was stolen from the car of a senior Colchester University Hospital manager. The details included names, dates of birth, postcodes and treatment plans.

Computing reports that a cabinet minister became embroiled in a government data security scandal with the theft of a computer from the constituency office of communities secretary Hazel Blears. The machine, said to contain sensitive data relating to her constituency work and that of her department, was stolen from her constituency office in Salford.

The BBC reports that police are investigating a “serious” security breach after a civil servant lost top-secret documents containing the latest intelligence on al-Qaeda.  The unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. In late September 2008, the BBC reports that the official is to be charged under s8.1 of the Official Secrets Act and has been moved to an undisclosed location.

May 2008

The BBC reports that “The Scottish Government has launched an inquiry into how patient information was left at an abandoned hospital. The documents at Strathmartine Hospital on the outskirts of Dundee included details about a girl’s adoption and a child with foetal alcohol syndrome.” The BBC also reports that “The UK’s data protection watchdog has demanded to know why children’s medical details were left at an abandoned hospital in Dundee. The Information Commissioner’s Office (ICO) contacted NHS Tayside about the documents in December and was reassured they had been taken away. However, it came to light this week that confidential papers were still lying around at Strathmartine.”

April 2008

Computing reports that an FSA investigation into 39 financial institutions finds widespread problems involving data security.

Computing reports that thirteen London councils failed to protect personal information on citizens during the last year, according to a BBC survey. The guilty respondents to a Freedom of Information request said that data has been either lost, stolen or ” inadvertently disclosed.” In two separate incidents four months apart, workers at Kensington and Chelsea Borough Council took information on vulnerable childr en into bars, where it was stolen. And in October 2007, 375 student files were stolen from Havering Council.

The BBC reports that The Ministry of Defence says a laptop has been stolen from a member of the military as he was eating in McDonalds. The computer was taken from under the Army captain’s chair, near the MoD’s Whitehall headquarters on 1 April, according to the Sun newspaper. The MoD said the data on the laptop was not sensitive, and was fully encrypted.

March 2008

The Register reports that the Ministry of Defence has lost 11,000 military ID cards in the last two years.

February 2008

The Guardian reports that a Home Office disc containing confidential information was found underneath the keyboard of a laptop sold on eBay.

The Register reports that the CPS loses a disc containing the personal information of 2,000 suspects.

January 2008

The BBC reports that Defence Secretary Des Browne says a probe into the loss of a laptop with details of 600,000 people has uncovered two similar thefts since 2005. The two laptops held similar data to one stolen from a Royal Navy recruiting officer in Birmingham but on fewer people, Mr Browne told MPs.  The head of the Civil Service has told Whitehall staff not to remove laptops with sensitive data from their offices.

Computing reports that the Ministry of Defence lost a laptop containing the personal details of 600,000 people after it was stolen from the car of a junior (probably spin) Royal Navy officer.

December 2007

The Register reports that Dave Hartnett, Director General of HMRC, admits the HMRC is aware of eight data breaches since Revenue and Customs merged in 2005.

The Register reports that the DVLA loses discs containing the personal information of 6,000 Northern Ireland motorists.

Computing reports that the UK government has revealed that a US-based IT contractor has “lost” the records of three million British learner drivers.

The BBC reports that the details of up to 3,000 NHS patients could have been on a computer stolen from a doctors’ surgery. The laptop belonging to the Diabetic Retinopathy Screening Service (DRSS) contained patients’ names, addresses, dates of birth and phone numbers.

The BBC reports that the Driver and Vehicle Licensing Agency (DVLA) has admitted it sent confidential details to the wrong motorists by mistake.  The Swansea-based agency has confirmed at least 100 sensitive documents were sent to the wrong addresses.

November 2007

The Times reports that the HMRC has lost another two CDs containing personal data.

The Register reports that thousands of Standard Life customers are at risk of fraud after the HMRC loses a CD containing their personal data.

The Register reports that Alistair Darling, Chancellor of the Exchequer, has told the Commons that the police have launched an investigation into the HMRC’s loss of the personal information of 25 million people, including the bank records of 7.25 million families (see also Computing).

September 2007

Zdnet reports that “An NHS trust is investigating how one of its hard drives containing confidential information was sold online. The Dudley Group of Hospitals NHS Trust is trying to find out how one of its computers full of confidential medical information was sold on eBay. Disposal of the trust’s computers is carried out under contract to Siemens Medical Solutions, as part of a PFI agreement. Computer Disposals has a subcontract with Siemens to dispose of obsolete IT. All hard drives that leave the trust via this route should undergo data wiping which meets the government’s standard of being overwritten three times.

May 2007

The Department of Transport loses personal information relating to three million driving test candidates.

The Register, Channel 4, and BBC Radio 4 report that a laptop with the personal information of 26,000 Marks and Spencers employees is stolen from a printers.

The BBC reports that HMRC has sent the personal information of 8,000 tax credit claimants to other claimants.

The Register reports that the Information Commissioner’s Office (ICO) is conducting an audit of Halifax Bank of Scotland’s (HBOS) data security procedures after it was revealed that the bank was putting customers’ financial documents in ordinary bins. The act, uncovered by the BBC’s Watchdog programme, is in breach of an undertaking to the ICO signed by HBOS earlier this year after it was found throwing out documents containing customer details.

The BBC reports that sensitive case notes on vulnerable children in Essex have been found on a computer sold on eBay’s auction site. Reports and details about fostering and adoption were found among 1,000 files on a £1.70 computer previously owned by Southend Borough Council. The unsuspecting buyer is quoted as saying, “It was a sort of snap shot of documents from meetings to decide whether or not a child would go to a special school, details of whether they’d been physically or sexually abused”.