ICO fines Glasgow City Council £150,000 for unencrypted laptop chaos

Investigation found 74 unencrypted laptops lost or stolen

Glasgow City Council has been fined £150,000 and heavily criticised after failing to encrypt dozens of laptops, including one containing the personal data of thousands of people that went missing from its offices.

In total, 74 unencrypted laptops are believed to have been lost or stolen from the Council, many of which probably contained personal data, but it was a single theft in May 2012 that raised the most serious concerns.

In that incident, a laptop containing the personal data of 20,143 individuals and 17,692 businesses was stolen from the Council's offices along with a second machine. In 6,069 cases, this included bank account details as well as names and addresses.

Both had been locked in office drawers but, importantly, neither had been encrypted due to "problems with the data controller's encryption software."

The ICO discovered that Glasgow City Council was aware of this technical problem but allowed unencrypted laptops to be issued to employees in contravention of its own guidelines.

The employees had also been aware of the need for machines to be stored securely, but their efforts had been compromised, the ICO inferred, by refurbishment work to the Council's offices, which raised the risk of theft.

During the breach investigation it emerged that dozens of other laptops had also been issued in an unencrypted state, including at least six that had been stolen.

"How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief," said ICO assistant commissioner for Scotland, Ken Macdonald.

"The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people's details have been compromised," he said.

Worse still, Macdonald said, was that the Council had been issued with an enforcement notice in 2010 after losing an unencrypted memory stick.

"To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that."

Without doubt, the Council would have faced a far larger fine had the loss happened outside its offices. That the laptops had at least been locked inside a drawer in its offices probably saved it from a record fine.


Stories by John E Dunn
