Police Fine Leads Breach RoundupUK Police Lose USB Drive; Breach Affects Univ. of Ga. Staff
In this week's breach roundup, the Greater Manchester Police Department has paid a Â£120,000 penalty after an unencrypted USB drive was stolen. Also, at least 8,500 current and former University of Georgia employees were affected by a breach that revealed personnel records.
Police Pay Â£120,000 Breach Fine
The Greater Manchester Police Department has paid a Â£120,000 penalty issued by the UK Information Commissioner's Office after an unencrypted USB drive containing personal information on more than 1,000 individuals with links to serious criminal investigations was stolen.
The ICO imposed a civil monetary penalty of Â£150,000. But the police department only had to pay Â£120,000 due to an early payment discount of 20 percent. The fine is for a violation of the UK Data Protection Act.
Authorities say an officer brought the USB drive home in his wallet, where it was then stolen during a burglary, according to an ICO statement.
Since September 2010, the police had required the use of encrypted USB drives, but the requirement was not effectively enforced, according to the ICO.
The department has taken further steps to implement endpoint security preventing the download of information to unauthorized USB devices, the ICO explains.
Breach Affects Univ. of Ga. Employees
At least 8,500 current and former University of Georgia employees have been affected by a breach that revealed personnel records, the university announced.
The breach may have occurred as early as Sept. 28. An investigation determined that passwords for two employees in "sensitive" information technology positions were reset by an unknown intruder. The perpetrator then used those accounts to access data that revealed personnel records.
"This appears to us to be a planned intrusion by someone who knew enough about our operations to know which accounts to attack and where the sensitive information was located within the system," says Timothy Chester, the university's vice president for information technology.
Compromised information includes names, Social Security numbers and other personal information. Affected employees are being notified and offered free credit monitoring.
Paper Shredding Error Sparks Breach
Litton & Giddings Radiological Associates in Springfield, Mo. is notifying 13,000 patients about a security breach. A janitorial services company employed by the organization's third-party billing vendor failed to shred paper records before sending them to a Springfield recycling center.
On July 31 and again Aug. 2, a janitor working for the billing company removed documents from a locked shred bin and placed them into a different secured container with other recyclable materials, according to a statement from Litton & Giddings. The secured container was then transported to a recycling center where the items were sorted for recycling and destroyed.
"The recycling process is largely mechanized, but workers in the recycling facility do, at times, manually sort the materials," the statement said.
Although the billing company couldn't identify which patient documents were sent to the facility, it suspects they included names, addresses, dates of birth, diagnosis codes and/or Social Security numbers for patients who had billing activity between July 23 and August 2.
Litton & Giddings says it will provide free credit monitoring to those affected upon request.
U.S. Army Supplied Breached
The Army Materiel Command, the primary provider of all supplies for the U.S. Army, is notifying 400 of its employees of a breach of their personally identifiable information, according to a Huntsville, Tenn.-based TV station's news report.
An AMC employee took paper documents to his residence in the Huntsville area, according to the news report. The documents were then retrieved and secured. The incident was reported to the AMC Privacy Office, the Army Privacy Act Office and the Army Criminal Investigation Division.
Affected individuals will receive free credit monitoring services.