St Edmundsbury Borough Council Stolen Laptop with Payroll Information
Date Reported:
9/15/07
Organization:
St Edmundsbury Borough Council (UK)
Contractor/Consultant:
None
Victims:
Council employees
Number Affected:
1,380
Types of Data:
"Bank and national insurance details"
Breach Description:
A laptop containing sensitive payroll information about council employees was stolen from the home of one of the council's senior members.
Reference URL:
The EADT24 Story
Report Credit:
EADT24
Response:
From the online resource listed above:
"Bank and national insurance details of 1,380 people on St Edmundsbury Borough Council's payroll were stored on a laptop computer stolen from the home of a council worker on September 6."
"A letter was sent out to staff and members last Wednesday - nearly a week after the theft - and the council's human resources team has been working around the clock to put additional security measures in place to protect its employees from fraud."
[Comfyllama] I'm not sure what a human resources department can do once the data has already been lost or stolen.
"Members at the Tory-run council, which earlier this week accidentally sent out private financial details of a handful of benefit claimants"
[Comfyllama] Two unrelated breaches in one week!
“There will have to be a big inquiry. We are all on the system; it is a lot of people.”
[Comfyllama] A big inquiry and, let's hope, some serious changes.
"As soon as we found out we took immediate action. We want to apologise to all of those affected and we are doing everything to mitigate the effects of this."
"We have also registered all those affected with the CIFAS Protective Registration scheme. This means that if anyone tries to use the information taken from the laptop they will not be able to access credit or services because extra security information would be required."
"we have a flexible working policy which encourages staff to work at home"
[Comfyllama] One of the reasons we see such an increase in lost and/or stolen laptops is that more and more organizations are permitting and/or encouraging employees to work from home. This is a natural progression based on the technology available. Failing to design security into the program from the beginning can prove disastrous.
Victim Statement:
“There are going to be a lot of questions and this will run and run. The thief will have a lot of information about a lot of people. My main concern is identity theft.”
“This is absolutely appalling and we are all so worried about this.”
Commentary:
It sounds like the council would do well to have outside information security guidance. Two breaches in one week is very concerning, as is the impression that information security was not taken into account adequately prior to encouraging staff to work from home. The two obvious information security issues with this breach are restricting the information stored on laptops and encryption of sensitive data at rest. There are a vast number of workable solutions that could be designed and implemented that would significantly reduce the chances of this breach occurring again.
Past Breaches:
None