Laptop Thefts Result in £150,000 Fine
Unencrypted Computers Stolen from City Council's Office
The UK Information Commissioner's Office has fined the Glasgow City Council in Scotland £150,000 after the theft of two unencrypted laptops, one of which contained personal information on more than 20,000 individuals.
The two laptops were stolen on May 28, 2012, from an area of the council's office that was being refurbished and where complaints of theft and a lack of security had been made, according to an ICO news release.
One laptop was locked in a storage drawer, and the key to that drawer was placed in a second drawer where the second laptop was located. However, the second drawer was left unlocked overnight, allowing both laptops to be stolen.
One of the laptops contained the council's creditor payment history file, listing the personal information of more than 20,000 people, including more than 6,000 individuals' bank account details. The other laptop did not contain any personal data because it was only used to access the council's secure network remotely, according to the monetary penalty notice.
Upon investigation, the ICO learned that the council had issued unencrypted laptops to a number of its staff members after encountering problems with the encryption software, the ICO said.
While most were later encrypted, the ICO also learned that 74 unencrypted laptops remain unaccounted for, with at least six known to have been stolen.
"How an organization can fail to notice that 74 unencrypted laptops have gone missing beggars belief," says Ken Macdonald, the ICO's assistant commissioner for Scotland. "The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people's details have been compromised."
Three years ago, the council was issued an enforcement notice when an unencrypted USB drive was lost, the ICO said.
Along with the fine, the ICO is requiring the city council to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training. The council also is required to conduct an inventory of its devices each year to ensure the registry is up to date.