Mobile Device Thefts Lead Breach RoundupStolen SD Card, Laptop Contained Information on Thousands
In this week's breach roundup, a group of municipalities in southern Ontario is notifying 18,000 participants in a public health program about the theft of an SD card. Also, HOPE Family Health in Tennessee is notifying 8,000 past and current patients about a stolen laptop.
Public Health Program Reports Breach
The Region of Peel, a group of municipalities in southern Ontario, Canada, is notifying 18,000 participants in the Peel Public Health's Healthy Babies Healthy Children program about a breach involving the theft of an unencrypted SD card.
The card was in a bag that was stolen from the car of an employee of the program, according to a statement issued by the Region of Peel. Information contained on the card included the parents' names, addresses, dates of birth, marital status and assessment information. Most of those affected were participants in the program from March 2010 to August 2011.
"As part of our investigation into this breach, we will be examining all of our privacy and protection protocols, and tightening controls on the information that has been entrusted to us," the statement said.
The Region of Peel posted a detailed Q&A about the incident on its website.
Clinic Employee's Laptop Stolen
HOPE Family Health a Westmoreland, Tenn.-based clinic, is notifying 8,000 past and current patients about a breach stemming from the theft of an unencrypted company laptop from an employee's home.
The laptop was issued to a management employee who worked for HOPE's finance department, the clinic says. The device was both password and fingerprint protected.
Information on the laptop includes names, dates of birth, Social Security numbers, billing addresses and other information dating back to 2005.
As a result of the incident, all patient information is being secured on an encrypted server instead of being stored on end-user devices, the organization says.
Loss of Device Sparks BYOD Reminder
An incident at the Royal Veterinary College in London has sparked a reminder from the UK Information Commissioner's Office about the growing bring-your-own-device trend.
The college violated the Data Protection Act when a staff member lost their camera, which included a memory card containing the passport images of six job applicants, according to the ICO. The college had no guidance in place to explain how information stored on personal devices should be protected.
"Organizations must be aware of how people are now storing and using personal information for work, and the Royal Veterinary College failed to do this," said Stephen Eckersley, the ICO's head of enforcement. "It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes, so its crucial employers are providing guidance and training to staff which covers this use."
In its statement, the ICO highlighted six issues organizations should be aware of when allowing staff to use personal devices for work:
- Be clear with staff about which types of personal data may be processed on personal devices and which may not;
- Use a strong password to secure your devices;
- Enable encryption to store data on the device securely;
- Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times;
- Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all;
- Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
Australia News Corp Reports Vulnerability
The Australian newspaper issued a statement on its site that its parent company, News Corp Australia, suffered a vulnerability in the security of its e-mail newsletter database.
Certain personal information about individuals who subscribe to the organization's newsletters was potentially accessible from outside the company, the statement said. Credit card details or passwords were not exposed, according to The Australian.
While details are scarce, News Corp Australia says it shut down the impacted systems and found no evidence of malicious access to the subscriber information.
"We are investigating this matter thoroughly to ensure this does not happen again," the statement said.