Brian Pennington

A blog about Cyber Security & Compliance


November 2011

Combating Cybercrime to Protect Organisations

PWC have released their annual Cybercrime report, “Cybercrime: protecting against the growing threat – Global Economic Crime Survey“, and as usual it makes very scary reading.

The report shows that crime is up and those organisations have been slow to react to the threats. Threats that were highlighted in previous reports.

Organisations of all sizes need to improve their abilities to protect their sensitive data and the report focuses on several area that need addressing, for example awareness of the threats in senior management and training for employees in how to spot crime and how to take the appropriate steps to react to the incident (Incident Response Planning…).

There needs to be adequate protection in the form of technology, procedures and policies for the proposed awareness and training to be effective and efficient.

The report is based upon 3,877 respondents from organisations in 78 countries. The scale of the survey has provided a global picture of economic crime.

The key findings of the report are shown in full, with the remainder of the post focusing on the statistics shown in the report.

Key Findings from the PWC “Cybercrime: protecting against the growing threat” report

Our sixth report paints a dramatic picture of UK organisations still struggling in the face of severe austerity cuts.

Economic crime has risen by 8 percentage points since our 2009 survey, with over half of respondents reporting at least one instance of economic crime in the last 12 months. Even more concerning for Senior executives was the fact that 24% of respondents reported more than ten incidents in the last 12 months.

Our findings suggest that the combination of rising economic crime in the UK, and widespread austerity cuts that limit the resources available to focus on economic crime, has made today’s business environment altogether more difficult and risky.

Cybercrime has become the third most common type of economic crime, whilst levels of ‘conventional’ economic crime have fallen (asset misappropriation has fallen by 8 percentage points since 2009, and accounting fraud by 5 percentage points in the same period). So we think organisations need to take a fresh look at how they deal with fraud.

Cybercrime now regularly attracts the attention of politicians and the media, and should be a concern to business leaders as well. Our survey gave respondents their first direct opportunity to highlight cybercrime as one of the main economic crimes they had experienced, and over a quarter of those who had reported economic crime in the last 12 months did so. The largest number of these were from the financial services sector.

Our survey shows that organisations need to be clear about exactly what cybercrime is, and who is responsible for managing it.

Economic crime perpetrated externally has increased and fraud carried out by employees within the organisation is declining.

Statistics extracted from the report

  • 47% of respondents said the cybercrime threats have increased over the last 12 months
  • 84% of respondents who identified an economic crime had carried out at least one fraud risk assessment in the last 12 months
  • 19% of UK respondents didn’t perform a fraud risk assessment in the last 12 months. This is a much lower figure compared with the global 29% of respondents
  • Over half of UK respondents reported economic crime in the last 12 months, compared with 34% globally
  • 51% of respondents experienced fraud in the last 12 months (UK)
  • 26% of those who experienced an economic crime in the last 12 months reported a cybercrime
  • 48% of respondents felt that responsibility for detecting and preventing cybercrime falls to the Chief Information Officer, the Technology Director or the Chief Security Officer
  • 66% of respondents said they had reported a cybercrime incident to law enforcement, compared with 76% of those who experienced economic crime
  • 54% of respondents representing organisations with offices in more than 20 countries saw an increased risk from cybercrime in the last 12 months. 35% of respondents representing organisations based just in the UK perceived a similar rise

Cybercrime awareness

  • The most effective way to raise cyber security awareness is through face-to-face training. In spite of this, only 24% of UK respondents received this type of training
  • 33% see cyber security as the responsibility of the Chief Executive Officer and the Board, the global figure is 21%
  • One in five respondents said the CEO and the Board only review these risks on an ad hoc basis

Response to cyber crime

  • 16% of UK respondents said their organisation has in place all five of the measures specified in the survey, compared with 12% of global respondents – see the link to the full report below.
  • 83% were concerned about reputational damage
  • 57% of respondents representing UK organisations have a media and public relations plan in place. The global response was 44%
  • 28% of respondents said they didn’t have any access to forensic technology investigators

Profile of the internal fraudster

  • male
  • aged between 31 and 40
  • employed with the organisation for between three and five years
  • educated to high school and not degree level

Top 5 departments perceived to present the biggest cybercrime risk

UK  Global
1. Information technology 52 53
2. Operations 42 39
3. Sales and marketing 36 34
4. Finance 37 32
5. Physical/Information security 22 25

Find the full report here.


Information Commissioner fines two councils for emailing personal information

The Information Commissioner’s Office (ICO) has served monetary penalties to two councils for breaching the Data Protection Act.

North Somerset Council and Worcestershire County Council after staff at both authorities sent highly sensitive personal information to the wrong recipients. The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS.

1. Worcestershire County Council was fined £80,000 for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it. Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data. Worcestershire County Council has explained to the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

2. North Somerset Council was fined £60,000 for breaching the Data Protection Act when a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

The incidents, which took place during November and December 2010, occurred when a council employee selected the wrong email address when creating a personal distribution list. The council employee was told about the error by the unintended recipient shortly after the first incident took place. Despite this, information was emailed to the same NHS employee on a further three occasions. The issue was then raised at senior level. Two of the council’s Assistant Directors highlighted the issue with the employee on 9 December but a fifth and final incident took place later that same day. The NHS organisation verbally confirmed to North Somerset Council that it destroyed the emails after their own internal investigation was complete.

The ICO’s enquiries found that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. In response to these incidents, the ICO has recommended that the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.

Information Commissioner, Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies following a series of data protection breaches.


RSA’S October Online Fraud Report

Below is a summary of RSA’s October Online Fraud Report.

October was Cyber Security Awareness Month. A public relations effort made by several US-based government bodies to increase security-literacy across the tiers that make up our digital society. By encouraging each and every Internet user to “Stop, Think, Connect,” the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) hope to increase security within the home, business environment, and ultimately within the entire nation. While this effort was founded in the U.S., its aspirations of increasing security literacy among the general public could easily be embraced across the globe.

Ironically, October also marks a major milestone for RSA, reaching the official shut down of over 500,000 phishing attacks around the globe. Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals.

RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in September increased by 45%, setting a new all-time high of 38,970 attacks. As in the month prior, this increase was largely attributed to repeated attacks on a handful of large financial institutions which have been heavily targeted throughout the past few months.

Number of Brands Attacked

The total number of brands attacked decreased 15%, dropping from 351 targeted brands in August to 300 brands in September. Last month, no new brands endured their first phishing attack, compared to seven newly-targeted brands in August. Monthly counts of newly-targeted brands last year hovered around 20 to 25 entities per month indicating a slowdown in the trend of attacks on new targets.

US Bank Types Attacked

In September, the portion of targeted brands among U.S. credit unions dropped from 19% to 6%. In contrast, the portion of targeted brands among regional U.S. banks increased 5%, while attacks against nationwide U.S. banks increased 8%. Nationwide banks continue to be the most lucrative target among phishers likely because their customer bases are large and geographically dispersed.

Top Hosting Countries

The U.S. hosted two out of three worldwide phishing attacks in September. Since September 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attack Volume

The U.S. and UK continue to remain the top two countries targeted by the highest volume of phishing attacks. In September, they endured 79% of the world’s phishing attacks. Brazil, Canada, and South Africa remained among the top five countries in September in terms of phishing attack volume.

Top Countries by Attacked Brands

U.S. and UK brands accounted for 43% of all the brands targeted worldwide by phishing in September.

The full report can be found here.

The RSA September Online Fraud Report Summary is here.


RSA’s September Online Fraud Report

At bit of a catch up on the excellent RSA Fraud Reports. The results from their September report are below.

At the bottom of the post is the August Report Summary link.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in August increased by 7%, setting a new all-time high of 26,907 attacks. This increase can be mostly attributed to repeated attacks on a number of large financial institutions which have been heavily targeted through the past few months.

Number of Brands Attacked

The total number of brands attacked increased 9% in August, climbing from 321 targeted brands in July to 351 brands in August. Last month, seven brands endured their first phishing attack. Last year, monthly counts of newly-targeted brands hovered around 20 to 25 per month, indicating a slowdown in the attack rate of new targets.

US Bank Types Attacked

The number of phishing attacks targeting U.S. credit unions in August nearly doubled, from 10% to 19%. The portion of attacked brands among the other two sectors decreased – regional U.S. banks decreased 3% and nationwide banks decreased 6%. August 2011 marked a two-year high for U.S. credit union brands being targeted since hitting the 24% mark in August 2009.

Top Countries by Attack Volume

The US and UK remained the top two countries most targeted by phishing in August, accounting for 73% of the world’s attacks. Brazil, Canada, and South Africa all remained in the top half.

Top Hosting Countries

The U.S. hosted 63% of all phishing attacks identified in August. The UK and Germany both accounted for hosting 4% of global phishing attacks followed by France, Canada, the Netherlands, Brazil, Russia, and Australia. In the last year, the countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attacked Brands

The top five countries whose brands were most targeted by phishing in August, the U.S., UK, Australia, India, and Canada – accounted for 60% of attacks. U.S.

The full report can be found here.

See the RSA August Report Summary here.


The Freedom of Information Act. Power to the people or a tool for busy bodies?

The Palace of Westminster at night as seen fro...

I understood the Freedom of Information Act was a mechanism for me to check what activities my government was doing under my name.

Then I came across a link containing the requests received by the government under the Freedom of Information Act (FOIA) during 2011 and I realised the FOIA has been hijacked by people who seem to be obsessed with the costs of wigs and whether there are any rats in the House of Commons – please insert joke here.

The entire list of 2011 requests is below and whilst they are not all concerned with trivia far too many are, so I decided to see if it was my translation of the FOIA that was wrong and tracked down the definition on the Parliament web site:

“Members of the public have a right to request access to information held by public authorities. The House of Commons and the House of Lords are separate public authorities. Requests for access to information should be directed to the relevant House which may hold the requested information.”

Freedom of Information Act 2000 (FOIA) The House of Commons and the House of Lords are required under the Freedom of Information Act to make information that they hold available to the public.

1. Information must be made available proactively via publication schemes that have been approved by the Information Commissioners Office (ICO).

2. Anyone is entitled to make a request for access to information held by either House that is not already publicly available. The requested information must be disclosed unless an exemption applies.

  • General information on the Freedom of Information Act •
  • Specific information regarding the House of Commons and the Freedom of Information Act
  • Specific information regarding the House of Lords and the Freedom of Information Act “

This means I am wrong, anyone can request information about anything no matter how trivial and no matter how costly gather and produce the information was.

Form the 2011 list there are potentially two dozen examples I would consider trivial or not worth the tax payers money to find out, for example

  • How much is spent on water and what brands are used. This disclosure is here.
  • Instances when pest control services have been requested. One of the several disclosures can be found here.
  • Details of expenditure on language courses. Surely avoiding the usual British thing of pointing and shouting is a good thing if we want our representatives to communicate with our European neighbours. This disclosure is here.

Some items were of interest:

  • On average 13o knives a year are confiscated from staff and visitors to Parliament. This  disclosure is here.
  • MPs who have not paid in full the money that the Legg report said they had to repay. This disclosure is here.

It is almost 50/50, in my opinion, between questions of merit with real public benefit and questions that only affect those with nosy habits or vested interests.

But see for yourself by reading the full list of FOIA Requests for 2011 below, newest first.

FOIA Disclosures October – December 2011 up to 23rd November 2011

  • Banqueting 2010-2011. Details of event and function bookings made by Members on behalf of outside organisations.
  • Claims of Racial Discrimination against the House of Commons administratio.n Details of racial discrimination cases brought against the House of Commons.
  • Details of 14 Tothill Street. Accommodation details of the parliamentary property at 14 Tothill Street
  • Grievances filed against the House of Commons administration by its staff. Details of grievances filed against the House of Commons since 2009.
  • Information about MyUK. Details of the MyUK online learning resource.
  • Items confiscated from staff and the public visiting the House of Commons. A list of items confiscated from members of staff and the public visiting the House of Commons from January 2009 to September 2011.
  • Management Board Papers 2007-2011. All agendas, minutes and related papers of the House of Commons Management Board.
  • Proposed building works on Cromwell Green and Speaker’s Green. Details of proposed building works on Cromwell Green and Speaker’s Green.
  • Select Committee expenses 2010-2011. Details of Select Committee expenses for 2010-2011
  • The amount paid by the House of Commons in relation to employment disputes with MPs staff. Total amount paid by the House of Commons in relation to employment disputes with MPs staff for the last 5 years.

Below is the list of FOI disclosures published by the House of Commons between July and September 2011:

  • Bars in the House of Commons. Details of bars within the House of Commons and their operating costs.
  • Compensation for criminal activity or personal injury. The cost of compensation paid to any victims of a criminal act or personal injury on the Parliamentary estate.
  • Compensation for criminal activity or personal injury. Compensation paid to staff and members of the public due to criminal activity or personal injury on the parliamentary estate.
  • Details of language classes provided to MPs and Parliamentary officials. Language classes provided to MPs and Parliamentary officials.
  • Details Of Mr Speaker Bercow’s official events since taking office. All official events held by Mr Speaker Bercow.
  • Details of spending on procurement cards issued to House of Commons’ staff, 2010 – 2011. Details of all spending on the cards for the last calendar year to May 2011
  • Ethnic monitoring in the House of Commons. Ethnic monitoring in the House of Commons
  • Expenditure on ceremonial garments. Details about ceremonial garments and the costs involved.
  • Financial details of parliamentary catering and retail service.s Revenue, profits, costs and subsidies for parliamentary catering and retail services.
  • House of Commons buildings used as office space. Details about House of Commons buildings primarily used as office space.
  • House of Commons post holders earning a basic salary of £65,000 or more to March 2011. House of Commons post holders earning a basic salary of £65,000 or more to March 2011
  • Inflation index used for MPs pensions. Which inflation index was used to determine the increase in MPs pensions.
  • Instances when pest control services have been requested. The number of times that pests have been found on the parliamentary estate.
  • IT equipment issued to Members 2011. Itemised breakdown of IT equipments issued to Members following 2010 election to 1 February 2011
  • Items reported stolen in the House of Commons in 2011. A list of all the items reported stolen in the House of Commons in 2011
  • MPs who have not paid in full in line with the Legg report. MPs who have not paid in full the money that the Legg report said they had to repay.
  • Reports into the leaning of Big Ben clock tower 2011. The effects of the Jubilee line extension on Big Ben clock tower.
  • Rules for MPs use of stationery. The rules for the use of stationery and pre-paid envelopes.
  • Select Committee expenditure on water. Details about the brand used and cost of water used by Select Committees.
  • Taxable benefit of the Speaker’s accommodation. The taxable benefit of the Speaker’s official residence.
  • The cost of recalling Parliament on Thursday August 11 2011. Some of the costs involved in the recall of Parliament on Thursday August 11.
  • The structural soundness of Portcullis House. Reports carried out into the structural soundness of Portcullis House.
  • The use of social networking media. The use of social networking media by MPs.

Below is the list of FOI disclosures published by the House of Commons between April and June 2011:

  • Cost and vintage of wines 2011. The vintage dates and purchase price of wine stocked in the House of Commons
  • Crimes reported 2009-2011. Details of all the crimes reported within the House of Commons from 2009-2011
  • Details about the trees in Portcullis House. Costs and ownership details of the trees in Portcullis House.
  • Duchy of Cornwall. The procedure determining whether the consent of the Duchy of Cornwall needs to be signified to a bill
  • Expenditure of The Clerk of The House 2011. Expenditure which has been made by the House of Commons relating to the Clerk of the House’s travel, subsistence, entertainment in an official capacity, and other professional and miscellaneous costs.
  • Former Members in receipt of an award from the Resettlement Grant. 1 April 2011 Table showing Former Members who left the House of Commons at the 2010 election and who are in receipt of an award from the Resettlement Grant and Former Members who have not been paid Resettlement Grant.
  • Former Members in receipt of an award from the Resettlement Grant. 5 April 2011 Amounts awarded to each former MP from the Resettlement Grant
  • Funding of the W4MP website. Details of the last 5 years of funding for the W4MP website.
  • House of Commons consultancy costs 2010-2011. How much The House of Commons spent on external consultants during the financial year 2010-2011
  • House of Commons recruitment costs 2010-2011. Recruitment costs for The House of Commons during financial year 2010-2011.
  • House of Commons Wine Stocks 2011. The top highest valued wines in the House of Commons stock and the total value.
  • List of wines stocked in the House of Commons wine cellar 2011. A list of all the wines currently stocked by the House of Commons
  • Members’ comments about IPSA. Members Survey of Services Comments on IPSA made by MPs responding to the Members Survey of Services 2010
  • MPs Expenses repayments 2011. List of Members of Parliament’s outstanding expenses repayments
  • Non British Nationals Research Assistants & Interns 2011. Number and nationality of non-British national researchers who have worked at the House of Commons over the last 15 years.
  • Number of security passes lost or stolen 2008-2011. The number of House of Commons security passes that have been lost or stolen.
  • Palace of Westminster – Condition Survey Report 2008-2010. A report on the outcome of a condition survey carried out over the period 2008-10 during which each space in the Palace of Westminster was subject to a visual inspection.
  • Pest control costs 2008-2011. The costs of pest control across the parliamentary estates from 2008-2011
  • Speaker’s accommodation 2011. Updated list of costs incurred to furnish the Speaker’s accommodation in the Palace of Westminster between 2009 and 2011.

Below is the list of FOI disclosures published by the House of Commons between January and March 2011:

  • Catering and retail prices 2011. Copies of restaurant menus, bar tariffs and other catering tariffs, souvenir price list
  • Catering sales and lists containing drink prices 2011. List of drinks, prices and sales in House of Commons bars and cafeterias
  • Details of all crimes reported in the Palace of Westminster 2008-2011. details of all crimes reported in the Palace of Westminster in the past three years
  • House of Commons Management Board official expenditure 2008-2010. an itemised breakdown of expenses claimed by each member of the Management Board for financial years 2008/09 and 2009/10
  • How much has been spent on 14 Tothill Street premises. The total amount spent on 14 Tothill Street until 28 February 2011.
  • Items reported as missing or stolen 2006 -2010 All items and their assumed monetary value which have been reported as missing or stolen from the Parliamentary Estate
  • Items reported stolen or missing from the Parliamentary Estate 2005-2011. A description of each item reported stolen and/or missing to the Crime and Investigation Unit from the Parliamentary estate
  • Lists of former Members of Parliament and Industry and Parliament Trust pass holders 2011. Names of pass holders – Former Members of Parliament and Industry and Parliament Trust as at 24 January 2011
  • Management Board Papers 2007-2011. Minutes, agendas and associated papers of House of Commons Management Board meetings since its establishment in October 2007
  • MPs and Lords replaced IT equipment. It equipment replaced since 2006
  • New Year’s Eve event 2010/11. Details of the New Year’s Eve event held at the House of Commons.
  • Overseas visits by Transport Committee members. Details of overseas visits by members of theTransport Committee from 01 January 2010 until 10 February 2011.
  • Parliamentary IT and Communication systems, office layouts and access Repayments made by Members 2010. The list of repayments of parliamentary allowances made by current and former Members of Parliament which were received between 19 December 2009 and 12th April 2010
  • Speaker’s Office Budget 2008-2011. Details of the Speaker’s Office Budget and Expenditure 2008-2011

The link to all the disclosures can be found here.


The U.S. Leads the World in Credit Card Fraud

In the Nilson Report: Global Credit Card Fraud Losses they reveal that the U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash, according to the Nilson report: Global Card Fraud.

Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards.

“The U.S. has a disproportionate percentage of the global total losses for two reasons, U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.

“Competition among U.S. issuers, which has resulted in the average cardholder having four credit cards in their wallet, makes any issuer reluctant to decline an authorization. The consumer will just pull out a competitor’s card,” said Robertson.

Institutions across Europe, Latin America, the Middle East, Africa and Asia have introduced security processes and technologies to reduce fraud for example Chip and PIN.

Global card fraud worldwide as a percentage of total volume has decreased. In 2010, total fraud losses equaled 4.46c per $100 in total volume of purchases and cash, down from 4.71c per $100 in 2009.

Total global fraud losses, at $7.60 billion, however, increased in 2010 by 10.2% compared to the prior year, because the rate of spending is outpacing losses.

The payment card industry is expected to continue to grow sales volume at a faster pace than thieves can compromise the system.

The Nilson Report is a highly respected source of global news and analysis of the credit, debit and prepaid card industry. The subscription newsletter provides in-depth rankings and statistics on the current status of the industry, as well as company, personnel and product updates. Nilson Report Publisher, David Robertson, is a recognized expert in the field, and is a frequent speaker at industry conferences.


7,200 peoples’ personal information discovered in a skip

Coat of arms of Southwark London Borough Council
Image via Wikipedia

Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 peoples’ personal information which were discovered in a skip earlier this year, the Information Commissioner’s Office (ICO) said today.

The computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were then discovered in June of this year and disposed of by the building’s new tenant. The information stored on the computer and featured in the papers included details of peoples’ names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.

The breach was reported to the ICO on 3 June 2011 shortly after the information was discovered in the skip. The ICO’s enquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.

The authority has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected.

The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, Acting Head of Enforcement said:

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”


QC has unencrypted laptop stolen and is sanctioned by the ICO

The Information Commissioner’s Office has reported on the case of a Scottish Advocate having an unencrypted laptop stolen.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.” 


Big increase in communications fraud

CIFAS, a UK’s Fraud Prevention Service, has reported on frauds recorded by its 260 member organisations during the 9 nine months of 2011.

The report reveals a 34% increase in fraud related to communications products, when compared with the same period in 2010.

CIFAS conclude that some “communications” products, for example smartphones like the iPhone handsets are viewed as essential items rather a luxury items which infers an entitlement to commit fraud.

CIFAS have also seen:

  • 93% increase in impersonation of the victim at their current address, also known as current address fraud
  • 85% increase in the use of completely fictitious
  • 64% surge in identity fraud individuals trying to gain a obtain products or services
  • 20% increase in misuse of facility cases

CIFAS Communications Manager, Richard Hurley, notes:

“The rise in current address fraud alarms because it signifies either that fraudsters are becoming increasingly sophisticated (as it is more difficult to impersonate someone at their address and then try to intercept goods or paperwork), or it demonstrates that friends, family and co-habitees are involved. Allied to the similarly enormous increase in the use of completely false identities, this surely indicates that communications products have become so essential that fraudsters not only obtain goods or handsets to sell on but will also attempt to use any identity in order to avoid becoming liable for bills.”

“nearly 100% of this increase can be accounted for by regular payment fraud, where fraudulent direct debit instructions are given in an attempt to evade the payment of bills. The reality of the situation is that the communications product, device or service has become so embedded in our lives that many of us seem unable to do without them. With sacrifices having to be made by most individuals and households, these figures depressingly indicate that many people feel that, economically, they have no choice but to attempt fraud in order to continue receiving such services.”


  1. CIFAS is the UK’s Fraud Prevention Service, a not for profit Membership organisation with over 260 cross sector Members including banking, credit cards, asset finance, retail credit, mail order, insurance, telecommunications and the public sector. Members lawfully share information on frauds in the fight to prevent further fraud.
  2. The following tables show a summary of communications fraud cases recorded by CIFAS Members, broken down by the type of fraud identified. Definitions are given below the table.
Jan to Sept 2010 Jan to Sept 2011 % Change
Application Fraud 3,679 4,347 18%
Facility Takeover Fraud 5,292 4,330 -18%
Identity Fraud 12,673 20,842 64%
Misuse of Facility Fraud 3,430 4,125 20%
Total 25,074 33,644 34%

Create a free website or blog at

Up ↑

%d bloggers like this: