Memory stick found in pub had details of 26,000 tenants

Neither company was fined, despite around 800 instances of customers' bank details being on the memory stick

By Kevin Rawlinson
Sunday 23 October 2011 07:49

Personal information belonging to tens of thousands of people, including bank account details, were on a memory stick found lying in a pub, it has emerged.

The details, held unencrypted on the USB memory stick, related to more than 26,000 tenants of two London housing companies, Wandle Housing Association and Lewisham Homes, both of which were found to be in breach of the Data Protection Act by the Information Commissioner’s Office (ICO) yesterday.

Neither company was fined, despite around 800 instances of customers’ bank details being on the memory stick, which was lost by a contractor working for Lewisham Homes and 20,000 of the people whose details were lost were their customers. He had previously worked for Wandle.

Sally-Anne Poole, the ICO’s acting head of enforcement, said: “Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. This incident could so easily have been avoided if the information had been properly protected.”

Graham Cluley, a security expert with Sophos, said: “The key is that they seem to have leaked multiple types of data. The more information you have about a person, the easier it is to put the pieces of the jigsaw together and commit identify theft.

“The potential for harm is quite considerable. Put simply, organisations should be encrypting information. Even if it falls into the wrong hands, it is useless.”

Mark Fullbrook of security company Cyber-Ark, said: “Firms need to ensure the same high level of security used within the organisation is used to defend its information in the outside world.”

Both companies have agreed to ensure that data held on all portable devices are encrypted in the future. A spokesman for Lewisham Homes said “In March 2011, without our knowledge one of our contractors took confidential information and put it onto a data stick, which he subsequently lost.

“This was in breach of our Data Protection procedures and as a result of this breach the contractor has now been dismissed." The stick, the company said, was immediately handed to the police.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments