The Metropolitan Police – and its data processing partner LogicaCMG – suffered embarrassment when it emerged that three laptops containing payroll details were stolen from LogicaCMG’s offices.
Approximately half of the Metropolitan Police’s employees are thought to have been affected by the theft of the laptops. But neither party has given full details on what data has been stolen, or confirmed how many employees have been affected, because an investigation into the theft is still “ongoing”.
Some reports have claimed, however, that the laptops contained the payroll and pension details of more than 15,000 Metropolitan Police officers.
According to the Metropolitan Police, a risk assessment of the data on the laptops has been conducted, and it believes there is little risk of identity theft.
However, the theft is sufficiently serious that the fraud prevention service CIFAS, payment services organisation APACS and various credit reference agencies have all been consulted about what action to take to safeguard staff against becoming victims of fraud.
LogicaCMG UK has confirmed that an opportunist break-in occurred at one of its premises last Thursday, but neither party has said whether the data on the laptops was encrypted, or whether security procedures had been followed at LogicaCMG.
That’s the key point – encryption. As similar incidents in the US have proved, it is often lax security at third parties processing the data that reflects poorly on the company affected. As a matter of course, data on the Met’s laptops should have been encrypted. There are obvious lessons here that should be heeded by all companies whose payroll and pension data is being processed by third parties.