The loss of a memory stick containing the personal details of over 26,000 tenants of two London housing associations shows many UK organisations still have poor operating policies, say experts.
A contractor left an unencrypted memory stick with details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association in a pub.
The Information Commissioner's Office (ICO), which found two London housing bodies in breach of the Data Protection Act, said the memory stick was given to the police and safely retrieved at a later date.
"There have been enough warning signs now for organisations to start getting the hint that sensitive information must be afforded the right level of protection," says Mark Fullbrook, director, UK & Ireland at identity management firm Cyber-Ark.
Data will always need to move beyond the four walls of an organisation, he says, which means organisations need to rethink their existing practices and ensure that the same high level of security used within the organisation is used to defend its information in the outside world.
The fact that the contractors were holding unencrypted details from both associations on a single memory stick shows little or no consideration that the information might be lost or stolen, says Chris McIntosh, chief executive officer of ViaSat UK.
"This loss demonstrates that when bodies such as housing associations enlist the services of contractors and outside organisations, they must ensure that they obey data protection best practices and can be trusted with sensitive information," he said.
Contractors that are entrusted with the sensitive details of thousands of third parties through their employers should have far greater regard for data protection, he says.
It is important to note it was a third-party contractor that lost the data and not trained internal staff, says Edy Almer, vice president, product management at security firm Safend: "This highlights the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data."
Sally-Anne Poole, acting head of enforcement at the ICO, says saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office.
"Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected," she said.
Both housing associations have agreed to make sure that all portable devices used to store personal information are encrypted. All staff, including contractors, must follow existing policies and procedures on the handling of personal information.
All staff, including contractors and temporary staff, will also be monitored to ensure they are taking the appropriate measures to keep the personal information they are handling secure.