Hartlepool nuclear plant report lost on unencrypted memory stick

The UK Office for Nuclear Regulation has lost an unencrypted USB memory stick containing a safety assessment of Hartlepool’s nuclear plant

An employee of the UK Office for Nuclear Regulation (ONR) has lost an unencrypted USB memory stick containing a safety assessment of Hartlepool’s nuclear plant.

The assessment was carried out following the radiation scare at the Fukushima nuclear plant in March 2011, which came after an earthquake and tsunami hit Japan.

After the incident, EU governments agreed that all 143 of Europe's nuclear plants should undergo stress testing to common standards.

The ONR, which seeks to protect people from the hazards of the nuclear industry, is an agency of the UK’s Health and Safety Executive (HSE).

The USB stick containing the Hartlepool assessment went missing during a conference in India, according to The Guardian.

But the ONR claims that no "significantly sensitive" data was lost, and that most of the report has since been put in the public domain.

However, the ONR is investigating why the employee was using an unencrypted USB memory stick for documents with a security classification, which breaches ONR policy.

Terry Greer-King, UK managing director for security firm Check Point, said the loss of the memory stick highlights the risks that businesses expose themselves to when using unencrypted devices.  

“In November 2011, we surveyed 320 UK public and private sector firms, and 50% of them were not encrypting data on USB sticks despite the high-profile security breaches of recent years. So these events are likely to keep on occurring,” he said.

Mark Darvill, chief technology officer at security firm AEP Networks, said data in high-risk industries such as the nuclear industry should always be encrypted.

“What may seem mundane to some is a treasure trove of potentially damaging information in the wrong hands,” he said.

According to Darvill, critical infrastructure providers are already a prime target both for the common cyber-criminal and for rogue foreign states.

“There would be nothing to stop an opportunist coming into contact with this stick from selling this material to the highest bidder. Any critical infrastructure provider or contractor working for them needs to ensure it has the highest levels of security deployed, to stop cyber-attacks at the first hurdle,” he said.

1 comment

and King are correct, this was bound to happen sooner or later. These data
losses will continue, it's a matter of human error in most cases but that
doesn't mean it has to be inevitable.

Largely untrained employees plus vast amounts of on-demand data is a real risk
for most companies nowadays.

Encryption, although a great policy, isn't the only option, however; you can to
an extent close the door after the horse has bolted through measures such as
USB keys that can have their memory turned off, or deleted remotely, and even
located through GPS and GSM. Simple, effective measures such as this can at
least help avoid the material damage resulting from data and, more importantly
perhaps, the reputational damage to a brand.

Norman Shaw,
MD, ExactTrak, makers of Security Guardian