Tuesday, November 23, 2010

First fines for data act breaches

A county council that faxed details of a child sex abuse case to a member of the public is to be fined £100,000 for breaching the Data Protection Act.

Hertfordshire County Council is one of two bodies fined by the Information Commissioner - both have apologised.

Sheffield-based A4e was fined £60,000 for losing an unencrypted laptop with the details of thousands of people.

The commissioner said the fines - the first he has issued - would "send a strong message" to those handling data.

Commissioner Christopher Graham was granted the authority to serve financial penalties for data protection breaches in April of this year.

Hertfordshire County Council was fined after two incidents where two faxes containing highly sensitive personal information involving a child sex abuse case and care proceedings were sent to the wrong recipients.

Fax mistakes

The breaches occurred in June, when employees in the council's childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner's Office (ICO).

The first misdirected fax was meant for a barristers' chambers but was sent instead to a member of the public.


The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.

The second misdirected fax, sent 13 days later by another member of the council's childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions on the cases.

The fax was intended for Watford County Court but was mistakenly sent to a barristers' chambers unconnected with the case.

The commissioner ruled that a penalty of £100,000 was appropriate, given that the council's procedures failed to stop two serious breaches taking place.

And after the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring, the ICO said.

Laptop theft

Mr Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks."

A spokesman for Hertfordshire County Council said it accepted the commissioner's findings.

"We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence," he added.

The A4e data breach also occurred in June, after the company - a private-sector firm which provides information on employment and starting a business - issued an unencrypted laptop to an employee so they could work at home.

The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

But it was later stolen from the employee's house and an unsuccessful attempt to access the data was made shortly afterwards.

Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

A4e reported the incident to the ICO and the company subsequently notified the people whose data could have been accessed.

'Substantial harm'

The commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be on it.

Mr Graham said the theft of the laptop was "less shocking" than the council's security breaches.

But he said it "also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".

He added: "These first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."

A4e chief executive Andrew Dutton said: "We acted very swiftly after the incident in June, including making a voluntary report to the ICO. We alerted all customers, partners and relevant authorities affected and continue to update them.

"This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.

"Our priority has always been, and remains, our customers and partners. We have apologised for any distress caused to those involved in this one-off incident in Hull and Leicester and we do so again."



Powered by WizardRSS | Best Membership Site Software

Iran denies nuclear virus damage

Iran has denied that the Stuxnet virus has caused any delays in its nuclear power programme.

It issued the denials following speculation from a former UN nuclear inspector that Stuxnet had managed to damage key equipment.

But Iran said it had caught Stuxnet before it managed to reach its intended target - controllers for centrifuges.

The country accused the West of trying to sabotage what it called its "peaceful" nuclear power plans.

The denial came from Iranian Vice President Ali Akbar Salehi who oversees the country's nuclear project.

"From more than a year ago, Westerners tried to implant the virus into our nuclear facilities in order to disrupt our activities but our young scientists stopped the virus at the very same spot they wanted to penetrate," he said in comments reported on an Iranian state television website.

Stuxnet is the first malicious program that targets key parts of industrial plants. Analysis by security firm Symantec suggests that Stuxnet was intended to wreck the centrifuges used to concentrate uranium - a key part of the nuclear power generation process.

Reports suggest that Iran has taken thousands of centrifuges offline in recent months and its nuclear programme is known to have suffered significant delays.

Speculation about whether this was caused by Stuxnet came earlier this week from two sources - an unnamed official from the UN's International Atomic Energy Agency and Olli Heinonen, deputy director of the IAEA until August.

The anonymous official told AP that Western intelligence gathering suggested that Stuxnet had infected control systems in Iran's nuclear plants.

Mr Heinonen confirmed that Iran had experienced problems with centrifuges and said they could have been caused by technical problems or Stuxnet, but added that there was no proof that the worm was responsible.




PC vaccine needed in botnet fight

The equivalent of a government-backed vaccination scheme is needed to clean up the huge numbers of PCs hijacked by cyber criminals, suggests research.

In Europe, about 5-10% of PCs on broadband net links were hijacked and part of a botnet in 2009, it suggests.

ISPs are key to wresting control of these machines away from criminals, says the Dutch report.

Initiatives in Germany and Australia show how official help can boost efforts to clean up infected machines.

Home invasion

The survey of botnet numbers was carried out in an attempt to understand the scale of the problem and reveal the forces influencing how many PCs on a particular network are hijacked.

Botnets are typically networks of home computers that malicious hackers have managed to hijack by tricking their owners into opening a virus-laden e-mail or visiting a booby-trapped website.

They are then commonly used to pump out spam and attack websites.

The report drew up its figures by analysing a pool of 170 million unique IP addresses culled from a spam trap that amassed more than 109 billion junk mail messages between 2005 and 2009.

With 80-90% of all spam being routed through hijacked PCs, these IP addresses were a good guide to where infected machines were located, said Professor Michel Van Eeten from the Delft University of Technology, who led the OECD-backed research.

Analysis of this huge corpus of data showed that about 50 ISPs were harbouring around half of all infected machines worldwide. Confirmation of this finding came from other non-spam sources - the 169 million IP addresses that were part of the Conficker botnet and 130 million IP addresses collected by net security watchdog SANS.

The numbers of machines on these networks varied widely, said Professor Van Eeten, but infection rates on individual networks were quite stable over time relative to each other.

What was also clear from the research, he said, was that ISPs were not going to be able to clean up the large numbers of infected machines without some kind of central aid. In Holland, ISPs have dramatically increased their efforts but are still only cleaning up about 10% of infected machines.

At the moment, he said, two bottlenecks were preventing ISPs from doing more to clean up machines.

The first, he said, was the lack of comprehensive data about the numbers and location of infected machines.

An initiative by the Australian government to pool data on infections and provide it to the nation's ISPs showed how this could be overcome, said Prof Van Eeten.

"The second bottleneck is that it costs money to notify customers and get them to clean up their machine," he said.

"An incoming call is very costly especially as those kinds of calls need experts," he said. "ISPs can completely lose their profit margin on a customer like that."

South Korea and Germany had tackled this problem, he said, by setting up national call centres to which ISPs can refer infected customers, where they can get advice about disinfecting their machine. The call centres are publicly funded - though Germany will only pay for its centres temporarily.

"Governments can be very helpful," he said.

Prof Van Eeten said the numbers and prevalence of botnets suggest we should perhaps see them as the modern-day equivalent of the epidemics that struck in Victorian times and prompted the creation of government-backed vaccination schemes.

A similar system delivering a digital vaccine might again be part of the solution, he said.




Auction of codebreaker's papers

Papers published by World War II codebreaker Alan Turing are expected to fetch about £500,000 at auction later.

The Manchester University scientist, who killed himself in 1954, created a machine at Bletchley Park to crack messages in the German Enigma code.

Last year, the then prime minister Gordon Brown gave him a posthumous apology for the "appalling" treatment he received for being gay.

The documents will go under the hammer at Christie's in London later.

Turing, who has been called the "father of the computer", published only 18 papers in his short career.

He was prosecuted for having a sexual relationship with a man and two years later he committed suicide by biting into an apple which he had laced with cyanide.

He was found dead at his home in Wilmslow, Cheshire, where a plaque has been erected to pay tribute to him.

Since it was announced that the papers were going to be sold, IT journalist Gareth Halfacree has been trying to raise the cash to buy them and donate them to Bletchley Park Trust in Milton Keynes.

So far he has raised £85,000, having just received a £62,784 donation from Google.

"We are still a bit short of what we need but I still hope that Microsoft or Apple might donate at the last minute," Mr Halfacree said.

Bids for the collection, which contains his first published paper, his pioneering work on artificial intelligence and the very foundations of the digital computer, have to be submitted by 1030 GMT.

They will go under the hammer at 1400 GMT.

Mr Halfacree added: "If we do not raise enough, which is looking increasingly unlikely, I hope whoever buys it donates the papers to Bletchley Park so we can all benefit from them."

He said the money he has raised so far will still go to the trust whether it is used to buy the papers or not.




Challenge to Twitter 'joke' trial

A man who was convicted and fined for a Twitter message threatening to blow up an airport has said he will take his case to the High Court.

Paul Chambers was convicted in May for sending a menacing electronic communication.

A recent appeal failed to overturn the conviction, sparking outrage amongst Twitter users.

The 27-year-old accountant will now be represented by high-profile human rights lawyer Ben Emmerson.

The challenge will centre on whether or not section 127 of the Communications Act, under which he was convicted, was "appropriately applied".

Mr Chambers and his lawyers have until 2 December to challenge the conviction.

His lawyers regard Mr Chambers' conviction as a test case, as it was the first time that the Communications Act was applied to an offence on a social network.

"We want to establish what constitutes a menacing communication, what should be the level of intent required for the offence to be committed, and whether or not Paul's message was sent by means of a public electronic communications network," said David Allen Green, his solicitor.

Doncaster Crown Court recently upheld his original conviction, causing a wave of outrage on Twitter, with thousands of supporters retweeting Chambers' message, which read: "Crap! Robin Hood airport is closed. You've got a week to get your shit together, otherwise I'm blowing the airport sky high!"

The so-called "I'm Spartacus" campaign was inspired by the famous scene in the 1960s blockbuster, when slaves stood up one by one to claim "I'm Spartacus" in order to save their fellow gladiator from detection.


