Last month I blogged about how a USB drive had been lost containing confidential data about every prisoner in England and Wales.
There is now uproar in the British media as it has been revealed that a 500GB portable hard drive, containing the names, dates of birth and National Insurance numbers of 5000 prison guards and jail governors, has been lost.
Tabloid newspaper “The News of the World”, which broke the story, was contacted by a whistleblower who revealed that the disk had been in the care of IT firm EDS since July 2007, but was only discovered to be missing two months ago.
Justice Secretary Jack Straw, who was told of the missing data yesterday by the newspaper, says he is ordering an urgent inquiry into the data loss. Presumably he will also be asking questions as to why he was not informed of the missing hard disk earlier, especially as the British authorities have been rocked by a series of similar embarrassing incidents in the last year.
What worries me is not so much that the hard drive has gone missing – but that there is no mention anywhere of the data being encrypted. The implication, once again, is that organizations are being too careless with the personal information of their employees.
Using encryption would have meant that even if the data had been lost, it would have been inaccessible and useless to any potential data thief who might get his paws on it.
At the same time, firms and organisations need to take their response to a data loss incident more seriously – if stories like this can make the headlines of national newspapers and TV and radio stations, then they are clearly of grave concern. If you think classified information has been lost inside your company, ensure that senior management – and possibly affected parties – are aware so they can take the appropriate actions.