A report by Glasgow City Council has revealed a series of security failings that have potentially put sensitive data at risk after an internal audit.
Scotland's largest council carried out an audit of its IT estate following the theft of two laptops in May, only to find that some 286 laptops and 487 desktop PCs were unaccounted for, as well as close to 100 other items, such as smartphones and memory sticks. According to the report, an additional nine incidents of theft involving 37 pieces of equipment were recorded from council departments throughout the city.
Perhaps more startling is the revelation that the council does not encrypt data held on its desktop PCs and laptops as a matter of course. The two computers stolen earlier in the year contained details of approximately 17,000 bank accounts belonging both to major businesses and individuals.
Organisations should act as responsible custodians of sensitive information they are charged with.
A spokesman for Glasgow City Council admitted to IT Pro that the report shows the council has been poor at keeping accurate records of its IT equipment.
"We are now dealing with that situation and with the unencrypted IT equipment," he said.
This is not the first high profile data loss suffered by the UK's third city. In 2009, a similarly unencrypted USB stick containing personal details of listed sex offenders was lost and found its way into the hands of the media.
Chris McIntosh, CEO of security and communications specialists ViaSat UK said this latest report is merely the latest in a string of data leaks suffered by the public sector.
"A recent FoI request from the ICO found that local government accounts for a disproportionate amount of data breaches: Glasgow City Council's loss of 750 devices ... supports these findings by demonstrating a seriously flawed approach to protecting the sensitive information of customers and constituents," said McIntosh.
"Organisations should act as responsible custodians of sensitive information they are charged with and ensure that any contractors or external organisations they work with are held to the same level of accountability. Furthermore, data should be secured and wherever possible encrypted to ensure audits like these no longer throw up such dour surprises in future," he added.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
