A police force has been fined £150,000 by the Information Commissioner. The penalty results from the theft of a memory stick with information on over 1,000 people involved in drug squad investigations.
The USB stick – which was neither password-protected nor encrypted – was stolen in a burglary of a Greater Manchester Police officer's home in July 2011. Apparently it had been left in a wallet on the kitchen table. The stick contained personal data on 1,075 people gathered over 11 years by the officer, who worked in the force's serious crime division, including its drug squad. The data had been downloaded from files held on the force's network, to act as a backup and a quick reference while the detective was out and about. The stick has not been recovered.
David Smith, the ICO's Director of Data Protection, said: "This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine." He continued: "It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action."
The force had actually issued the officer with an encrypted memory stick, but he replaced this with a larger-capacity device when it filled up. The ICO claims that several members of Greater Manchester Police regularly used unencrypted memory sticks, even after the force had been warned about data protection after a similar security breach two years ago. The previous incident was taken into account when the watchdog issued the penalty. It has the power to fine organisations up to £500,000 for breaches. The force will take advantage of a 20% early payment discount and pay only £120,000.
The ICO's Smith concluded: "This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes."
Greater Manchester Police has now put in place security measures to stop downloads of data to unauthorised devices. In an amnesty held after the data breach, Manchester officers handed in about 1,100 personal or unencrypted USB sticks.