Thousands of criminals’ details lost on USB key

22 Aug 2008

It has emerged that a memory stick containing personal details of criminals in Ireland and the UK has been lost.

The data, which includes the details of around 10,000 prolific offenders, as well as information on all 84,000 prisoners in England and Wales, is not encrypted and can therefore be accessed by anyone who finds the device.

The data lost includes information on around 30,000 people with six or more convictions in the past 12 months, including their names, addresses, dates of birth and release dates.

The UK Home Office was notified by PA Consulting on Monday that the device was missing, and it was confirmed that, despite CCTV footage being scoured and its premises searched, the stick had not been found.

“One of the challenges for businesses moving data around is the lack of security of mobile devices, notably removable storage devices such as USB memory sticks,” said Greg Day, a security analyst with McAfee.

“A recent paper from ENISA, published in June 2008, stated that USB devices present considerable risk as they usually lack security controls and are rarely covered by corporate security policies. With such gadgets being widely used in business today, companies need to be able to protect and account for the data stored on them, as they can easily be lost or left behind.”

Day said this latest data loss incident clearly highlights the challenge for businesses when sharing sensitive information with third parties, whether that data is being transferred electronically by email or carried around on storage devices such as USB sticks.

“Today, many organisations are still struggling to get a handle on their own data security practices, but as this example has again highlighted, they need to rise to the challenges relating to the sharing of information with third parties and understand their responsibilities resulting from such practices.

“It seems that a number of businesses are still catching up with their security procedures in order to bring themselves in line with data protection legislation. 

“This latest loss of information illustrates again that these issues need to be addressed sooner rather than later, in order to avoid any further embarrassments and to protect those people whose details may be at risk. Had the data on the memory stick been encrypted, its loss would have posed no risk.

“As a result of insufficient security procedures, this information could provide valuable information to those who may misuse it,” Day warned.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.