Aberdeen City Council faces major data breach fine

Sep 23rd, 2013 / Category: Managed File Transfer

The importance of data security applies to organizations of all kinds. For-profit businesses have obvious incentives to protect their sensitive information, both to keep their intellectual property secret and to avoid a backlash from customers in the event that clients' personal data is stolen or exposed. Yet nonprofits and government agencies are also responsible for ensuring the integrity of the data they have been entrusted with. Failing to do so can not only undermine relations with participants and constituents, but also lead to serious fines and other sanctions.

This last point was recently demonstrated in Scotland, where the Aberdeen City Council was hit with a major fine following a data breach. Such incidents further emphasize the need for secure file transfer and related solutions for government organizations.

Paying the price
The fine was levied by the Information Commissioner's Office (ICO), which is tasked with enforcing a number of data protection laws that apply to U.K.-based organizations. If a firm experiences a data breach and negligence is found to be a primary cause, the ICO will likely fine that organization.

Such was the case with the Aberdeen City Council, which received a fine of more than $160,000 following a data breach that exposed records concerning the care of vulnerable children.

The breach occurred in November 2011, when an employee inadvertently uploaded a number of sensitive files to an online database. It was not until February 2012 that another employee discovered the records were accessible.

Unsecured policies
The cause of the data breach was a lack of data protection policies combined with employee error.

The employee used her personal PC to access a number of detailed, sensitive Aberdeen City Council records from her own home. This PC featured a file transfer program that automatically uploaded all of these files to an unsecured online database.

The Aberdeen City Council was found negligent in this case because it did not have an established work-from-home policy, nor did it have security measures in place that could prevent sensitive records from being exposed.

"As more people take the opportunity to work from home, organizations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," said Ken Macdonald, assistant commissioner for Scotland at the ICO. "In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information."

Better solutions needed
Speaking to Computing, Richard Anstey, CTO EMEA for Intralinks, said that this incident should serve as a warning for other organizations, and should lead to improved practices.

"Too many councils are getting fined and we are seeing this way too often - clearly lessons aren't being learned. Organizations should consider secure enterprise collaboration services which can maintain a higher level of document security and allow full and auditable proof of receipt," said Anstey, according to the news source.

A significant part of such an effort should be the adoption of advanced secure file transfer solutions. With these tools in place, employees can send and receive the documents they need whenever they need to, without increasing the risk of data loss, theft or exposure. Only by offering workers these solutions can organizations prevent mishaps such as this one. After all, if employees are not provided with secure file transfer options, they will almost certainly pursue less secure solutions instead.