ICO raps UK Student Loans Co for leaking MEDICAL files and more

Computer says d'oh


The Information Commissioner’s Office (ICO) has criticised Blighty's Student Loans Company for handing students' medical reports and other private files over to the wrong people.

In various blunders, records including medical notes and a psychological assessment were accidentally leaked to an unnamed outside organisation, sent to an unnamed third-party or simply posted to the wrong addresses.

The ICO carried out an investigation into the cock-ups, and faulted insufficient checks – particularly during the scanning of documents to add to accounts – for the mix-ups. The more sensitive the files, the less they were scrutinised by the loan company, the watchdog concluded.

Stephen Eckersley, head of enforcement at the ICO, commented on Tuesday: “For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after."

The Student Loans Company (SLC) has since promised to improve [PDF] its procedures and staff training. Further failures, particularly ones along the same lines, are likely to result in fines against the non-profit organisation by the ICO.

In the undertaking to try harder next time, the SLC noted:

The Information Commissioner was provided with a report on the 29 August 2012 which stated that medical details of a customer, containing sensitive personal data, had been sent to an external organisation in error. The Commissioner received another report on the 04 October 2012 that a further two incidents had occurred, one in which a psychological assessment of a customer, containing sensitive personal data, was disclosed to a third party in error and a second in which two items of correspondence were sent to an incorrect address.

Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer’s account. It was also found that whilst checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data.

Martin Sugden, chief exec of data classification and secure messaging firm Boldon James, said that the softly, softly approach to enforcement taken in this case so far is appropriate.

“The Information Commissioner’s Office continues to play 'good cop' with organisations that are careless with users’ data, but in this instance I believe they have done the right thing in allowing the Student Loans Company time to improve their data security practices," Sugden said.

He added: "Whilst this data loss incident may have only involved a small number of records, it’s highly concerning that there were fewer checks in place around the handling of sensitive documents than there were against other customer data. The student loan company knew the issues and they didn’t follow it through." ®

Bootnote

If you're wondering why on Earth Blighty's Student Loans Company has medical records to lose, consider that disabled undergraduates have to provide evidence of their conditions to apply for support grants.

Similar topics

Broader topics


Other stories you might like

  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
    Customer data collection and retention requirements also increased, including for crypto operators

    India's Computer Emergency Response Team (CERT-In) has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.

    The national infosec agency stated the short deadline is needed as it has identified "certain gaps causing hindrance in incident analysis."

    Organizations can use email, phone, or fax to send incident reports. Just how the analog mediums will improve improve analysis gaps is uncertain.

    Continue reading
  • Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft
    Life tastes not so good right now

    Coca-Cola confirmed it's probing a possible network intrusion after the Stormous cybercrime gang claimed it stole 161GB of data from the beverage giant.

    "We are aware of this matter and are investigating to determine the validity of the claim," Coca-Cola communications global vice president Scott Leith told The Register on Tuesday. "We are coordinating with law enforcement."

    The ransomware gang, which has declared its support for the Russian government's illegal invasion of Ukraine, this week bragged it "hacked some of the company's servers and passed a large amount of data inside them without their knowledge." It's now trying to sell the stolen data for about $64,000, or nearest offer "depending on the amount of data you want," Stormous wrote on its website where it leaks pilfered information.

    Continue reading
  • Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion
    Financial software giant slammed for 'poor security practices'

    Intuit is being sued in the US after a security failure at its Mailchimp email marketing business allegedly led to the theft of cryptocurrency from one or more digital wallets.

    In a proposed class-action lawsuit [PDF] filed in federal court in northern California on Friday, the plaintiff – Alan Levinson of Illinois – claimed he and potentially others fell victim to a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and funds siphoned.

    Someone earlier stole from Mailchimp details of Trezor's mailing-list subscribers, and used this information to reach out to those users with an email engineered to trick them into installing malware designed to hijack their digital wallets. Levinson said he believes millions of dollars in crypto-coins were stolen in this attack, including $87,000 from his own wallet.

    Continue reading

Biting the hand that feeds IT © 1998–2022