Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.
The Information Commissioner’s Office (ICO) issued Nottinghamshire County Council a fine of £70,000.00 for leaving sensitive personal data exposed online for half a decade.
The watchdog discovered the council’s ‘Home Care Allocation System’ (HCAS) was shared with care home providers using a simple link that did not require a username or a password.
The system contained a lot of personal information belonging to prospective and current care home users. Created in July 2011, the council was finally alerted to the security risk when a member of the public searched for HCAS online in June 2016 and found files readily accessible and completely unrestricted.
The unnamed individual who discovered unrestricted access to the sensitive data was horrified and noted the following:
“Should someone who would wish to prey on a vulnerable person, e.g. a thief, obtain these details it would not be very difficult for them to attend one of the streets listed, find where the carers attend and subsequently consider attempting a burglary or similar knowing the service user is very likely to be vulnerable or elderly.”
They also note the available information included whether the care home resident had been admitted to hospital recently, meaning someone could easily impersonate hospital staff and pay a ‘visit’ for illegitimate reasons.
At the time the security flaw was discovered, 81 users of care homes were reportedly listed on the HCAS directory.
Available information included:
This is enough to do some serious damages; especially to elderly and vulnerable people who can be more susceptible to scams. As rightly noted by the individual who discovered the flaw, once a criminal has access into a care home under false pretences, they could easily steal money and belongings from residents who may be powerless to stop them.
Head of Enforcement of the ICO, Steve Eckersley, condemned the council’s complete disregard for the vulnerable people’s data protection and safety, saying:
“This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”
He also addressed the responsibility organisations have when it comes to data protection:
“…given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
Nottinghamshire County Council have since taken HCAS off the public domain, but it notably took them five years and a £70,000 fine to do what they should have done when the system was first created.
The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.
EasyJet admits data of nine million hacked
British Airways data breach: How to claim up to £6,000 compensation
Are you owed £5,000 for the Virgin Media data breach?
Virgin Media faces £4.5 BILLION in compensation payouts
BA customers given final deadline to claim compensation for data breach
Shoppers slam Morrisons after loyalty points stolen
Half a million customers can sue BA over huge data breach
Lawyers accuse BA of 'swerving responsibility' for data breach
The biggest data breaches of 2020
Fill out our quick call back form below and we'll contact you when you're ready to talk to us.