The Information Commissioner’s Office (ICO) issued Nottinghamshire County Council a fine of £70,000.00 for leaving sensitive personal data exposed online for half a decade.
The watchdog discovered the council’s ‘Home Care Allocation System’ (HCAS) was shared with care home providers via a plain web link that required neither a username nor a password.
The system contained a large amount of personal information belonging to prospective and current care home users. HCAS was created in July 2011, yet the council was only alerted to the security risk in June 2016, when a member of the public searched for HCAS online and found its files readily accessible and completely unrestricted.
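Stripped to its essence, the ICO’s finding is that possession of a URL was the only access control on HCAS. The Python example below is added here for illustration and is not the council’s HCAS code (which is not public): it places that open-link design beside a hardened handler that demands a credential, limits each care provider to its own placements and records every access. The records, provider names and bearer tokens are all constructed for the example.

```python
"""
Added illustration (not the council's HCAS code): a minimal WSGI endpoint in
two forms. 'open_link_app' mirrors the failure the ICO described, a shared
link that returns every record to anyone who has the URL. 'authenticated_app'
requires a credential, scopes results to the caller's own placements and logs
the access. All data below is constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records, shaped like the categories the article lists.
RECORDS: List[Dict[str, str]] = [
    {"id": "SU-001", "gender": "F", "location": "hospital", "care_needs": "mobility",
     "package": "2x daily", "provider": "provider-a"},
    {"id": "SU-002", "gender": "M", "location": "home", "care_needs": "dementia",
     "package": "live-in", "provider": "provider-b"},
    {"id": "SU-003", "gender": "F", "location": "home", "care_needs": "medication",
     "package": "1x daily", "provider": "provider-a"},
]

# Constructed credentials. Only SHA-256 hashes of the tokens are kept server-side,
# so a leaked table does not hand out working tokens.
TOKENS = {"provider-a": "tok-a-example", "provider-b": "tok-b-example"}
TOKEN_HASHES = {hashlib.sha256(t.encode()).hexdigest(): p for p, t in TOKENS.items()}

ACCESS_LOG: List[Tuple[str, str]] = []  # (provider, record id) pairs, for audit


def _respond(start_response, status: str, body):
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def open_link_app(environ, start_response):
    """The flawed design: knowing the path is the only 'check'."""
    if environ.get("PATH_INFO") != "/hcas":
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    return _respond(start_response, "200 OK", RECORDS)


def _provider_for(environ) -> Optional[str]:
    """Map a presented bearer token to a provider, or None if it is absent or unknown."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Bearer "):
        return None
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    # Constant-time comparison against each stored hash avoids a timing side channel.
    for stored, provider in TOKEN_HASHES.items():
        if hmac.compare_digest(presented, stored):
            return provider
    return None


def authenticated_app(environ, start_response):
    """Hardened form: authenticate, scope to the caller's own placements, then log."""
    if environ.get("PATH_INFO") != "/hcas":
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    provider = _provider_for(environ)
    if provider is None:
        return _respond(start_response, "401 Unauthorized", {"error": "credentials required"})
    visible = [r for r in RECORDS if r["provider"] == provider]
    for r in visible:
        ACCESS_LOG.append((provider, r["id"]))
    return _respond(start_response, "200 OK", visible)


def call(app: Callable, path: str, token: Optional[str] = None) -> Tuple[str, object]:
    """Invoke a WSGI app in-process (no network) and return (status line, decoded JSON body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    print(call(open_link_app, "/hcas"))                       # anyone with the URL gets all 3 records
    print(call(authenticated_app, "/hcas"))                   # 401 without a credential
    print(call(authenticated_app, "/hcas", "tok-a-example"))  # provider-a sees only its 2 placements
```

Both apps can be served unchanged by `wsgiref.simple_server` for a live check; the `call` helper exists so the two behaviours can be compared without opening a port. Note that the hardened version still lacks transport encryption and rate limiting, which a real deployment would add in front of it.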
About the leak
The unnamed individual who discovered unrestricted access to the sensitive data was horrified and noted the following:
“Should someone who would wish to prey on a vulnerable person, e.g. a thief, obtain these details it would not be very difficult for them to attend one of the streets listed, find where the carers attend and subsequently consider attempting a burglary or similar knowing the service user is very likely to be vulnerable or elderly.”
They also noted that the available information included whether a care home resident had recently been admitted to hospital, meaning someone could easily impersonate hospital staff and pay a ‘visit’ for illegitimate reasons.
At the time the security flaw was discovered, 81 users of care homes were reportedly listed on the HCAS directory.
Available information included:
- Gender
- Location (including if the user was currently in hospital)
- Personal care needs
- Care package requirements
A dangerous data leak
This is enough to do serious damage, especially to elderly and vulnerable people, who can be more susceptible to scams. As the individual who discovered the flaw rightly noted, once a criminal has gained access to a care home under false pretences, they could easily steal money and belongings from residents who may be powerless to stop them.
Steve Eckersley, Head of Enforcement at the ICO, condemned the council’s disregard for the data protection and safety of vulnerable people, saying:
“This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”
He also addressed the responsibility organisations have when it comes to data protection:
“…given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
Nottinghamshire County Council has since removed HCAS from public access, but it notably took five years and a £70,000 fine to do what should have been done when the system was first created.