Sixteen thousand Council workers have been put at risk of identity theft after a laptop containing their personal data was stolen from IT supplier, Serco.

The laptop contained names, addresses, National Insurance numbers and bank details and was stolen in a street robbery in February 2007. Serco had the personal data as it is building a new human resources and payroll system for Worcestershire County Council.

The Council did not disclose the theft for more than a week in an attempt to avoid alerting the robber to the nature of the data contained on the laptop. The Council has since informed its staff of the theft and set up a hotline number to handle enquiries. A spokesperson for the council attempted to allay fears and said the authority was “not completely sure of the level of encryption” on the stolen laptop, “but our understanding is there was security on the machine”.

A joint investigation by Serco and the Council reported that “an employee of Serco, whilst wholeheartedly committed to the task in hand, allowed sensitive data to be inappropriately stored, contrary to Worcestershire County Council and Serco’s expectations.” The report adds: “Serco apologises unreservedly to the County Council, its partner agencies and staff for the loss of the data and the circumstances surrounding its loss.” The incident had resulted in unplanned costs “which in due course will be reimbursed by Serco”.

What you should do

Recent reports revealed that a criminal could obtain as much as £85,000 from each stolen identity in the UK. With this kind of exposure for staff – and the added threat of falling foul of the Data Protection Act – all public sector organisations should ensure they implement a policy addressing the security of all mobile devices, including laptops, PDAs and USB memory sticks.

We recommend the following:

  1. Establish a security policy for mobile devices:
    • Determine which users are entitled to use mobile devices
    • Define what types of file or data can be downloaded / synced by which users. For example, ensure that personal data is not stored on a mobile device
    • Make sure password protection and encryption are on
    • Ensure each device has up-to-date personal anti-virus and firewall settings
    • Enforce connection security
    • Enable device lockdown and allow for remote data destruction
    • Log device usage for compliance and enforce the policy where there is non-compliance
  2. Make users aware of the policy through their service agreements
  3. Review and update the policy regularly to keep up with change
  4. Add clauses to contracts with suppliers to ensure that they abide by your security policy
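The checklist above only helps if it is actually enforced against the device estate. The following is an added example, not code from the article or from either organisation it describes: a small Python audit that evaluates a constructed device inventory against the policy points listed (entitled users, permitted data classes per user, password and encryption enforced, anti-virus currency, firewall, remote data destruction). The device ids, user names, roles, dates and policy values are all hypothetical placeholders; a real deployment would pull the records from an asset register or endpoint management tool. Note that an encryption state of "unknown" is treated as a failure, which is exactly the gap the Council spokesperson's "not completely sure of the level of encryption" comment illustrates.

```python
"""Mobile-device policy compliance audit (added example, not from the article).

Evaluates a constructed inventory of mobile devices against the checklist:
entitled users, data classes allowed per role, password and encryption on,
anti-virus currency, firewall, remote-wipe capability. Every record, name
and policy value below is a constructed placeholder for illustration.
"""
from datetime import date, timedelta

# Constructed policy: which roles may use mobile devices and which data
# classes each role may download or sync. Personal data is never allowed.
POLICY = {
    "entitled_roles": {"payroll_developer", "field_officer"},
    "allowed_data_by_role": {
        "payroll_developer": {"public", "internal"},
        "field_officer": {"public"},
    },
    "max_av_signature_age_days": 7,
}

# Constructed inventory records (hypothetical devices, users and dates).
INVENTORY = [
    {"device": "LAP-0001", "user": "alice", "role": "payroll_developer",
     "data_classes": {"internal"}, "password": True, "encrypted": True,
     "av_updated": date(2007, 2, 10), "firewall": True, "remote_wipe": True},
    {"device": "LAP-0002", "user": "bob", "role": "payroll_developer",
     "data_classes": {"internal", "personal"}, "password": True,
     "encrypted": None, "av_updated": date(2007, 1, 5), "firewall": True,
     "remote_wipe": False},
    {"device": "USB-0003", "user": "carol", "role": "receptionist",
     "data_classes": {"public"}, "password": False, "encrypted": False,
     "av_updated": None, "firewall": False, "remote_wipe": False},
]


def check_device(rec, policy=POLICY, today=date(2007, 2, 12)):
    """Return the list of policy findings for one device (empty list = compliant)."""
    findings = []
    role = rec["role"]
    if role not in policy["entitled_roles"]:
        findings.append("user not entitled to a mobile device")
    allowed = policy["allowed_data_by_role"].get(role, set())
    disallowed = rec["data_classes"] - allowed
    if disallowed:
        findings.append("disallowed data stored: " + ", ".join(sorted(disallowed)))
    if not rec["password"]:
        findings.append("password protection off")
    # Encryption must be positively confirmed; None (unknown) counts as a failure.
    if rec["encrypted"] is not True:
        findings.append("encryption not confirmed on")
    if not rec["firewall"]:
        findings.append("firewall off")
    av = rec["av_updated"]
    max_age = timedelta(days=policy["max_av_signature_age_days"])
    if av is None or (today - av) > max_age:
        findings.append("anti-virus signatures stale or missing")
    if not rec["remote_wipe"]:
        findings.append("remote data destruction not enabled")
    return findings


def audit(inventory=INVENTORY, **kw):
    """Map device id -> findings for the compliance log; only non-compliant devices appear."""
    report = {}
    for rec in inventory:
        findings = check_device(rec, **kw)
        if findings:
            report[rec["device"]] = findings
    return report


if __name__ == "__main__":
    for dev, findings in audit().items():
        print(dev)
        for f in findings:
            print("  -", f)
```

Running the script lists LAP-0002 (personal data present, encryption unconfirmed, stale anti-virus, no remote wipe) and USB-0003 (every check fails, including a user who is not entitled to a device at all), while LAP-0001 is silent. The same findings dictionary is what you would write to the usage log the policy calls for, so non-compliance is recorded before a device goes missing rather than reconstructed afterwards.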