

Health details of Hampshire workers stolen

12:31pm Wednesday 4th June 2008



CONFIDENTIAL tapes containing the personal and medical details of thousands of staff from Hampshire firms have been stolen.

The tapes contained highly sensitive information including details ranging from illnesses to home addresses.

Thieves targeted a security van while it was transporting the tapes between offices to be backed up.

The stolen data includes information on staff from a number of companies in Hampshire including finance giant Skandia.

Thousands of people have received letters telling them their details were on the stolen tapes that were owned by the company Medisure which handles healthcare cover for a number of firms in the county.

While the stolen tapes are said to contain no financial information, they did contain employee names, home addresses, age, details of dependants, details of any health care claims and scanned copies of correspondence.

Medisure insist that the data would not be easy for someone without specialist knowledge to retrieve from the tapes and that the risk of identity theft is low.

Skandia - which employs more than 1,700 people in its Southampton office - enrolled its staff on a scheme which was operated by Medisure.

One former Skandia employee, who wished to remain anonymous, said: "When you entrust important details to a respected company providing health care through your employer you expect your documents to be properly safeguarded.

"I understand from Medisure that the data was stolen by an opportunistic thief, surely a passing criminal shouldn't have the opportunity to steal my personal details because it falls into their lap."

Another said: "There may have been no financial information on the disk this time but surely that was just good luck not judgement. It is very concerning."

Lorren Wyatt, Director of HR at Skandia UK said: "Skandia operates a strict policy for data protection which insists that data is held securely. We have no reason to believe Medisure failed to meet its obligations.

"Our contract with Medisure ended four years ago and this incident is regrettable. However, we are reassured that the risk of the data being misused is low.

"Skandia has worked closely with Medisure to ensure all those affected, including past as well as current employees, are contacted and given full information about the situation."

A Medisure spokesman said they could not say how many people's details were on the stolen tapes or what other Hampshire companies were affected.

He said: "Our primary consideration throughout has been to work with each of the clients affected. All have been advised of the situation."

Somerset and Avon police are investigating the theft which took place in Bristol in April, although letters from Medisure to those affected have only just been sent out. A spokesman added that an arrest had been made.

The Financial Services Authority and Information Commissioner were also notified of the crime.


Your Say

Andy, Locks Heath says...
8:11am Wed 4 Jun 08

It may be embarrassing for Skandia but this was most likely an opportunist theft - if the data were encrypted it would be very secure even from companies with the facilities to read it, and even if it wasn't encrypted there aren't that many thieves around with industrial quality DLT or LTO tape readers. If they did however they need to have the various metadata and security information in order to read and make sense of the data on the tape (they were probably database logs), so I suspect we'll find the tapes dumped somewhere and a rather annoyed toerag cursing his luck. A lot of these scare stories in the media are more about incompetent procedures than danger of identity theft.

clair, All over Britain says...
2:24pm Wed 4 Jun 08

This is the age of disclosure - whatever details one gives on one's personal data, eventually it is public property and open to criminal intent. If you wish to keep one's life personal, one has to be a tramp of no fixed abode. I invite ideas as to how to keep one's life, social security, bank and married status free from these criminal sewer rats!!

Clair

Paul, Northampton says...
3:55pm Wed 4 Jun 08

Once again I see that "informed people" are saying it would be hard to read and the comment that "Industrial Quality" LTO or DLT drives are not available to thieves. Have a look at Ebay and you can get these drives easily and as to reading the data it is very straightforward. The defence that is being put up is just to try to cover the incompetence of companies when handling data. Targeted theft of data tapes started in the US once people realised it is an easy way to get large amounts of up to data. If they are not encrypted they can and will be read.

Andy, Lock Heath says...
10:11pm Wed 4 Jun 08

Paul, just try it. There are so many obstacles to a casual thief that it is hard to know where to start in demolishing your scaremongering. If you want to trade knowledge go ahead. Almost all tapes backed up by an industrial software product such as Backup Exec, RMAN, TSM etc will not even allow the tape to be read onto another server owned by the same company. Tell me, after you have bought your DLT unit on ebay, then what? What is your next move? And the move after that? Face it, even if you were in the market for a bit of personal data you don't even know what product backed these tapes up. You think it's just a matter of reading a bit of ASCII? Think again chum.

Andy, Locks Heath says...
10:21pm Wed 4 Jun 08

I forgot to mention, these days any company worth their salt only do incrementals or differential backups anyway so unless you have the original base backup tapes which may have been taken months ago then the offset data on the tapes you've pinched is just garbage. The important thing is not just to think of the theoretically possible but to assess the probability of all the other pieces of the jigsaw being there as well. Think of the upfront investment in time - months of effort attempting to decode all that data without even knowing if you are going to get any end product worth having. Would you? It's not even a question of reading the tapes if you did manage to break all the rest of the security conditions - how are you going to interpret the meaning of all the figures and numbers when they are locked up in a schema that isn't even on the tape because all you've got is the logs? Silly overreacting scaremongering.

Glyn - on shift, Fareham says...
2:14am Thu 5 Jun 08

Andy – most backup software writes data in plain text, TSM being a little different as you need to understand the basic relationship between the database and the data on tape – that said if these tapes are to be used for DR purposes they WILL have all the information required to bring your business back from the dead.

Your assertion that the data could not be read on another server, even one owned by the same company is a complete fantasy (a very poor backup philosophy if you can only restore data to the server it was backed up from) – We recently bought some second hand tapes on ebay, when we loaded them onto our system lo and behold they had data on them – we were able to read this data – employee details, HR disciplinary cases the lot – in just 10 minutes!

It would seem you have a basic misunderstanding of the way backup regimes work – incremental and differential backups are used in conjunction with the base full backup to recreate your system. If you only have these without the base full you can’t recover your own data.

Most companies as you say run this regime but must take a full backup or create a synthetic full to ensure data can be recovered in a timely fashion – this is normally done on at least a weekly basis so that in the event of a disaster the business can be brought back to a functioning state QUICKLY - imagine having to perform an incremental restore from your last full backup which was taken 1 month ago

The purpose of sending tapes offsite is to ensure that even in the event of a fire/flood/access to building being denied (as in the case of Buncefield) or some other failure which requires you to move from your normal business premises that data can be recovered and you can continue to function as a business – I’d hate to have you running my DR strategy if you only send your DB logs offsite.

The reason you take a backup is so that you can restore the data in case of a failure – by necessity it has all of your business on it – try explaining to the board why your backup tapes only contain useless logs and not the data required to send out invoices or pay your staff.

Andy, Locks Heath says...
7:56am Thu 5 Jun 08

Depends on which backup regime you are using Glyn. You seem to base your entire note on one particular software product and the working practices you use at your workplace which, as someone who buys tapes on Ebay, leave something to be desired. When you use phrases like "complete fantasy" to describe my assertions you lose the argument through hyperbole. You have decided in your mind that these are DR tapes with a general restore capability not backup tapes. You've also decided they are uncompressed, which is unlikely. You've also decided they are not using deduplication algorithms, which is now a big company practice. When you buy things on Ebay you will not be buying into industrial strength working practices so you should not equate professional company practice with the kind who sell (or indeed buy) tapes on ebay. You have no idea how many times those tapes were used or how they were stored, so how are you going to know when to replace them - wait until they break? Unfortunately for all the technical knowledge you have of your own backup system and practice you aren't thinking out of the box. Stop insulting me and I'll go easier on you - one informed source to another.

Andy, Locks Heath says...
8:08am Thu 5 Jun 08

Glyn, you misunderstand the difference between "data" and "information". What did you gain on your ebay tapes that you could not have got from the phone book or the electoral roll - how are you going to interpret all those codes without the schemas to interpret their meaning? Where one field ends and the next begins? A 1 is just a 1 without the metadata. Describe exactly how you could have gained from the apparent information on your tapes no matter how juicy it looked at first sight? By the way, your understanding of progressive incremental technology is limited by the product you are using (Backup Exec? Arcserve?). Check out backupset technology from TSM as an example of better science. Quicker to backup, quicker to restore. You are a small company practitioner with a one company product knowledge. Quits?

Lisa, says...
8:40pm Fri 6 Jun 08

I am looking at an encryption service for data called IronKey, which is designed for personal, business and home use . . different versions. The average thief may not be able to sort through these back up tapes to gain useful information, but what if it was not a crime of opportunity and these are tech savvy?

Darren, says...
3:53pm Wed 11 Jun 08

This is all getting very heated! This is just another case of corporate negligence - I'm sure we're all used to that by now! Companies lose data every day. Go to privacy rights dot org to see how much. Until regulations are enforced the only reason for companies to worry about protecting their customer / employee / supplier data with encryption is in case they get fined for losing it like Nationwide did. If anyone is interested in how to read data from backup tapes there's a video on you tube from Bosanova that explains how to do it. They read IBM AS400 tapes which have been described as 'protected by obscurity'. As far as the data itself goes it's all about quality and quantity. Lots of records for use for identity theft might cost 40p per record from India whereas high quality data with bank account details and account balances is worth up to $100 per record from Russia. Oh, don't forget that HMRC got away with it whereas BNY Mellon are being sued billions of dollars. The difference? In the US you have disclosure laws, in the UK you don't.

John Taylor, says...
5:17pm Wed 11 Jun 08

With all the bravado about DLTs, encryption algorithms, and whether or not a thief has or doesn't have the ability to hack a tape, everyone here is simply handwringing or strutting their mis-understanding. Quite simply it is the law that anyone who aggregates personal or non-public information has the responsibility to protect it. That's it. There is no way to be absolutely certain that it won't be stolen or misplaced, but every business, municipality, school, hospital, etc has the responsibility to do the absolute best they can to adhere to the three federal, and myriad state laws enacted for just that purpose.
Failure to adequately protect data entrusted to any entity constitutes a breach of trust and can result in prosecution and civil actions.
