Data breach hits thousands of motorists

Another week, another data breach. Personal details of thousands of drivers in Northern Ireland have gone astray after two CDs sent by courier failed to arrive at their destination.

An internal inquiry has been launched after staff at Northern Ireland's Driver and Vehicle Agency (DVA) admitted losing data on a total of 7,685 vehicle owners and their vehicles. The missing information consists of the owner's name and address and details of the vehicle, including its make, model, colour, registration and chassis number.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The data, which was contained on two CDs, was being sent from the DVA in Coleraine to the DVLA (Driver and Vehicle Licensing Agency) in Swansea in response to vehicle manufacturers needing to contact owners about potential faults with vehicles. The CDs went missing in transit after being sent via a Parcelforce Worldwide tracked courier service.

In a statement about the breach to the Northern Ireland Assembly, Department of Environment minister Arlene Foster said the CDs had been tracked at every stage of the handling until they reached the company's central hub in Coventry but said there is no record of the packages leaving the depot.

She said: "Parcelforce believe they were dispatched to their Swansea depot but did not arrive there. In spite of extensive searches at the depot, they have not yet been found."

The data has already been resent to the DVLA via a different method but Foster said courier delivery has been used for sending "this type of data… without incident for many years".

She said: "Due to the nature of the data on the disks, encryption was not used. It is ironic that an internal review instigated by the Agency after the child benefit disks went missing in GB identified this method as a systemic weakness a week after the disks had been sent."

The DVA has written to every vehicle owner involved and each record has been flagged to alert staff in the event of any misuse of the data, according to Foster. A helpline has also been set up for customers to call with any concerns. But "in view of the limited nature of the data on the disks", it is not likely any of the people involved would need to take any action, she said.

Foster added: "I sincerely regret that this error has occurred and any inconvenience or concern caused to the keepers of the vehicles involved. As well as the internal review carried out by the Driver and Vehicle Agency, all issues regarding the handling and transmission of data are being examined urgently as part of the review across all departments… on the security of personal data.

The data protection watchdog the Information Commissioner has been informed and has agreed to carry out an audit of data security in the DVA.

In related news, a consultation has been launched into how personal information is used and shared in the public and private sectors, as part of an independent review of data-use announced by the UK government back in October. The consultation is being led by the Information Commissioner, Richard Thomas, and Dr Mark Walport, director of the Wellcome Trust and a member of government advisory body the Council for Science and Technology.

Among the questions it will consider are whether the Data Protection Act offers sufficient safeguards and whether there are lessons the UK can learn from other countries.