This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39167618,00.htm
Orange pulled up by privacy watchdog
Littlewoods also gets a rap on the knuckles from the Information Commissioner
By Tim Ferguson
Published: Friday 22 June 2007
Orange and Littlewoods have been found to be in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO).
The finding relates to customer details being left open to potential fraud or retained without customer consent.
Orange call centre employees were found to be sharing log-in details for the customer information database, meaning there was no way of knowing who had accessed data.
An ICO spokeswoman said: "It [the database] was potentially open to fraudulent use. It could potentially be quite serious."
However, an Orange investigation found no evidence to suggest customer data was disclosed to anyone who shouldn’t have access to it.
As soon as the company became aware of the issue, procedural compliance was tightened and a company-wide communication was sent out reminding employees it was against Orange policy to share log-in details.
Littlewoods were investigated after a customer continued to receive marketing material after requesting their details be removed from the company's database.
In a statement, Littlewoods said the issue affected one individual and was caused by a "clerical error which has now been rectified".
A Littlewoods spokeswoman said: "It's not indicative of a general failure to uphold the general data-protection principles."
Both companies have signed a formal undertaking with the Information Commissioner to comply with the principles of the Data Protection Act.
Paul Skinner, underwriting specialist at Chubb Insurance, said the ICO's ruling should be a "wake up call to businesses throughout the country to adopt stricter measures and working practices to protect confidential data".
If the two companies continue to fail, they could be subject to further ICO action, which could lead to unlimited fines in the event of the issue reaching a crown court.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.