Glasgow City Council puts data at risk as 750 computers go missing

A report by Glasgow City Council has revealed a series of security failings that have potentially put sensitive data at risk after an internal audit.

Scotland's largest council carried out an audit of its IT estate following the theft of two laptops in May, only to find that some 286 laptops and 487 desktop PCs were unaccounted for, as well as close to 100 other items, such as smartphones and memory sticks. According to the report, an additional nine incidents of theft involving 37 pieces of equipment were recorded from council departments throughout the city.

Perhaps more startling is the revelation that the council does not encrypt data held on its desktop PCs and laptops as a matter of course. The two computers stolen earlier in the year contained details of approximately 17,000 bank accounts belonging both to major businesses and individuals.

Organisations should act as responsible custodians of sensitive information they are charged with.

A spokesman for Glasgow City Council admitted to IT Pro that the report shows the council has been poor at keeping accurate records of its IT equipment.

"We are now dealing with that situation and with the unencrypted IT equipment," he said.

This is not the first high profile data loss suffered by the UK's third city. In 2009, a similarly unencrypted USB stick containing personal details of listed sex offenders was lost and found its way into the hands of the media.

Chris McIntosh, CEO of security and communications specialists ViaSat UK said this latest report is merely the latest in a string of data leaks suffered by the public sector.

"A recent FoI request from the ICO found that local government accounts for a disproportionate amount of data breaches: Glasgow City Council's loss of 750 devices ... supports these findings by demonstrating a seriously flawed approach to protecting the sensitive information of customers and constituents," said McIntosh.

"Organisations should act as responsible custodians of sensitive information they are charged with and ensure that any contractors or external organisations they work with are held to the same level of accountability. Furthermore, data should be secured and wherever possible encrypted to ensure audits like these no longer throw up such dour surprises in future," he added.

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.