Home » Topics » Cybersecurity » Glasgow City Council fined £150k after unencrypted laptops stolen

Glasgow City Council fined £150k after unencrypted laptops stolen

Avatar photoby Ben Rossi

Scotland’s largest local authority faces has been fined £150,000 after two unencrypted laptops containing thousands of citizens' personal information were stolen.

An investigation by the Information Commissioner’s Office (ICO) found that laptops were stolen from unlocked storage lockers in Glasgow City Council’s offices on the 28 May last year, during refurbishments.

One of the laptops contained the personal information of over 20,000 people, including 6,096 people’s bank account details.

The ICO's investigation discovered that a further 74 unencrypted laptops belonging to the council remain unaccounted for. At least six of these known to have been stolen, the data protection watchdog said. 

“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief,” said Ken Macdonald, the ICO’s assistant commissioner for Scotland.

“The fact that these laptops have never been recovered and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.”

This is not the first time Glasgow City Council has been slammed for data protection breaches. In 2009, a memory stick was lost containing sensitive data including the details of sex offenders, their victims and witnesses. 

The ICO says it had warned Glasgow City Council to encrypt mobile devices in 2010, and again in 2012, and that the latest breach of policy shows what the ICO called "fragrant disregard for the law and the people of Glasgow." Most devices were encrypted but the unencrypted laptops were issued to staff due to software problems.

As part of the report, the council was criticised for failing to ensure that IT suppliers issue encrypted laptops.

“This data loss should not have happened and we took immediate steps to ensure it does not happen again,” said a spokesperson for Glasgow City Council in a statement.

“It is important to note that the number of unencrypted laptops was already coming down when this theft occurred.”

The council said it is co-operating fully with the ICO and has informed those potentially affected of the incident. Iit is taking “significant remedial action” but declined to offer any further details. An enforcement notice has been served requiring the council to carry out a programme of retraining for managers and full of audit of its IT equipment. 

Serco, which delivers IT services for Glasgow City Council, told Information Age it is working closely with the council but had nothing further to add.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach
Government & Politics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise