UK: Global Data & Privacy Update - 13 August 2015

2.4m customers' data compromised in Carphone Warehouse hack

The UK's Information Commissioner (ICO) is investigating a cyberattack that reportedly netted the names, addresses, bank details and credit card numbers of up to 2.4 million customers of mobile retailer Carphone Warehouse. The hack was discovered last week and the company began contacting affected customers at the weekend. The ICO issued a warning to customers to be aware of the risk of identity theft.

Pharmacies to gain access to NHS patient data

The body that oversees National Health Service provision on England has approved a proposal to grant pharmacies access to patient records, it emerged this week. Patient records will be available to large pharmacies and their concessions in supermarkets provided the patient consents, following a public consultation. Privacy campaigners warned the huge new resource will prove irresistible to large pharmaceutical companies, but NHS England said data protection laws do not allow health data to be shared for commercial gain. 

Cash lender fined for losing servers

The ICO revealed this week that it fined cash lender The Money Shop £180,000 for losing servers containing thousands of customers' personal data. The UK's privacy watchdog investigated the company following reports of a server being stolen from one store in Northern Ireland where they had not been stored in a separate, locked room in accordance with data protection rules. Another server belonging to a branch in Swindon went missing while being transported by couriers. The lost servers were thought to contain the details of thousands of local and national customers and employees with minimal encryption.

Survey reveals UK councils' data breaches

More than 4,000 data breaches were recorded against local authorities in the UK in three years from 2011, according to a study by privacy group Big Brother Watch. The study, based on responses to freedom of information requests, revealed how data was mistakenly shared or disclosed on more than 600 occasions, 5,000 letters containing personal data were sent to the wrong addresses and almost 200 devices such as USB sticks or laptops were stolen from councils across the UK. A spokesperson for the Local Government Association said there were relatively few breaches considering the volumes of data being processed.

Facebook urged to tighten privacy loophole

Facebook was warned last week of a "loophole" that makes it possible to harvest data from accounts which are linked to a mobile phone number. In research presented to an internet security conference, software engineer Reza Moaiandin showed that by using the site's "Who Can Find Me?" function to search for a user's mobile phone number, it was possible to exploit default privacy settings to obtain a user's profile pictures, name and location even if the user has chosen not to make their mobile number public. Moaiandin warned that criminals could use a simple algorithm to harvest data from thousands of profiles and potentially sell them on to the internet black market. Facebook responded by saying it did not consider the search feature a weakness.