Parliamentary data leak addressed by ICO

The Information Commissioner’s Office (ICO) has looked into an incident during which the personal data of many MPs was left open to exploitation during ongoing IT work carried out in the summer of 2010.

As a result of the ICO’s investigation, the Independent Parliamentary Standards Authority (IPSA) has said that it will be clamping down to ensure that such an eventuality is not possible in the future.

For almost a full 24-hour period, details ranging from bank account numbers to home phone numbers were available to anyone who had access to an MP’s expense account login. This could have allowed rivals to search for incriminating evidence or unscrupulous workers to sell the data for personal gain.

The ICO’s Mick Gorrill explained that maintenance work on IT systems and databases would have to be completed with an adequate level of security in place to protect the details stored within. He also said that thorough testing of such systems subsequent to tinkering would avoid exposures such as this.

Mr Gorrill pointed out that the MPs whose data was revealed during this incident could have become the victims of fraud as a result.

Prevention of future events will be handled by the IPSA, which has followed in the footsteps of other public and private sector organisations by committing to one of the ICO’s formal undertakings. A reappraisal of how admin accounts are managed and how breach detection is monitored will be a key step instigated by the undertaking.

IPSA released a statement in which it explained that 11 MPs were directly impacted by this incident and that, upon being notified of the breach, it immediately removed the offending data access before alerting the ICO. It also said that in the aftermath of the incident, it was quick to act and plug any possible loopholes in the system following on from the maintenance.

The data loss incident has caused a complete restructuring of the access hierarchy for the Parliamentary expenses data, with greater restrictions added to stop unwarranted exploitation of sensitive information and the monitoring abilities augmented to make detecting these issues much simpler in the future.
