Greater Manchester Police has been fined £150,000 over the theft of a memory stick with information on more than a thousand people involved in drug squad probes.
The unencrypted USB stick was stolen in a burglary of a police officer's home in July 2011, the Information Commissioner's Office said on Tuesday. The device, which had no password protection, was left in a wallet on the kitchen table, according to the privacy watchdog.
It contained personal data on 1,075 people gathered over 11 years by the officer, who worked in the Manchester police force's serious crime division, including its drug squad. The information was downloaded from files held on the force's network, to act as a backup and a quick reference while the detective was out and about.
"This was truly sensitive personal data, left in the hands of a burglar by poor data security," David Smith, the ICO's director of data protection, said in a statement. "The consequences of this type of breach really do send a shiver down the spine."
"It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action," he added.
The force had issued the police officer with an encrypted memory stick, but the detective replaced this with a bigger-capacity USB when it got full. The stolen USB has not been recovered.
According to the ICO, several members of the Manchester police regularly used unencrypted memory sticks, even though the force had been warned about data protection after a similar security breach two years ago.
The privacy watchdog took this previous incident into account when deciding to hit the Manchester force with the £150,000 penalty. However, the force will only cough up £120,000, as it is taking advantage of an early payment discount of 20 percent. Under powers granted a few years ago, the ICO can fine organisations up to £500,000 for breaches.
"This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes," Smith said.
The squad has now put in place security measures to stop downloads of data to unauthorised devices. In an amnesty held after the data breach, Manchester officers handed in about 1,100 personal or unencrypted USB sticks.