Anatomy of a Breach: Greater Manchester Police — 1,075 People Linked to Serious Crime on a Lost USB Stick

> series: anatomy_of_a_breach —— part: 045 —— target: greater_manchester_police —— records: 1,075 —— method: lost_usb_stick

Hedgehog Security, 30 September 2012

1,075 people linked to serious crime. On an unencrypted USB stick. Lost in a burglary.

In 2012, the Information Commissioner's Office fined Greater Manchester Police (GMP) £150,000 after a police officer lost an unencrypted USB memory stick containing sensitive personal data relating to 1,075 individuals linked to serious crime investigations. The data included information about victims, witnesses, and suspects — people whose safety could potentially be compromised if the data fell into the wrong hands. The USB stick was lost when the officer's home was burgled. It was never recovered.

The ICO's investigation found that GMP had failed to have adequate measures in place to prevent the loss of personal data stored on portable devices. Officers were using personal, unencrypted USB sticks to transfer operational data — a practice that was widespread but in direct contravention of data protection requirements. The breach echoed the MoD laptop theft of 2008 and the broader UK government data loss epidemic — the same failure (unencrypted portable media containing sensitive data), the same consequence (data loss through physical theft), the same root cause (policy without technical enforcement).


Unencrypted USB sticks — the breach that keeps happening.

The GMP breach was not an isolated incident. Throughout this series, we have documented the same failure repeatedly: sensitive data on unencrypted portable devices, lost through theft, carelessness, or burglary. The HMRC CDs (2007), the MoD laptop (2008), the Zurich Insurance backup tape (2008), and now the GMP memory stick (2012) — all share the same root cause and the same solution.

No Encryption = No Protection

An unencrypted USB stick provides zero protection when it is lost or stolen. The data is immediately accessible to anyone who finds it. Full-disk encryption for laptops and hardware-encrypted USB sticks are baseline controls that <a href="/cyber-essentials">Cyber Essentials</a> mandates. Our <a href="/penetration-testing/windows-build-review">build reviews</a> verify that encryption is enforced on all portable devices.

Personal USB Sticks in Operational Use

GMP officers were using personal, unencrypted USB sticks to transfer operational police data. This indicates both a policy failure (officers should not use personal devices for operational data) and a technical failure (USB ports should be restricted to approved encrypted devices). Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses USB port policies and removable media controls.

Victim and Witness Safety at Risk

The lost data included information about victims and witnesses in serious crime cases. If this data reached the wrong hands — the criminals being investigated — the consequences could include intimidation, witness tampering, or physical harm. The sensitivity of the data demanded the highest level of protection, and received the lowest.

Pattern Not Broken Since 2007

Five years after the HMRC breach prompted mandatory encryption across government, a UK police force was still using unencrypted USB sticks for operational data. The enforcement pattern we documented in the <a href="/blog/anatomy-of-a-breach-uk-government-data-loss-epidemic">data loss epidemic article</a> continued: policies existed, technical enforcement did not.
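
The gap between a written policy and technical enforcement described above can be checked directly on a Windows endpoint. The following PowerShell audit is an added example, not part of the original article or any Hedgehog Security tooling; it assumes a Windows host with the BitLocker cmdlets available and reads the standard Group Policy registry values for removable-drive controls.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
# Audits whether removable-media controls are enforced, not just documented.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent: the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$policies = @(
    @{ Control = 'BitLocker: deny write to unprotected removable drives'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
       Name    = 'RDVDenyWriteAccess'; Enforced = 1 },
    @{ Control = 'Removable storage: deny all access'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name    = 'Deny_All'; Enforced = 1 },
    @{ Control = 'USB mass-storage driver disabled (Start = 4)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name    = 'Start'; Enforced = 4 }
)

$results = foreach ($p in $policies) {
    $actual = Get-PolicyValue -Path $p.Path -Name $p.Name
    [pscustomobject]@{
        Control  = $p.Control
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Enforced = ($actual -eq $p.Enforced)
    }
}
$results | Format-Table -AutoSize

# Any one of the three controls stops plaintext writes to a USB stick.
$hostEnforced = [bool]($results | Where-Object Enforced)
if (-not $hostEnforced) {
    Write-Warning 'Nothing on this host blocks writes to unencrypted removable media.'
}

# Policy aside, report the encryption state of removable drives attached now.
$drives = foreach ($v in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
    $blv = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Drive      = "$($v.DriveLetter):"
        Label      = $v.FileSystemLabel
        Protection = if ($blv) { $blv.ProtectionStatus } else { 'unknown' }
    }
}
$drives | Format-Table -AutoSize
```

`RDVDenyWriteAccess` makes unencrypted removable drives read-only, so data can still be read from them; it only prevents data leaving the host in plaintext.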

The controls that prevent this exact breach.

For law enforcement, local government, and any public sector organisation handling sensitive personal data: Cyber Essentials certification mandates encryption on portable devices and removable media. Our penetration testing and build reviews verify that encryption is technically enforced — not just documented in a policy that officers and staff may not follow. SOC in a Box for Local Government provides continuous monitoring including data loss prevention that detects when sensitive data is being copied to removable media. And UK Cyber Defence provides incident response when a data loss is discovered.


The same breach keeps happening. Has your organisation solved it?

<a href="/cyber-essentials">Cyber Essentials</a> mandates encryption. Our <a href="/penetration-testing/windows-build-review">build reviews</a> verify it is enforced. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for data being copied to removable media. Because in 2012, five years after HMRC, unencrypted USB sticks were still losing the UK's most sensitive data.
