Barnet Homes regrets to announce the risk of a data breach that could involve the personally identifiable data of our customers following the theft of an employee’s work laptop. There is no evidence to suggest that any information has been accessed, and only those residents living on the following estates in the Hendon area are believed to be affected by the risk of a data breach:
• Belle Vue
• Church End
• Brent Hill
• Woodburn Close
Barnet Homes has taken swift actions to contain the incident and is currently working with its IT department and the Information Commissioners Office (ICO) to investigate the incident and minimise any ongoing disruption.
On the evening of Saturday 22 May 2021 an employee’s work laptop was stolen from their car. The incident was immediately reported to the police and to Barnet Homes’ Data Protection Officer.
Barnet Homes’ IT equipment has robust security in place, with endpoint password protection in place on the laptop itself. Company information is further secured behind Microsoft Windows 10 Enterprise version with Multi-Factor Authentication. This requires the user account to be verified against the registered licence agreement before access is granted. The user account also needs be verified against a registered license agreement before being granted access, and a two-factor secure ID token is also required to verify active user accounts before a user is granted access to London Borough of Barnet’s’ firewall for sensitive data whilst working remotely. We therefore believe the risk of an unauthorised third party accessing this is extremely low. Network passwords have been changed to further minimise this risk.
Some customer information including names, addresses, contact details, and bank details is believed to have been saved on the laptop. Although the risk of this information being accessed is believed to be low, due to the potential risk of identity theft or fraud if it is accessed, we are making our customers aware so that they can be alert and take steps to protect themselves if necessary.
There is, however, no evidence at this stage to indicate that any information has been accessed, and we believe the risk to be very low due to the security measures that are in place.
Regardless, we recognise the concern and anxiety this may cause and deeply regret that on this occasion our customers’ confidential information could be at risk. Anyone concerned that their data or that of a close family member may have been breached should follow the guidance below under “What can you do?”. You can also email us at firstname.lastname@example.org, marking the email for the attention of the Data Protection Officer, if you have any questions.
The Information Commissioner’s Office has been informed and we have started an internal investigation into the full circumstances surrounding the incident and lessons to be learned. Our staff have been reminded of the need to ensure the security of work devices and customer data at all times.
Tim Mulvenna, Group Chief Executive of The Barnet Group, said:
“We take our obligations to protect people’s data extremely seriously. Please be assured that we value the information security of our customers, and we are currently working to resolve this situation. We have commenced a swift and thorough internal investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our customers that we have taken immediate steps to ensure the strength of our working practices.
Even though we believe this incident puts our customers at low risk of identity theft, we felt it was essential to notify them of the incident. While this is worrisome, we have no evidence that any third party has accessed any customer data. However, we want to advise our customers to be extra alert to signs of possible misuse of their personal identities.”
What you can do?
Signs that your identity has been stolen could include, for example, bills arriving for things you haven’t bought or for services you haven’t ordered, solicitor’s letters about debts that are not yours, an unexpected change in your credit rating, or credit cards arriving in the post that you did not apply for.
If you think that your identity or personal information has been stolen, report the problem immediately to Action Fraud, the UK’s national fraud reporting centre by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk.
You can also contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Once you have registered you should be aware that CIFAS members will carry out extra checks to see when anyone, including you, applies for a financial service, such as a loan, using your address.
CIFAS – The UK’s Fraud Prevention Service, 6th Floor, Lynton House, 7 – 12 Tavistock Square, London, WC1H 9LT
The Information Commissioner’s website includes more information that you may find useful: www.ico.org.uk/your-data-matters/identity-theft