Last week I worked on a Sunday Times investigation into data breaches at internet cafes. Three reporters checked internet cafe computers around the country to see whether confidential data had been left in the computer memories.
And how. Simply by checking the desktop, documents and ‘my pictures’ folder, we stumbled across a treasure trove of private information: scanned copies of passports, visa applications, birth certificates, legal documents; a report from the editor-in-chief of a well-known property magazine detailing its legal struggles with a “confessed reformed cocaine addict”; a fax to a resident at the Dorchester referring to ‘the hostage situation in Cameroon’ and several databases of names, addresses and private details of vulnerable individuals left by care workers or civil servants.
The chain Mail Boxes Etc were the worst offenders, with no log-in/out process and irregular wiping of computer memories. I found documents dating back to mid-2012 on some machines. Many small independent cafes were among the best, such as the L2K Internet Gaming Centre in Manchester, which restricted users’ access to the computer memory.
The Information Commissioner announced that it would be investigating a number of bodies for a breach of confidentiality as a result of our investigation.
Full text is available on the Sunday Times website here, or after the fold.
Your secrets served up at internet cafes
Health, legal, banking and passport data is being unwittingly left on public computers for anyone to see
Published in The Sunday Times, 19 May 2013
A few minutes spent on pay-to-browse computers around the country uncovered a mine of sensitive, potentially damaging information left behind by customers.
Among the files were:
■ Care worker documents containing the names, home addresses and disabilities of vulnerable people
■ A database belonging to a government-affiliated company, listing the personal details of unemployed 18-24-year-olds
■ A draft of an internal company report mentioning the cocaine habit of a prominent businessman
■ Details of child models used by John Lewis for in-store advertising — left behind by one of their stylists
■ Private legal documents belonging to a celebrity
■ Numerous passports, bank statements, plane boarding passes, visa applications and insurance claims.
After being alerted to the findings, the Information Commissioner’s Office (ICO) has started investigating several companies for possible breaches of the Data Protection Act by their employees who had left information behind.
Reporters tested more than 50 internet cafes in London, Manchester, Birmingham, Nottingham and Carlisle. At each cafe we bought up to one hour’s use of at least one computer, and opened document folders freely accessed from the PC’s desktop or menu.
Many cafes have timed sessions and delete such folders after each customer logs out, but others have no such process of document deletion.
The worst offender was the office services chain Mail Boxes Etc (MBE), which has some 140 outlets in the UK, and on average charges £3 for half an hour. At an MBE branch near Victoria station in London we found more than 100 documents that had been scanned in by customers.
Among them were dozens of passports; a bank statement detailing transactions; a doctor’s note about a severe epilepsy sufferer; employment contracts; a signed power-of-attorney paper; a Visa application form; a chauffeur’s invoice listing clients and itineraries; and a literary agent’s invoices detailing a client’s royalty payments.
One cafe customer had left a spreadsheet headed “Database, Tower Hamlets Project”. This contained the personal details of 60 inner city youths believed to be on a government unemployment scheme.
There was also a series of scans headed “Respect Care Services — Community Care Worker Time Sheet”, which contained the details of the care workers’ clients, their addresses and a description of the care they require.
After being told of our findings, Respect Care Services said it had suspended two members of staff and would refer itself to both the Care Quality Commission and the ICO.
Worryingly, another care company document, a rota for Plan Care, showing equally sensitive patient details, was found at an internet cafe in Paddington, west London. Leaving sensitive client information in a public place is a breach of the Data Protection Act.
Gillian Anderson Price, who runs a vintage boutique in Mayfair and is an antiques expert on the ITV show Storage Hoarders, used her local MBE internet cafe in west London to download and scan some sensitive legal documents.
She was horrified to hear that reporters found them within minutes. “It is very sensitive personal information and I tried to delete the files when I was finished, by dragging them into the trash folder, but the system wouldn’t let me,” she said. “So I asked a member of staff to make sure he deleted them. I’m very upset that he hasn’t.”
There was also intrigue in the form of a handwritten fax addressed to a diner at Alain Ducasse at The Dorchester — an upmarket London restaurant — that appeared to be straight out of a thriller.
The communiqué, which we found at MBE’s Marylebone cafe in London, said: “I inform you that I had to make an emergency round trip on Cameroon in view of the events with the hostages.” The sender promises that despite the “international situation” he will settle “the case” shortly, and deliver payment of two cheques.
In Manchester, an MBE computer in Piccadilly included a draft report to the board made by the editor-in-chief of a property magazine.
It discussed the publication’s longstanding legal dispute with a named — and well-known — “confessed, reformed cocaine addict”.
Across the city, in the Deansgate branch of MBE, were CVs, job applications, boarding passes and scanned documents — including driving licences and a visa application written for a civil servant employed at HMRC, with his personal details.
At Brights Launderette in Mansfield Road, Nottingham, the downloads folder on one computer contained a letter from the regional director of a company operating a government contract helping people get back to work. The letter gave details of an investigation of a complaint by a client about an alleged data breach.
The ICO pledged to investigate the potential data-protection breaches. Anyone found responsible for failing to protect client data could face a fine of up to £500,000, says Steve Eckersley, the head of enforcement at the ICO, adding: “As a matter of best practice, internet cafes should wipe their customer data after every session.”
Simon Cowie, director of Mail Boxes Etc UK, said: “We only offer internet access at a small number of our outlets, but we will investigate this.”
Mike Rispoli, spokesman for Privacy International, said internet cafes that fail to wipe customer data were “lazy”.
“It’s laziness on behalf of the cafes not to just wipe this information after each session. There should be regulations and prohibitions in place. Until then, people just have to take responsibility and be careful about what they are sharing on these computers.”
Additional reporting: Ross Slater