Newcastle City Council has compromised private details of up to 54,000 people who made payments to it by credit or debit card between February 2006 and April 2007. The council said details were "inappropriately released" of transactions for "council tax, business rates, parking fines, and rent payments... other services, such …
I've said it before
"Apparently, the file in question was placed on an insecure server and subsequently uploaded to "a computer address registered outside the country"."
Please see my comments on data breaches over the last six months.
It's called "operator headspace error"
How many more?
Just how many more of these "inadvertent" releases of sensitive data are we going to see before the Government acknowledges that keeping lots of sensitive data in one place is A BAD IDEA? These things are honeypots. The riff-raff will keep on coming back to them until they get away with the goodies.
NHS NPfIT, IPS Nat ID Register, DVLA Driving Licence Register, big company HR records (must contain copies of passport or similar to prove entitlement to work). The sort of abuse described in this article in one of these database systems will destroy the lives of innocents caught up in the drive to record everything about everyone.
Say US Banks do it in bigger numbers on a daily basis with impunity!
Just how difficult is it to create a PGP'd "virtual" drive to store this data?
fundamental security problems
"we spotted this situation through the thoroughness of our own security and checking systems"
Hmm. From reading the press release on Newcastle City Council's website it sounds to me like their online payments system was configured incorrectly.
They appear to use RadiusICON. According to the literature for this product:
"On-line authorisation of the payment is key to the Local Authority, as it guarantees payment ... The call to the acquiring Bank or merchant service provider is via an ISDN line ... In the case of RadiusICON, a separate secure card server makes this connection and stores the card transactions. On successful completion of the payment, a record is also written to the RadiusICON database."
I would suspect that they erroneously put the "secure card server" in their DMZ and allowed public access to it. Or perhaps, to save cost, they ran the card server and the web server on the same box.
A question to ask is why they are storing credit card information at all. All they need to store is whether the payment was successful or not.
In any case, it implies that they failed to properly consider the security when setting the system up. A serious failing indeed; I am not at all reassured by their claims that their systems are now "properly robust".
Let me predict...
... that the chocolate teapot of the ICO will do precisely sod all
legislate big fines
Why can't we have a simple system that says "you hold my details and lose them, you give me 1000 pounds towards rectifying it", so in this case the fine would be 54,000 x 1000 = 54 million. That is a bit more of a deterrent to companies to be a bit more bloody careful with MY data.
Currently there is NOTHING aside from bad pr to get the bean counters to spend money on decent data security.
"Just how difficult is it to create a PGP'd "virtual" drive to store this data?"
Have you ever worked for the gummint? If so, have you ever tried to suggest anything remotely sensible to your superiors? "Why don't we do (n) instead of (x,y,z)? It would be easier and take half the time."
They look at you like you've got two heads.
Those who have nothing to fear have nothing to hide
I already know my council (Bedford Borough) makes unauthorised disclosures of personal information. I do my very best to make sure they have as little as possible, so that I can live my life in peace. I won't trust them with direct debits or credit card numbers.
The information commissioner needs to get a grip and actually start prosecuting these organisations and barring them from processing personal data for, say, 6 months to start. Better still, put the chief executive and leader of the council in jail for 6 months as well. Force automatic compensation, but make it personal on the officers and councilors.
In my case, he (the information commissioner) just told them to update their files! What a waste of paper he is.
We need real data protection with real penalties that actually make these people terrified of anything getting out. They won't talk so glibly of their security procedures again!
Two penny worth ..
Breaches like this aren't unusual and we can be confident that considerably more are happening than we ever see in the media. By the way, we have to thank the media, as we do not have any statutory obligations upon organisations to disclose data breaches, unlike in the US. So it's our closest thing to an ally with regard to privacy in this information economy.
Yep, it is a monumental problem, though the Council is being a little naive with comments which reflect their opinion that nothing much seems to have happened with regard to these lost details. Experience of working within this field has shown that the modus operandi of cyber theft is to store details, create identities and exploit them over longer periods of time. Maybe they should get their security specialist back in to explain this.
Comments about the ICO are fine, but I have a lot of sympathy for the department. The Commissioner has made it clear that the state of Data Protection is pretty poor in the UK. He, along with the National Consumer Council's CEO, wants better protection of the citizen’s data. However, their current powers and enforcement capabilities are pretty limited in comparison to the amount of data out there and the number of organisations subject to the Data Protection Act.
I do however agree with comments that a maximum fine of £5000 is not an effective deterrent. It is a little inequitable when compared to fines of £900,000 handed out for loss of banking information. It is, after all, just a different part of the financial information about the individual.
I do believe that attitudes within the public sector will hopefully change. "Trust" will be an essential part of the relationship between society and the state in the future. When I use the term “Trust” I mean trust in the people who gather, use and manage information about us in the public and private sectors, not the IT / ICT systems. After all, they do what we tell them to! And in this case they failed, for whatever reason, to adequately assess the risk and control it.
What could make a difference in driving organisations to take data protection seriously? If Newcastle Council received 54,000 complaints someone would have a lot more explaining to do. So in another way the more effective tool would be the general public because they vote for the Councillors to whom the CEO is accountable.