The Prime Minister pledged today to give the Information Commissioner the right to perform spot checks on government departments in the wake of the HMRC ID debacle. However, Gordon Brown’s statement will do little to placate the ICO, which has demanded it be allowed to launch criminal prosecutions against organisations that play …
Haven't we been here before?
We've been through the "Government should be open to criminal charges if they do <X>, <Y> or <Z> wrong". We've already heard their answers -- having the Government dragged through the courts for its fuck-ups isn't in the public interest, because it undermines public confidence in the Government. And yes, they do say this with a straight face (an achievement for which *total* respect is due IMO!).
Of course they're not going to give the ICO the teeth to bite them in their own arses!
"down to an individual circumventing the regulations"
What utter crap. Anybody with the slightest understanding of information security knows that this is a complete fabrication and a pathetic attempt to offload the blame from the criminally incompetent management of this department.
The questions that need to be asked are:
1) Which senior managers in the NAO and HMRC agreed the transfer request for the data? If none then file criminal charges against the directors of both departments and dismiss the ministers / civil servants responsible.
2) When senior manager permission for the data transfer was given what analysis was done of which data fields were actually necessary for the purposes of the NAO work to allow the data to be masked before transit? This was clearly not done as there is too much identifying information, the records are clearly just a database dump. The resolution here is the same, criminal charges for directors and immediate dismissal of the ministers / civil servants responsible.
3) How was a junior who was unaware of the alleged processes able to access this data without senior management approval? How many thousands of pimply faced youths in HMRC have un-audited and unrestricted access to this data? With this level of systemic insecurity we must regard the data as completely compromised from the instant HMRC have it as the probability of it not leaking out is almost zero. The resolution is again, criminal charges for the directors and immediate dismissal of the politicians / civil servants responsible.
4) Why did the access log for the database that showed a complete export not flag a security check that required confirmation of receipt instead of waiting for the PFY to report it? The explanation is simple, there is no access security or logging in use on this system, it was designed by the incompetent at the request of the inept. (consultant - politician). Same resolution except the directors may wish to point the finger at the outsourcer in their court defence. In a private company the restrictions on who has access to a customer database for an export are significant and any unauthorised access attempt is logged and actioned.
The issues around the alleged processes, data encryption, method of shipping are all completely secondary, this was not an IT failure. This is indicative of a pervasive and systemic failure of all involved from the minister down to understand even the basics of information security, be it on paper, disk or any other media. You have to understand that sooner or later you will lose media and have processes that work in this inevitable circumstance.
With a previous employer where we did managed hosting we would not even allow customers' data to be sent to a shared tape library without being encrypted first to avoid the risk of accidentally restoring one customer's data to another customer's system.
The idea that the UK government is competent to operate a national identity register would be laughable if it were not so serious. Once the NIR is in place the brain dead politicians and plod will assume that your identity is valid unless you can prove otherwise, "it was checked 'gainst yer biometrics weren't it?". How do you plan to prove otherwise when every dodgy 419er can bittorrent your entire NIR entry and print out some contact lenses and false fingerprints?
Perhaps we should transfer Sir Ian Blair's MP5 toting death squads to the Information Commissioner's office, perhaps the threat of immediate and permanent resolution of data security issues would change behaviour in government and industry. Whilst there are no effective penalties why should anybody care about these laws?
"the HMRC breach was down to an individual circumventing the regulations"
I'm sorry but with technology you don't just write up a set of regulations. along with policy and procedure these are next to useless for the real thing. instead you ensure that you have technical barriers that prevent such behaviour.
ie you enforce the regulation.
simply put, there is no reason why 'junior' could do a "select * from child_benefit;" (or even "mysql_dump child_benefit > /dev/dvdr" ;-) ) - you ensure the database is protected and that accounts can only do certain things. this is basic 101 SQL management.
as for legal proceedings. highly pointless. not a single thing happened in the cash for honours (though it is blindingly obvious!) and not a single action has been taken for the UK going into an illegal war. both as serious, if not worse!
I predict the future!
I just know what's going to happen here... Government agrees that the criminalising of loss of data is a good idea, but should not apply to government due to reasons X, Y and Z.
The rest of us end up with onerous legal requirements, that the government ignores (like it does now anyway), and we pay for their 'learning opportunities'.
Enforceable outside the UK
Can they charge the poor folk in the Indian contact centres where the work is/has moved to?
What about Eastern Europe where their 'Consultants' outsourced the 'IT type stuff'...
So it's a load of hot air!
It's not about the individual . . .
"Brown defended Whitehall’s record on data protection and its rules, saying the HMRC breach was down to an individual circumventing the regulations."
Privacy cannot be ensured by the existence of regulations. It is ensured by systems that can be shown to substantially enforce those regulations, regardless of individual behaviour. Nobody should be too concerned about the individual who did this; internal procedures will deal with him/her appropriately.
No individual, up to and including Gordon Brown, should have been able to copy the data onto CD. It should have been simply impossible. The NAO's request for a copy of the data should have been flatly refused. What they (presumably) required was the ability to make specific accesses to the database, or possibly statistical extracts. Bank account details???? NI numbers? Personal identity information? Boggle.
Nice to know...
...that things are just as f*cked up on both sides of the pond.
Who'd have thought that if you merge two enormous departments, sack a quarter of the staff and then get yourself into a situation where the outsourced IT contract is so inflexible that running a simple SQL query is a chargeable extra, that something might go a bit wrong?
And just for the record - "junior official". Bollocks. Senior manager trying to keep his job more like.
Just one bloke ?
Yeah, right, Channel 4 news just reported it was a management-level decision to send all of the data when only some of it was requested.
Now, will it be understood ....
.. that having nothing to hide does not mean nothing to fear.
How many times do we hear those with nothing to hide have nothing to fear ? Yet, here is precisely the reason why there is always something to fear.
What will happen, a few platitudes in Parliament, a bit of grovelling by ministers and then ? Nothing, nothing at all.
Do you want YOUR personal information broadcast to anyone that wants it ? Do you want the hassle of identity theft ? Have you realised that you DO have something to hide and that there is PLENTY to fear.
Get real, support No2ID and let your MP know that if he votes for ID cards, you won't vote for him.
Criminal penalties for data breach
Probably a good idea on the whole, but beside the point in the present case - HMRC staff are already subject to them, I think it's up to two years. I assume that this includes stupidly disregarding the rules practice as seems to have happened this time.
The usual suspects
If you wanted to predict the size or the exponential of the sub-prime market in the UK for the next 30 years you'd run a query like that wouldn't you?
Have you heard of the biggest bank heist in the history of civilization? It's called the £26Billion Treasury Reserve Heist. "You can pay for it but you can't have shares in it". Sounds like a good deal, not! Coming soon, no actually it's still happening, oh dear.
Not only did they want to keep all the dosh, they wanted to run a tiny little database query as well, as a sweetener like. And everything was fine of course until ....
'ello, 'ello, 'ello? What's going on here then? You're all nicked, said the formerly disgruntled AC rubbing his hands together with glee. 'Never look a gift horse in the mouth me ol china plate' I said, 'e said 'you're not wrong.'
Do you feel a class action coming on? All aboard!!! Oh... aren't they above the law? Oh dear.
All conjecture I assure you. Haw haw. The hapless office junior is to be commended. He or she is a subcultural hero. (blink).
Systemic failure not an individual
Oh so easy to paint (or encourage the media to paint) a picture of a pimply youth downloading data to a couple of CDs and sticking it in the 'post'. Let the "Knowledgeable" IT community bemoan the lack of any intelligence in their brethren in the public sector.
Running a 25m record dump is not a trivial task.
To get this data would have required approvals, change requests and costs from the IT supplier. There were opportunities to say "hang on a minute" but they were not taken. Systemic failure not a rogue operator.
There are parallels elsewhere: Barings, Space Shuttle 'O' rings, Texas City Refinery, the list goes on and as with all of these the consequences will unravel in ever increasing circles.
Auditing - we don't do it, but we know a man who can.
Even with all that's gone on the PM said (as reported)
"....that the ICO should be able to carry out spot checks on government departments to audit their data protection procedures."
Though all large private companies have to be audited, something that is carried out internally and externally at least twice a year, this government seems to admit it is not something that is currently undertaken - how do they get away with this?
Then there's the Newsnight interview with a treasury spokesperson who states that there will be lessons learnt. Is the storage of private citizen's personal data something new, something that has just started to happen in the last two months? NO, it's been happening for decades.
The biggest problem today, in the public and even the private sectors is that the larger the remuneration package you're on tends to be directly proportional to your IT illiteracy.
All too often the “junior official’s” judgement and thoughts, those that work at the technical level, are dismissed and policies defined to secure data are waved aside to facilitate those in the higher echelons who are IT backward and think it beneath them to learn how to use the IT tools provided to them, appropriately.
When it comes to government there should not be one single person responsible for any IT capability in a position where not-knowing would denigrate the security of any individual’s personal data security.
IT education isn’t enough; it’s significant IT experience that truly counts.
Government are all numpties
Is it just me, or does anyone else think that all MPs and MSPs are all a complete waste of space and money??
Gordo, you can stick the national ID database up where the sun don't shine if you are going to use a scapegoat every time someone copies one of our national databases onto CD and posts it.
This country has had it, basically we just all sit here and take the rubbish, high taxes, fuel prices, carbon neutral spin, incompetence of the highest order and of course we pay these people in the government a lot of money to give us this utter guff.
Doesn't matter which party is in power, they are all the same, complete garbage, they just wear a different colour of rosette on polling day.
EDS involved - no surprises there, then
It says in The Times that:
"...the NAO requested data on child benefit claimants in a “desensitised” form, with bank accounts and other personal data removed, in March.
"...the reason given for turning down the NAO request was that desensitising the information would require an extra payment to the data services provider EDS."
So that means that EDS supplied a system that doesn't let you specify which fields you want downloaded, AND that HMRC doesn't have any IT staff who can write a simple SQL statement. Brilliant.
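Added example, not part of the comments above and not HMRC's or EDS's actual system: the technical barrier the commenters describe (an account that cannot run "select * from child_benefit", and an audit extract limited to desensitised fields), sketched with a per-role column allowlist. It uses SQLite's authorizer hook as a stand-in for server-side column-level GRANTs; the table, column and role names and the sample rows are hypothetical.

```python
import sqlite3

# Constructed sample rows; table and column names are hypothetical.
ROWS = [
    (1, "A. Example", "AB123456C", "00-00-00 12345678", "NE1", 18.10),
    (2, "B. Sample", "CD654321A", "11-11-11 87654321", "SW1", 30.20),
]

# Per-role column allowlists: the audit role sees only desensitised fields,
# the junior role has no read access to the claimant table at all.
ALLOWED = {
    "nao_audit": {"claim_id", "postcode_area", "weekly_amount"},
    "junior": set(),
}


def open_as(role):
    """Return a connection on which `role` can read only its allowed columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE child_benefit (claim_id INTEGER PRIMARY KEY, name TEXT, "
        "ni_number TEXT, bank_account TEXT, postcode_area TEXT, weekly_amount REAL)"
    )
    conn.executemany("INSERT INTO child_benefit VALUES (?,?,?,?,?,?)", ROWS)
    conn.commit()
    allowed = ALLOWED[role]

    def authorizer(action, arg1, arg2, dbname, source):
        # SQLite calls this while compiling each statement, once per
        # operation; for SQLITE_READ, arg1 is the table and arg2 the column.
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if (action == sqlite3.SQLITE_READ and arg1 == "child_benefit"
                and arg2 in allowed):
            return sqlite3.SQLITE_OK
        # Everything else is refused: other columns, writes, schema changes.
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def try_query(role, sql):
    """Run `sql` as `role`; return the rows, or a DENIED string if refused."""
    conn = open_as(role)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"DENIED: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    extract = "SELECT claim_id, postcode_area, weekly_amount FROM child_benefit"
    print(try_query("nao_audit", extract))                        # desensitised rows
    print(try_query("nao_audit", "SELECT * FROM child_benefit"))  # refused
    print(try_query("junior", "SELECT * FROM child_benefit"))     # refused
```

The refusal happens when the statement is compiled, so a full dump fails before any row is read, whoever is logged in under that role.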
@ Scott - Government are all numpties
The UK is governed and controlled by expensive, self serving morons.
But if we are so smart - why are we letting them do this to us?
If we are in charge of IT and the UK cannot function without IT let's hold a national "outage" day - I suggest the first Wednesday of every month.
If we were all "maintaining" our networks and systems at the same time perhaps we could bring about change.
Cost of a SQL query
Enormous expense? 'select ..., ..., from ...'?
How many companies apart from HMG are allowed to select their own data for the auditors to look at ?
I don't think we're being given the full story. Based on my experience at a government department (where my wife still works) I would guess that:
The involvement of the junior official was probably limited to putting the disks in the post.
A more senior official would have had to request the data from the IT provider (EDS?). As this was an ad-hoc request then there would have been a charge. This charge was probably less for a database dump than for selecting specific data.
Errm, retroactive abortions?
hmmm, design a system for any idiot and an idiot will break it. seems calling for data security prosecution and investigations after this latest juggernaut are a wee bit too late.
it's time for gubmnt retroactive abortion -- where if you leak, you die.
Gov IT policy
Unfortunately, this is the way govt IT is going to 'reduce costs'. As an admin (who has a clue BTW) on a defence IT system, the 'new and improved' DII system that's supposedly coming in will make me redundant, outsource IT services (and data) to unvetted individuals and introduce fixed fees for such simple requests, such as £80 to restore a file from backup.
While I sympathise with the ICO what's the point? You prosecute and the organisation in breach is given a big fine. This is paid by HMRC (i.e. the Treasury) and given to, er, the Treasury. The deterrent value is what exactly?
I predict the following: A massive backlash bolting down all the Government's data tighter than a gnat's chuff. The whole Civil Service will be completely paralysed by the draconian security restrictions. The usual suspects providing Government IT will make a massive wodge of cash out of the process and the taxpayer. The fallout will cause questions in the House, senior Heads Will Roll and suffer the usual draconian punishment of, er, a massive payoff and retirement on a full index-linked pension.
From the OED, Civil Service edition: Accountability - something odd that happens in the Private Sector when they balls things up catastrophically. Gravy Train - see "Terms of employment".
The NAO have been doing slightly dodgy fraud checks for years (eg http://www.foi.gov.uk/sharing/information-sharing.pdf see para 4). The ICO had something to say about this once, can't find a link. Over that time they've built up a relationship with a drudge at the inland revenue.
The NAO want the data again, so they either (i) make a request for filleted data, or (ii) just make the usual request. In case (i) the tame drudge says no can do, but I'll winzip the mdb on to a couple of cds; case (ii) the drudge winzips the mdb on to a couple of cds as usual.
Cue shit and fan: the NAO say we only asked for the filleted data but the oppo couldn't do that (it's a security thing, permissions or something, I always run as Administrator personally) but the oppo managed to get hold of a local copy (see our learned friend from local govt. somewhere in some comments about this) and whizz it off to his mate in the NAO.
If you're a local authority employee, your data are matched with any other data the NAO can get its hands on. You then get news items like this http://www.express.co.uk/posts/view/25897/Benefit-adviser-fiddled-handouts-for-himself
You may think this is a good thing. I think, at the least, it should be done openly.
more on the NAO's data trawling requirements here: http://www.audit-commission.gov.uk/nfi/dataspec/index.asp
News just in...
It’s now been confirmed that the Storm worm has crossed the man-machine divide.
The effects of the infection render the human liable to expose the data of private individuals by distributing it via CD or any other mechanism.
The source of the outbreak was identified as a building in the North of England though secondary reports of similar infections are now coming from Canada. See http://canadianpress.google.com/article/ALeqM5gXw0XtAiJejlZVkiOaVZMZpWvhGQ for further information.
World leaders are hoping the infection can be restricted to the commonwealth.
@ Anonymous Coward
'If we are in charge of IT and the UK cannot function without IT let's hold a national "outage" day - I suggest the first Wednesday of every month.'
Afraid that won't work as it will only inconvenience the general public.
An agreement that none of us will handle the systems that pay our elected representatives their salaries, pensions and expenses should sort it in short order.
Hit the people that cause the problem!!!
Anon for obvious reasons!!!!
@national "outage" day
You might be on to something there - no doubt we would get the sack for taking down services like that (unless EVERYONE did it), but there is certainly some merit to the idea of technology professionals saying something like "Look, all these ridiculous f***ing schemes hinge on technology - we are here to tell you that you don't have a clue. Oh, and by the way, to work in this job means that at least a fair proportion of us have the brains to see your bullshit for what it is."
NAO didn't request sensitive data
There have been reports that the NAO didn't actually want details of bank accounts (and potentially other parts of the data) but when requesting the information they wanted/needed from HMRC they were told it was too onerous to disaggregate the info and they could only have the full dataset.
Surely someone other than a "junior official" was involved in that decision (which is also bizarre given a simple database query could easily achieve that).
This shows that the government has learnt nothing from the abuse it has (rightly) taken over the past few years for its obsession with spin and lying to the public when their first reflex is still cover up.
How long do we have to wait for an election?
Re: How long do we have to wait for an election?
Who are you going to elect? The Tories? The Liberals?
This is a phony democracy; a comfortable dictatorship; not a democratic state. The UK Government is an organised crime monopoly - vote and you get the same result, whatever you do. Don't vote and they call it 'apathy' (well they're not going to admit it's disgust and disinterest, are they?). The only reason I pay my taxes is that these people threaten my liberty.
The trick with this particular kind of totalitarian state is to make it comfortable enough to live in that people will not revolt, while shuffling faces occasionally without significant policy impact to give the impression of democracy. They're doing pretty well at it here; can anyone imagine a revolution? Not me. Thankfully there's still the option of emigrating.
@ Chris O'Brien
Re a simple database query to filter records
You would think so wouldn't you?
However - I have seen system vendors selling lock-in systems where they end up controlling your data and charging you for each different report. Had one in who wanted to provide reports in .pdf format - they had no intention of allowing the data owner to be able to access the data other than through their proprietaries and it was not possible for the customer (i.e. data owner) to run a query at the (SQL) database. The system was cancelled eventually but not over this issue. Government managers are quite happy for systems to prevent them from doing stuff because then they can't be expected to do it.
We have a duty
"We have a duty to do everything that we can to protect the public"
Except, obviously, what is actually necessary to protect said public. Such as implement proper procedures and authorizations and technical barriers that would enforce said duty.
Or maybe, just maybe, the word "public" is not actually used to mean the citizens but, in this case, when used by a politician, means "my colleagues who have monumentally screwed up" ?
I have to wonder about that.
"to work in this job means that at least a fair proportion of us have the brains to see your bullshit for what it is."
I'm a technical author and process analyst and I've been telling bullshit managers this for years. They actually know sweet FA about their own businesses which is quite scary. I work in IT and I'm constantly f*****g horrified about managers' attitudes to data. It's all down to Bottom Line.
The usual suspects ... again
It does appear that the said data has found its way to the 'square mile', The City of London. A powerful centre of world banking. Now there's a surprise eh? (see previous comment).
Join the dots people. We've got no idea how far reaching the whole scam is .. yet, don't forget. If I was Old Bill I'd be down there double quick, locking down their mainframe and going through all the log files with a fine tooth comb eh?