Her Majesty's Revenue and Customs (HMRC) has lost two further CDs containing private information. Staff at HMRC have told police that another two CDs are missing, according to the Times. They contain information on thousands of people and were sent to offices in London, but have yet to appear. We called the Met, but it refused …
At this rate.....
....it would be easier for them to pick up on Intels new idea (Googles old idea!) about portable datacentres....then they could lose the lot without having to both with buring data to CDs in the first place!
no surprise, been going on for years
Every business that has outsourced it's IT or has remote call centres has a gaping hole in it's security. None of these companies have complete control over their data - most won't even know where it all is (there could be copies all over the place, unknown to the "owner").
Outsourcing usually goes to the lowest price bidder. That in itself is not compatible with top quality security (security == delays, reviews, processes, permission, authorisation, audits ....). Add to this the outsourcer will employ people predicated on salary, not professionalism.
Question: can you apply UK data security laws if the IT operation is run in another country? Or is that one of it's "benefits"?
Bad analogy ?
Icebergs float with 7/8 volume submerged - are you saying that there are another (25 000 000 x 7) records that have been lost ?
Sending personal data in this way has been happening on and off since I started with <small NHS trust in Scotland>. On at least one occasion, central offices have requested details of our entire payroll (thousands of staff) including addresses and bank account details, e.g. for the purposes of fraud prevention - the so-called National Fraud Initiative. I know that this initiative involves other major government financial agencies, principally the Benefits Agency, and continues right down to local government housing benefit and employment records etc.
Our local data protection officer offers no resistance to this practice and, when challenged on the matter, insists that sending the discs is allowable within the provisions of the DPA - i.e. the all-encompassing "anti fraud" clause.
What's more, these discs are actually sent twice - once from the payroll providers to our office for review and release (by computer-illiterate middle management) then a second time from our office to whatever agency has requested the data. The data is password "protected" with weak encryption and a weak password. Anyone with basic knowledge and software could get at the data with a simple dictionary attack within seconds.
I hope to f*ck this really blows up in some senior faces because I know that even within our small trust, this practise is green-lighted by board-level execs.
Re: At this rate.....
... it may be cheaper to try an AOL-esque free disc giveaway!
oh, individual isolated incident was it?
Further proof that the problems in dealing with sensitive data is systemic and nothing to do with what an unskilled junior clerk does....
This one doesn't count,
because they lost all this data last week. Shouldn't matter the second time around...
HMRC ain't the only one's
Following on from Anonymous Coward.
I'm unhappy to say the people running the NHSPfIT send round unanonymised patient data in a similar way on a regular basis.
Even more (NHS)
root certificates, with passwords, unencrypted, in unencrypted e-mails..
endemic lack of security awareness (PS the security guys do complain about all the practices that occur, but people just ignore them, its cheaper that way)
no alarms and no suprises
way back when i was working for da police in gloucestershire...each day sensitive material (cases involving rape, child abuse etc) had to be sealed and driven to court by an actual police officer. one week there was no-one to do it, so every day i would stroll across town with this nasty stuff under my arm. pretty scary, i felt, that it should fall to me a perpetually hung-over student to make sure this material got to its intended location - thing is, i was background checked and had to sign the official secrets act before i could even get into police HQ.
yes, i was a 'junior staff member' with access to a lot of sensitive info but had anything happend it wouldn't have been too difficult to trace the source of any leak. who is accountable, then, for the loss of an entire nation's personal details?
Old fashioned technology
Here's hoping that such departments will get the funding they need to upgrade all of their CD burners to DVD burners. I think we'll then see fewer discs going missing, don't you?
I'm just going to email Amazon UK and ask them if they have gone over to using TNT..If the answer is yes, they're out of the frame for my online shopping this Xmas.
Get that clerk!
I bet this junior official is responsible for every one of these leaks. Probably inserted the 45-minute claim, too. Get him!
Wonder where all these discs will surface? I assume they're being held by a sinister, disfigured individual with a bad accent and a white Persian...
At the values being discussed lately, I imagine the ransom demand could be quite substantial...
If your management doesn't pay attention to you...
... to whom should the local security person raise the issue of crappy data/security practices?
a) Direct to the Information Commissioner?
b) A stiffly worded letter to The Times?
c) To their blog?
d) On to Facebook?
e) A comment on el-Reg?
The Data Protection Act
According to the Data Protection Act:
As an individual you may claim compensation from the data controller for damage or distress caused by any contravention by a data controller under the requirements of the Data Protection Act.
The laughable thing is we'd end up paying for our own compensation.
Adding to the list...
... so we have gov't, NHS, what about education, just think how many schools and colleges hold data on their students. FE and HE are slightly more comprehensive as well, as fee paying students will have had to register their payment details. How up on Data Protection are these institutes?
There's a steady flow of information out of Newcastle.
My brother, having lived in France for years, reached pension age a while ago. So he contacted the DHSS for the first time in years, and gave them the brand new address he'd just moved to.
As he says: "It was notable that I received the El Gordo scam when ONLY the DHSS had my new address.
@Adding to the list
I can't vouch for any other LEAs but certainly all the schools in Northumberland are transmitting their data between between sites (within the LEA) securely. There are several methods in place for this (I wont go into details here) and one of the lesser used (because it hardly ever works properly and is a pain in the ass) is the DfES secure data transfer site. It requires a pretty secure password (so all the secretaries write it in their SIMS manuals for the time when they need to send data) to access an SSL encrypted site where the school can place files into the destination school's area of the site. The destination then receives an email to inform them there are new files waiting and they can log in and download them.
@ "If your management doesn't pay attention"
Have you ever tried to do this? I have, and it's an absolute minefield of grey areas. Quite apart from the fact that actually reporting anything to the IC is near-impossible at the best of times, once anyone says the magic words "fraud prevention" it's like "well no we need to supply all this data because, duh, they're the Good Guys - what's your problem, do you have something to hide?"
public responsibility to fess up all the crap
calling all public employees: its time to dish the dirt on all the crap that the government (along with its shoddy outsourcing program) is doing to the country with its pathetic ability in IT.
...is that I am so disillusioned with any British bureaucracy that I am actually not surprised by these revelations.
I already know that the DVLA give out details to pretty much anyone with £5 and a vague reason. NHS trusts always seem to be in the news for lax data security. The Inland Revenue's own auditors apparently can't even sign off their department's figures because they don't know what they are. Banks leave confidential data in bin-bags on the streets. Even if you're added by mistake, you can't be removed from the DNA database. In fact, I can't think of a single Government Database which is a shining example of efficiency, security and best-practice. How can these self-evidently incompetent, blame-dodging, bunch of numptys think they can keep blaming junior staff who, inexplicably, have unfettered access way in excess of their position? And how can they seriously expect us to think it will somehow be better when ID cards are introduced? It beggars belief!
But is it better in Europe? No, the EC's auditors have again refused to sign off the whole of Europe's accounts due to endemic corruption...
I work for a local authority. Apparently we have a data protection guru (official title - Data Protection Expert!) who advises on all aspects of information security and data protection.
Nobody knows who they are.
That's some guru!!
Mothers maiden names ......
Just had an significant thought there, what with this being child benefit records and all, surely there will be a big chunk of data relating to childrens' mothers maiden names.
If this data did end up in nefarious hands perhaps it will rear it's head in 15 or so years when children listed open bank accounts etc....?
Don't worry the discs will turn up as a free give away with The Mail on Sunday
Why can't we accept human error and be reactive as well as proactive
The majority of the fire service's activities are based around prevention rather than cure. This is perfectly sensible but there are still fires that they have to put out, people cut out of cars and cats recovered from trees.
There are all sorts of proactive ways to 'ensure' data security on computers or other devices but let's face it computers and their data are stolen. This can not be denied, all over the modern world. When this happens it is not good enough to blame a junior official or to dissect internal procedures. Somebody has to react. In the recent case of the HMRC disks then the police are now scraping around in landfills, hoping for the best. But with computers, in particular mobile computers, this needn't be the case.
A stolen laptop can be located anywhere in the world that there is a mobile phone signal (quite some estate) and before a potential data thief can start probing the contents the data can be deleted to US Department of Defense standards (seven sector sweeps). Surely this method provides a level of reassurance not previously available.
I have seen companies such as Virtual Network Partners who claim to be able to offer a similar service to this. There is more information at www.virtualnetworkpartners.eu
- Game Theory The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?
- Intel's Raspberry Pi rival Galileo can now run Windows
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft and HTC are M8s again: New One mobe sports WinPhone
- Worstall on Wednesday Wall Street woes: Oh noes, tech titans aren't using bankers