A hard drive containing personal details of three million candidates for the UK driving theory test has gone missing from a "secure facility" in, perplexingly, Iowa, Transport Secretary Ruth Kelly has told the House of Commons. The hard drive went missing in May, but 'only' includes name, address, phone number and email - no …
Imagine data leaks from the Govt are the size of tennis balls in a container ship. Annoying, yes - and potentially disastrous if there's enough of them and they're left unattended.
Then again, the private sector car sized holes all over the place are a *lot* more dangerous. No bank, insurance company, telecoms agency, debt collection agency, airline etc with databases inside and outside the UK\EU could *ever* honestly say they haven't mislaid such info - or at least broken DPA laws regarding e-borders.
How many of them would even *know* an errant contractor had done an "offline backup" and "forgot" to give it back.
Not that I've *ever* done such a thing, or other enterprise DBA mates of mine....
Plain Dumb, Blinkered or Conspiracy?
Anyone else wondering why the most basic questions never seem to be asked by either the opposition or the media, like "wtf was the data doing there!?!". Credit to The Register and let's hope someone somewhere can bring it to the attention of the general public.
I'm from Iowa
Pearson has a big test processing operation here. Why, however, they would find it necessary to send UK driver's test results to Iowa is beyond me.
Why would the States be interested in our drivers ?
Just in case any of our plucky citizens try to drive to the States, of course.
So, New Labour banging on about creating British jobs for British people - and then, apparently, half of those jobs going to migrant workers.
Then jobs like sifting DSA records for which there is no good reason for them not to be contracted 'locally' going to the US.
This isn't an Anti-US/Anti migrant worker thing, it just made me snigger a bit over my morning cuppa...
Why send it to Iowa?
Because that's where Captain Kirk is from, and UK.gov's information policies are developed by people who think Star Trek was a touch pessimistic. It is instructive indeed that _even Star Trek_ has episodes about aliens hacking into their computers and filling their boots with important information.
Sorry to attempt to be reasonable here, but is it possible that Pearson simply transferred this data from their UK facility to their Iowa facility as a form of off-site backup? Not such an unusual scenario in my experience.
Outsourcing is the way forward
It allows you to make even bigger cockups, while pretending to save money.
EU Data Laws
Isn't there some restriction on processing of personal data outside of the EU? I'm too busy/idle to refresh my memory, but I'm sure someone can interject with their expertise?
well according to the news last night, the minister responsible, Ms Kelly, has apologised
so that's alright then
that makes it all so much better
before i was really worried about my personal details being somewhere in the states but i feel so much more reassured and relieved now that she's apologised and made it all better
i can sleep soundly in my bed tonight knowing that Ms Kelly feels sorry about it all
I believe the DPA says something along the lines that personal data may not be transmitted outside the EU unless the recipient country has adopted adequate data security laws of its own, or the data subject has consented.
I'm not exactly sure how compliant the US is with EU data protection law these days, but something tells me that it's probably not enough for DPA purposes.
Re: EU Data Laws
There's supposed to be a "Safe Harbor" (sic) agreement with the US whereby US corporations promise-cross-their-hearts-and-hope-to-die to process exported EU data to EU data protection standards. Personally I suspect that, like all agreements made with the US, it's not worth the paper it's written on.
How about a campaign to make it illegal to export anyone's personal data from the EU without their express permission - and also make it illegal to require anyone to give such permission as a condition of access to goods or services? Will never happen of course as it'd kill offshoring stone dead.
I'm not being mindlessly anti-American here - I'm even married to one.
New register channel
Given that every day seems to bring another confession from a govt. minister that they misplaced some of our data, can we have a new 'data-loss' channel on the register?
There are enough articles on this than almost any other subject at the moment!
Doesn't it smack somewhat of hypocrisy (let alone stupidity) for uk.gov to big up exporting our "ICT" services to the world, and then themselves consistently contract out all their data processing to US based contractors ?
Or is that just me ?
I mean honestly, is it so hard to find UK firms who can do this ?
Pearson...a great british company.
"Pearson VUE is the trading name of Pearson Driving Assessments Limited, a company registered in England and Wales with registration number 04904325, whose registered office is located at Hellaby Business Park, Hellaby Lane, Hellaby, Rotherham, South Yorkshire S66 8HN. VAT No GB 830 0666 55"
Although that's actually a LIE as Companies House lists their registered address as:
Which is the rather beautiful Shell Mex house (http://en.wikipedia.org/wiki/Shell_Mex_House) where 'most of its floors are occupied by companies of Pearson PLC'. The intricate web of shell companies, holding companies and trading names always makes things difficult to follow in modern business. Pearson have dabbled with many things in their time (they started as a construction company) including BSB, and are currently listed as 'media conglomerate' although printed media (books) is still their forte. They own Penguin books, the Financial Times, half of the Economist, a number of 'testing' companies and, perhaps most importantly, they own examining board 'London Qualifications Ltd' (formerly Edexcel) so between that and their publishing interests they are (or could be) almost in complete control of educating a large percentage of British children.
So why would they want data on a few million young British consumers? I couldn't possibly imagine.
@ The Other Steve
"I mean honestly, is it so hard to find UK firms who can do this ?"
What, massively screw up and fail to adequately secure people's personal data? Sure, we have plenty of firms that can do THAT. Maybe we could turn losing data into an export market. Thoughts?
@anon re: re: EU Data Laws
I guess like the Constitution and US domestic law, international agreements are all sacrosanct until someone plays the PATRIOT Act card and everything then seems to become null and void. And as we're foreigners that's probably enough in itself to invoke PATRIOT as that makes us potential terrorists.
wocka wocka WOCKA WOCKA.....
It should be kept in the uk
I'm sorry but in my very humble opinion I feel that such things like this should have been kept in the UK. It's bad enough that government data is going missing on a very regular basis but when the data's going missing in other countries it's just a slap in the face.
There's a growing trend towards outsourcing which does nothing but harm the UK, keep the UK jobs for UK citizens, and for god's sake adopt sane and proven data security measures.
AFAIK, the DPA says that you can't send personal data to countries that don't look after it properly. By the word of British law, no personal data should be kept by HMG of Britain.
I'd trust porno.com with my credit card details before I'd trust the British Civil Service with them.
Who ever said...
...we have no manufacturing industry left?
We export millions of pounds worth of personal details every week!
Can I sue?
As this is a private company (registered in the UK), should they not be held accountable by the Data Protection Act? Will there be a test case?
It went missing in May, it's now December. Why has it taken 7 months for us to find out?
I think if it wasn't for the recent publicised losses we wouldn't even have heard about this one
Warm fuzzy feeling....
I am one of those affected by this since, even though I am 35 I have taken my theory twice since 09/2004. My favourite comment was in the Guardian Unlimited report this morning;
"Whitehall officials argued that most of the data is available in telephone directories."
Yeah, that's why I am ex-directory and signed up to TPS and MPS... thanks guys!
Re: hang on
You probably have it right there. The loss was known to Stephen Ladyman, who was then a minister at the Department for Transport, last June, and he'd agreed a review with Pearson. Ruth Kelly however wasn't informed when she took over, and is said only to have heard about it via Gus O'Donnell's review of procedures, which was set up as a consequence of the HMRC debacle. We're surely hearing a lot of stuff now simply because nobody will risk the consequences of keeping quiet about it and being found out.
Even more basic problem
The data structure is clearly poorly designed. The driver number is a guid so all that needs to be kept is guid and test info. Personal details should be held on a separate time limited basis for immediate communications only.
Data Protection 101 - if you don't need the info don't keep it then you can't lose it.
Once everyone's data is out in the wild and the fraud becomes too big to combat, they'll push for an ID database to prevent it.
Who's betting we see a lot more fake IDs and fraud in the next couple of years?
Whatever happens, I'm not registering. It really is that simple.
The genius way that the Driver number is generated is a risk in itself, armed with just that you can easily work out the driver's surname, initials and date of birth.
80 The Strand
...Is where Dorling Kindersley / Penguin (a Pearson group subsidiary) are now housed. Sadly, I got the boot (along with the rest of the multimedia division) just before they moved there. This icon almost looks like a dead penguin.
@ John Lettice
... explains why a few of my posts have vanished into the ether m8 - thanx.
not a big issue?
So what can be done with
A first and last name,
A house address
A phone number and an email address...
times 3 million.
I'm pretty sure that that amount of information is more than enough to start an op of some sort.
Maybe first start with a mail shot including a survey of what banking service people use, have a list of banks and such like (have it as a customer satisfaction survey, what bank, how do you find their customer service etc etc etc)
Now assuming a meager 10% return you now have above details + bank service name.
ooook ay - now we could use the list to harvest some more information - favourite animal, colour, mother's maiden name, favourite numbers, so on so forth. Before you know it you've got 750 thousand reasonably good profiles for extensive phishing raids not including the 300 thousand or so you have actual banking knowledge of (do they use online banking, do they use mobile banking, yadda yadda yadda, do they use phone banking.)
Hey you could also do some phone phishing once you've harvested some of the above details - "Hi is that Mr xyz, I'm calling from "insert your bank name", in order to confirm my legitimacy I shall give you some of your security details, your mother's maiden name is "xyz", your favourite colour is "xyz" and your home address is "blah blah." Could you in turn confirm your account number and the security code on the back of your card?" Out of 100,000 maybe you get 1,000 results from the phone phishing, maybe more. Plus pick up some passwords on various harvests, you should be well away.
Course you can also sell all the mail addresses to spam houses at the same time.
Jeez there are a lot of ways you could capitalise that kind of data.
I think losing that kind of data is pretty darn damning.
These are the same guys that botched the scoring for numerous high school standardized tests (used by colleges to grant admission to students). They totally misscored the tests and many, many students did not get their rightful college of choice or did not graduate. Their reason???? The "moisture" in the air caused the answer sheets to expand and not be properly graded.....
Seems like the moisture in their brains got sucked out!!
@the other Steve
Unfortunately there are no UK firms with anything like the capacity or capability to run an e-testing service on the scale of the Driving Theory Test, and frankly if there had been Pearson would have bought them by now. There are a number who have the expertise in testing and some who have the infrastructure and management capability, but none with both. The next biggest testing service that I'm aware of piggybacks on someone else's infrastructure and is far less technically sophisticated.
So the only alternative would have been to go back to yer Capita or EDS types and build a bespoke service at umpteen millions of ever-expanding pounds for something which arrives late and unusable [and leaks personal data everywhere]. On the whole, Pearson did a pretty good job of taking on the contract in under a year from the previous contractor, and have run it quite efficiently.
The data will be in Iowa because the UK testing business is pretty much just sales and stakeholder management. They are entirely reliant on their US psychometricians for expertise and the necessary statistical analyses which are used to validate the test. It's likely the personal data would be used to look for weaknesses in the test for particular candidate groups - age, ethnicity, postcode, etc.
.... clearly get in the way of a good rant. However, let's step back and take an objective view.
Loss of "personal data" which for the most part anyone could get from the Electoral Roll or, if you're feeling bone-idle, from BT's online Directory Enquiry service is hardly the security breach of the day. We're talking about name, address and phone number. Hmm..., I'm sure that's what I saw last time I flicked through my local phone book. Maybe there should be alarm expressed that BT are leaving people's "personal data" where anyone might find it. Quick, get the Information Commissioner on the phone right away!
And why this data is in the American Mid-West - well, maybe as a prudent contractor Pearson VUE / Pearson Driving Assessments are backing up their data off-site (as any basic BCP would recommend as an absolute minimum) and maybe that's where their worldwide data hub is located. But of course that would tend to pooh pooh your average conspiracy theory - and of course it's too obvious an answer.
And the smoke and mirrors of different company names... um, let me think about this particular conspiracy. Maybe the clue is in the name. Maybe the connection is "Pearson"... well, no sh*t Sherlock, did you work that one out all by yourself?
And A. Coward's "totally misscored the tests and many, many students did not get their rightful college of choice or did not graduate." is not entirely factual, is it? True, the comment appears to be based in fact but it's given to maybe just a smidgeon of hyperbole?
Re: The Facts
Here are some facts for you:
I took a driving theory test during the affected time frame. My details have therefore been lost.
Our phone line is not in my name and the line is ex-directory. Therefore my Name, address and phone number is not available on BT's website.
I am on the electoral register but opt out of being on the edited version supplied to marketing companies. Therefore my name and address cannot be found by just anyone using the electoral register.
My email address has never been anywhere near the electoral register or any of BT's databases.
A driving theory test pass is only valid for 2 years. I took my theory test over 2 years ago and have also passed the practical test. Therefore there is no longer any reason to keep any details of my theory test.
Backing up off site is recommended practice in case the entire site is hit by a disaster such as fire or flood. Off site need only be ~100 miles away. Any further is of negligible benefit. Therefore there was no reason to keep the data on another continent.
If you don't think you'd mind having such data lost then why not post your real name, address, e-mail address & phone number to this site? Or is Aard Vark your real name?
Why a HDD?
Just out of curiosity, maybe missing something obvious, why would they do a backup using a HDD? Why not use the wonders of modern technology and transfer it across the ether to a secure storage site?
And also, why are people blaming the government for this? Sure, they outsourced this but they haven't physically had anything to do with it this time. Seems a little odd to blame them for something they had no control over. Unless this is an extension of the butterfly effect...
@ Why a HDD
AC - are you a Government Minister?
"It wasn't me it was the contractor" is one of their standard get out of responsibility phrases.
Q: Why would the States be interested in our drivers ?
A: I, a native of the States, am particularly interested in 4 of your drivers. 1) Clarkson, 2) Hamster 3) Capt. Slow and 4) The Stig
And for the love of all that is holy: DO NOT MAKE AN AMERICAN VERSION OF TOP GEAR!!!
Hmmm...no car icon here so we give The Stig a go sign.
@ CM and Government ministers...
No no, just a normal guy. I don't deny that it is a stupid idea to outsource things (however necessary it can be sometimes), and in this case it wasn't necessary at all, but it doesn't detract from the fact that the government had nothing to do with this case. This is something that happened hundreds of miles away in the US, managed by a company who was given responsibility over the data - seems fairly evident therefore that they are accountable.
However, my point, which was missed, was why were the details sent on a HDD? Surely with the wonders of today's world it would be safer to massively encrypt the data and transfer it across the ether within thousands of separate packets. Surely that is the way to transfer any sort of critical data that requires backing up to an off-site store rather than carrying it in bulk on something that may go missing.