http://milibanddumbass.blogspot.com/

I Keep saying this, once each government department has "lost" all the details of all of it's "Customers" then the privacy campaigners wont have a leg to stand on when ID cards are introduced!

Pass me the TinFoil!

Yes maybe if someone invented some sort of cable that at one end had a loop and the other end some sort of lock. Then the cable lock end could pass trough or around something, say the seat hinge or spare wheel, through the cable loop and connect to the laptop, thus stopping any smash and grabs.

I just can't think of why no one has thought of this simple idea before....

One for Vince Cable, perhaps: "How many sets of personal details does HMG currently hold that it knows are still secure?"...

Paris (looking upset) because it's unfair to suggest that even she's that clueless.

We as a society have become so apathetic towards this kind of thing that they simply don't fear us anymore. We are not the empowered and informed members of society we should be. We are the impotent and weak being flogged to death slowly while being forced to watch through a rose-tinted lense.

To paraphrase a very wise man "Go back to sleep, England. Here's 27 channels of Britney Spears being a drunken idiot. Go back to sleep, England."

That any of the lost data has found its way into the hands of the criminal fraternity.

(But they are working on it. )

Just out of interest, why are these people taking laptops full of private data home with them, not enough hours in the working day?

You can have all the security in the world to protect your millions of customers, password protected and encrypted. As soon as it leaves the premises in the hands of a junior office worker, all that security means nothing and the government have to rely on that employee not making copies, sharing it with others (for profit or just to impress his latest girlfriend), unlocking the PC and walking away etc. etc.

Taking a laptop out of the protected, CCTV'd, passcard entry, firewalled office is the same as not bothering with that security in the first place.

You'd never see a bank allowing a cashier to take home a bundle of notes to count at home, so why is this data leaving the premises.

Neil Briscoe said it very clearly. Centralised DBs are the way to go. not decentralised data!

Getting my coat and checking my wallet!

This is shocking given the requirements the MoD expects everyone else to meet. I used to work for an aerospace company that did work for the UK MoD (not BAE Systems!), mainly for the RAF, mainly on the transport aircraft, and getting access to classified data was a real pain, you had to sign the Official Secrets Act, undergo security checks, background check, criminal record check, references, etc.

Even once that was done and MoD was happy you weren't a spy or a thief the computers used to access the data had to be in a separate room with the windows 'frosted' so people couldn't look in and see what you were doing, were not allowed to have any connections to the company networks (or the internet) and the hard drive was encrypted and had to be in a removable caddy. When you finished working on the classified data, it was encrypted, you shut down the machine and removed the hard drive caddy. This was then locked away in a big f**king safe, just to make sure someone couldn't wander along and pick it up.

And now I get to hear the genius' at the MoD happily wander around with reams of personal data they don't really need completely unsecured. Alright, the measures above are pretty extreme but how can a Ministry that requires them be so cavalier with personal data?

Security Guard at MoD: Oi! That laptop sir, does it have any sensitive data on it? You know, blueprints for the latest Astute submarine, access codes to GCHQ, that sort of thing?

MoD Bod: Nah, just the bank account details for some blokes who considered joining the Royal Marines a couple of years ago...

Security Guard: Oh, no problem. Here, let me help you with the door.....

Over there, the CIA say security on SCADA networks is a possible issue and a roomfull of brainless Sun-reading MS-worshipping PC know-it-alls say it isn't.

Someone says (paraphrased) "an externally owned visiting laptop connected to the SCADA network to 'help out' is a classic attack vector".

Seems Ian here has a bit of sense too: "a user ... helpfully ... hooking their laptop to the raw internet via dialup". In addition to the DSL line, the laptop might also be using a 3G phone (possibly invisibly connected via Bluetooth). It might be a visiting laptop allowed on to the "corporate" LAN - could even be an employee's laptop, with inappropriate networking settings "accidentally" left on. Can't be a security issue there, surely, 'cos you can't see anything wrong? Not till it's too late, anyway.

This is not intended as a smack on the MoD, and it probably is a norm in the whole public sector in general (at least here in the UK).

The premise is that people entrusted with responsibilities probably are very low skilled and much in deniance of that but rank or authority means that what is done is done. In other words one may have authority to do so even though there is an obvious lack of skills to support the basis to grant one to do so.

In short: the public deserves better, should have better and lots of public money (in the UK) is probably squandered as these events are indicators of the skills levels and practices within the sector proper. The security issue really is , in my opinion, a manifestation of mistakes that probably extend far, far wider.

In short: I am surprised that anyone is surprised.

Interim conclusion:

It is a manifestation of the Policy-Practice divide. Ideally Policy should drive practice should drive policy should drive .... but in effect for many organizations it is far more expedient to allow policy makers to do what they have to do in order to attract funding or pull down funding streams. Once that funding is there then Practice part of the organization can do what it want s without consideration or support of the policy part. I call that the Policy-Practice divide and it is the nightmare scenario of a Policy-Practice synergy.

Personal conclusion:

Organizations that demonstrate Policy-Practice divide should be stripped of opportunity to call down or pull down public funds full stop.

"There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The second policy would be to take some action to ensure the laptop was kept physically safe - so leaving such a laptop in an empty car overnight is probably not a good idea.

Assuming one or both of these steps were followed, the MoD could then use various types of technology to ensure the data was safe if the worst did happen and the machine was stolen - it could password protect the machine and it could encrypt the data."

So you're saying that if /neither/ of those steps were followed, the MoD could *not* then use encryption or set a password? Damn, that's just when I would have thought it would matter the *most*.

Did these paragraphs get mangled in some kind of hideous subediting accident, or do you really mean that it's only possible to set a password and use encryption on a laptop if it doesn't have any sensitive information on it and if it's not being left in a car overnight? As far as I can see, those various measures are basically independent and orthogonal:

- you can encrypt your laptop regardless of whether there is any sensitive data on it that matters if it gets stolen or not

- you can encrypt your laptop regardless of whether or not you take good care of it or leave it in a car overnight

and likewise for setting a password. I can't even make sense of that as saying "There's no point encrypting and setting a password unless you've taken more basic measures first", since in the lack of those first two steps, using encryption would have saved the day.

A little clarification needed here, perhaps?

amanfromMars icon, because the claim seems pretty ga-ga to me.

Who leaves a bloody laptop sitting in a car overnight???

"Oh, sorry boss that new laptop you gave me with all those bank account details on it, well it got stolen last night. Yeah my car got broken into and i'd left it sitting on the front seat. Well i thought it would be safe seeing as its outside my house and all."

Is someone looking into this "junior officers" bank account. Notice any large unaccounted for transfers yet? And even if he is clean, anyone that stupid deserves to be taken out back and shot - rid the world of one more imbecile!

"With preparations like this, we should all be more than ready to hand over our personal data to the proposed national ID scheme - after all, the data can't be that personal if the government has already given it away."

Or we could just not give them any data whatsoever, and just say we already did and they must have lost it.

In truth the recent spate of accounts demonstrate tip of the iceberg phenomena.

The declared stuff is awful - we can only guess at the undeclared stuff? UfI? learndirect...

I know plenty of people in the Home Office - nope it not encrypted most of the time when they move data around, and neither do the other companies mentioned in the press over the last year.

How about WE, the people, start to prosecute THEM, the Government, for their incompetence. After all they actually work for us, not the other way around, which seems to have been completely forgotten.

I know what's happening to our CDs they are being used by George Bush and co to hide all their secrets.

Why else would so many CDs disappear without trace? Either that or there is a mountain of them secreted about the EU.

Yet more go astray. And that is only from mid December:

http://news.bbc.co.uk/1/hi/uk_politics/7204399.stm

teacake by name, teacake by nature? :)

"but the ICO is still negotiating exactly how this would work"

Government ends it's exemption, or rather cop-out, from the DPA and funds the ICO properly. Then ICO investigates these losses and prosecutes the government/body/minister responsible - someone (senior, not a junior scapegoat) goes to jail and the rest wake up to reality.

Of course the government will do neither of these actions - because, to paraphrase, it's got a lot to hide !

The repetitive data losses by UK guvmint is like an insane G&S operetta. At the top you have a bunch of utterly clueless pols who parrot whatever is the fashionable tagline of the minute, and who appear to occupy positions of authority because it's PC to put them there, not because they know what the hell the job entails.

At the bottom, you have underpaid, demoralized grunts -- as someone said in a comment on another story, "pay peanuts, get <something>".

In the middle you have all those lovely senior managers hired in from the business sector; in my opinion, that's where the real rot starts.

The business world has managed to widely propagate the meme "business is everything, and someone successful in business is blessed by God." 'Tain't so. Success in the business world is generally due to luck and possession of a certain low animal cunning and in no way implies intelligence or skill.

That meme has a variant: "run the public sector like a business." What nonsense! The public sector is not a business: it's "customers" are captive, and it has no competition, unless it's false competition fostered by the idiots described earlier. Everyone seems to have forgotten that the original of this tagline/meme was "run the public sector in a business-like way", which is a horse of an entirely different color.

What was asked for was often nothing more than keeping proper accounts for the individual departments so you could get some sense where the money was coming from and where it was going. But this need was often dealt with by setting up Crown corporations (quangos in UK-speak), contracting out, and assorted other mistaken actions.

What's to be done? Nothing. If you don't like it, emigrate. The stranglehold that business has on life is irrevocable. Me, I'm going to hang out in my bomb shelter the rest of the day.

See, in the commercial, free sector an organization is accountable and that accountability has consequence.

When annual or periodic reports are published the free sector pitches in to buy or sell shares and the "worth" of an organization and its governance tends to be (in broadest generalities) demonstrated in its share prices.

They go up (peer group supporting good and robust governance) or they go down (peer group supporting poor or shoddy governance). It may be different across the pond due to non-standard accountancy practices much frowned upon over recent years.

As far as the UK goes that does not happen with publicly funded bodies.

Should your local school be in best management it will secure funding for next year.

Should that same UK school be in poorest management it will also secure funding for next year.

So, in real terms: why bother?

The budget will be the same, employees will be the same and there is no real difference between squandering or good use of public funds to many an organization.