"Rest easy, citizens, the data was password protected!"
Oh good, no worries then.
The Home Office has lost the names, nationalities, passport numbers and dates of birth of 3,000 seasonal agricultural workers on two CDs in transit to the UK Borders Authority. The incident, which took place in March, was reported to the Information Commissioner's Office but has only now been publicly disclosed in the Home …
All of the data transfers in our bank are set up and maintained by external IT contractors... I wonder!
Nope! You can't get away with blaming an external contractor for losing your data, you gave it to them without ensuring adequate safeguards were in place. Ergo your fault.
Your contractor giving it to the courier is exactly the same as you giving it to the contractor in the first place. You passed on the data to an insecure contractor, whether the insecurity was with the contractor or with a subcontractor doesn't actually matter. Otherwise you could just call the courier firm an external contractor and drop all the responsibility on them!
Your contractors have to field the responsibility for using that courier firm. In the same way, you have to field the responsibility for using an outside contractor that used the courier firm. No dodging it.
"This is not a Home Office data loss," said a Home Office spokesperson. "Contrary to agreed procedures, an external contractor sent two discs containing details of foreign nationals to the UK Border Agency by normal post when these should have been sent special delivery."
Well, pardon me.
A few years ago, my wife sent some student notes for a training course by "special delivery" as we were told that was THE way to DEFINITELY GUARANTEE they got there the next day.
When they hadn't got there in 2 days, we went to the post office to investigate and were told by their PR person "as far as I know they could be in the Outer Hebrides by now" (good PR, that !).
Although the solution to this involved an extra cost to us personally of over £100, the compensation we got was £2.95, the cost of the "special delivery" posting.
In case you wondered.. the "Special Delivery" package never turned up.
So, WHY are the Home Orifice RECOMMENDING sending sensitive data by "Special Delivery" ?
The alien, 'cos I'm beginning to wonder if they're running (sorry, screwing) the country.
Why do they not just pay an employee's fuel bill to take these from one place to another... then at least they will know who has it etc.
So why are they reporting it then?
Data owned by the Home Office. Data lost. So it's a Home Office data loss, innit?
Paris - cos her mobile phone book wasn't lost either. It was published all over the Net.
"This is not a Home Office data loss," said a Home Office spokesperson. "Contrary to agreed procedures, an external contractor sent two discs[...]
Yes, yes it _is_ a Home Office data loss.
The Home Office were responsible for the data and are therefore culpable.
As already mentioned, password protection is no defence against someone with access to the (presumably) unencrypted data.
The Home Office cannot be trusted with our personal data. I'm struggling to think of a single entity which _can_.
I've just had to look into this service.
It looks great!
You have to encrypt your emails with pgpdesktop 9.8, and email them. If they're over 6.5Mb you have to send them to a gmx.com address (obviously the Home Office's mail server can't cope with mails more than 6.5mb).
Then some bloke from the encryption service will ring you up for a passphrase.
Hang on, this is pgp, why not use the encryption service's public key.... No that would be too complicated.
The central encryption service will then DECRYPT THE MESSAGE and forward it to the appropriate person, or reburn the CD and put it in the internal post, where it will get lost.
Honestly you can't make this stuff up!
Posting anonymously to slow the black choppers....
What amazes me is how often this happens, not because I think the Home Office are faultless, but because I can't remember the last time I had something get lost in the post.
"We have worked closely with the external contractor to ensure that all future transfers comply with agreed procedures."
How fucking closely do you have to work in order to say "you're fired"!?
TrueCrypt the data, place the TrueCrypt install and the now encrypted data on the CD. Send the CD by Special Delivery, then somehow tell the intended recipient the passcode. AES256 encryption is magic you know...
But no... Password protected.. But still, it's better than nothing! But only if you use a long enough password....
Agreed - Posted anonymous due to the Black Hawks..
Lost in the post? One CD maybe, but bad as the post office are, most stuff that goes out does seem to get to within a few doors of where it was supposed to go.
I strongly suspected with the last loss that it came about something like this...
Manager: Did you post those CDs?
Junior Analyst: Of course! [sh*t I forgot]
Manager: They haven't arrived. What was the SD number? We'll find out where they are.
Junior Analyst: Ah, I er, sent them standard delivery. They must be lost in the post.
And with the fuss that's created, the junior wouldn't dare admit a week down the line that he forgot. Still shouldn't even be possible though.
Paris, because you can make up your own special delivery innuendo.
"and the contractor informed the individuals concerned."
So, the contractor has successfully contacted and informed the "3,000 seasonal agricultural workers" has it ?
(at least that's what I think it means)
Sounds pretty clever to me, especially since "seasonal agricultural workers" is often a synonym for "will work for half minimum wage, no questions asked, send wages to family in [insert country here]" !
Go icon, 'cos that's what the current government should do !
The real story here is that someone is handling thousands of migrant workers.
From a Certain Site:
Many economists also argue that unemployment itself is subject to hysteresis effects. Unemployment persistence is argued to arise from various factors that include demand deficiency and labour market institutions.
Behavioral economists attempt to measure the utility gain from obtaining an item, and the utility loss from losing the same item. With great regularity, the utility loss is greater than the utility gain, meaning that if a person goes through a complete cycle of gaining and losing, the person may be worse off than if he or she had never received the initial gain.
There is a massive danger to the lower echelons in any industry when the upper layer takes short cuts that cut them out of the system.
Someone bringing in 3000 workers is upsetting the apple cart. It is beginning to sound to me like this home office feature the secret service employs, is designed to hide an unwarranted feature of the landscape.
Mine's the one with the P 45 in it.
The data is passed over to the Home Office either in trust, or under legal compulsion, for its use. That the data was transcribed to a portable media and then lost in transit is the fault and responsibility of the Home Office. To imply otherwise is a misrepresentation of the truth through the contemptible use of sophistry and should be condemned - but won't be - by the Minister in charge shortly before s/he resigns. The dismissal for incompetence of the relevant HO officials should then follow - but it won't - in short order, as a lesson to others.
When will companies and ministries be compelled to have "data insurance" policies? (Public, Professional and Employers liability requirements insurance is the model) Those that handle data most insecurely will then be readily identifiable and will pay the price.
Actually, the mail servers can't handle anything over 5mb, let alone 6.5mb.
Anon, because I know they are reading this...
Your Home Office is just once again doing the ol' "cover your ass" thing, denying culpability for the fuckups that happen on their watch. Seems to be a habit of NuLaughter never to admit making a mistake of any kind, be it in important matters of policy or minor things like loss of personal data through sheer stupidity.
As usual, no one is held accountable. The Home Office points at the contractor, the contractor points at the Post Office, and the Post Office just ignores the whining and complaining.
But, aha, there's a paradigm to help us determine just which donkey to pin the tail on. (I hope El Reg readers are all familiar with the childhood game "pin the tail on the donkey.") Said paradigm is "the buck stops here" aka "ministerial responsibility."
Where is "here"? It's the desk of the man (or woman) at the top; to wit, the infamously incompetent twitess Jacqui Smith. She's in charge of the Home Office, so she is ultimately responsible for Home Office blunders. Time to demand her resignation.
If the loons of NuLaughter want the benefits of being the government in power, they have to accept the brickbats that come with the benefits.
Sadly, NuLaughter seems determined not to reconsider in any respect their drive to the conversion of England into a Bolshie-Stasi-Nanny state.
As my title says, tiresome. We've seen this kind of fuckup too many times now for any intelligent person to give even a moment's attention to official protestations of no-responsibility.
And too bad your Tory party resolutely refuses to play the political card "We stand for restoration of individual liberties destroyed by Labour ideology. We stand for undoing the establishment of the nanny state. Vote for us."
It's heartbreaking to see the country that largely originated the concepts of personal liberty and parliamentary democracy changed into the nightmare it has become.
Dead vulture as a memorial for dead liberties.
I'd say you got special delivery. So special, in fact, that nobody could find the bloody thing afterwards. :)
"why do they not just pay an employee's fuel bill to take these from one place to another.. then at least they will know who has it etc.."
Until they leave it sitting on the front seat of the car while they pop into the pub for lunch. They want to know if they can expense the new window, and the lunch.
Is there anyone left that hasn't had their data given away ???
There should be a fixed fine set payable to the people involved non-taxed for each and every data loss. In this case twice because:
A: If that's the best way the Home Office recommends, gawd knows what else they suggest.
B: The contractor should have known as a data handler it was wrong and shouldn't have agreed to it.
The total disregard for security beggars belief some senior civil servants/ministers need a serious kick in their pension funds.
But how many times can one dept screw up?? I mean I know it's civil post, but even here in the US, after your 20th screw up you're out. (I'm joking, because after the 3rd time data was lost would result in heads rolling.) I mean, is it that the average person in the UK doesn't care?? Please help me figure this out. I've read so many articles about UK gov agencies losing data so often, it's almost not newsworthy any more. I don't understand why people are not lined up outside their MP's office demanding answers.
Any reason why the data couldn't be transmitted electronically?
A desktop machine could heavily encrypt data very easily, and the encrypted data could be sent by the internet. If companies or the government are wary of it, then have a PC dedicated to the encryption and sending, and receipt and decryption of data.
Sending data on a CD seems ridiculously out of date and insecure.
Look at this report, it says crime is down, confidence in the police is up, people feel safer, terrorism is tackled, borders are secure, alcohol related crime is down, crime is down in high crime areas, like East Glasgow no doubt.
So why does nobody vote Labour?
All these surveys say people are happy with Labour, yet the survey that matters, the vote, say otherwise.
"The total disregard for security beggars belief some senior civil servants/ministers need a serious kick in their pension funds."
They don't even need computers. Philby & Profumo?
Let me theorise a little....
This is part of a concerted effort to make data loss less and less newsworthy. After a few more lost CD's and mislaid, lost or stolen laptops it won't be news any more, we will all become desensitised to such things and we will barely raise a shrug. News agencies will eventually ignore the data loss stories and report on the latest winner of Big Brother, Pop Idol or some pointless reality show instead. The government wish us the public to be as complacent about data loss as they are about data security. And if they continue to lose data at this rate they will succeed. There is method to this madness.
No I don't believe the above theory at all. Well, I don't believe it being a concerted effort.
Just see http://www.theregister.co.uk/2008/08/10/invisibilty_will_soon_be_within_our_grasp/ for the clue.
The first thing I thought when I saw the headline was:
"Why don't they just report when they HAVEN'T lost loads of data?"
Seems it would reduce the number of headlines...
From the BBC
"In her questions Baroness Miller has asked about the issues surrounding Phorm and the technology it employs.
In one question she asked if the government has issued advice to net service firms about getting consent for web-watching ad systems or what needs to be done to let people know their web habits could be monitored.
In response the government said it was up to net firms to decide if a service they provide was within the law. "
... and if it isn't, the legal authorities will do sweet F.A.
Only 3000 records, which is quite small by data-loss standards. And they're foreigners, so we didn't care in the first place.
<quote>This is part of a concerted effort to make data loss less and less newsworthy. After a few more lost CD's and mislaid, lost or stolen laptops it won't be news any more, we will all become desensitised to such things and we will barely raise a shrug. News agencies will eventually ignore the data loss stories and report on the latest winner of Big Brother, Pop Idol or some pointless reality show instead. The government wish us the public to be as complacent about data loss as they are about data security. And if they continue to lose data at this rate they will succeed. There is method to this madness.
No I don't believe the above theory at all. Well, I don't believe it being a concerted effort.</quote>
Or the news will be buried after the latest war in the Caucasus, negotiations in Zimbabwe, belly-flop in Beijing or whatever.
Don't imagine any other administration would be any better, the system of government is broken from top to bottom.
Gossiping wannabee Dr/MD health centre receptionists (is there any other kind) should be heavily encrypted or securely deleted before use.
MY PC is password protected too, corrrr my security is as strong as the Home Office!! ... oh, that means my security is shit. Still at least I'm not as stupid as that lot, I LEARN from my mistakes and others' mistakes unlike this repetitive lot. What muppet thought oooh let's send it on CD, I know millions of people's data keeps getting lost on posted CDs but hey let's do something different, send it on a CD AND password it! That'll make it arrive .... DUH! it won't get lost ... DUUH! and it's passworded so it's even safer ... DUUUH!!! Why don't they give important jobs to babies, they'd do a damn sight better job!
Never put down to malice what can be adequately explained by incompetence.
'You can't make this stuff up' gets right to the heart of the issue. Once is happenstance, twice is circumstance, dozens is dickheadstance. Any data held on anybody might as well have a 'help yourself' sign on it. I now realise why bureaucrats got launched from top floor windows on regime change in the Balkans.
Well I'm making up for you, just complained for the Nth time this year to Royal Mail over lost post, unsigned for post, delayed post etc etc. So far this year 4 "recorded signed for" put through my door without any attempt to get a signature, 9 lost letters; 7 incoming, 2 outgoing and one disappeared 'special delivery'.
Not bad in 8 months.
Why are they sending data by disk anyway?
Private non internet based networks aren't hard to create, even a p2p with a 56k modem dialing a phone number would be cheaper than a contractor, probably cheaper than the fuel tbh.
"Contrary to agreed procedures, an external contractor sent two discs containing details of foreign nationals to the UK Border Agency by normal post when these should have been sent special delivery."
No, no no NO NO!!
The discs should never have been burned.
Have they learnt nothing?
I buy things from eBay. Sometimes DVDs and CDs, sometimes memory cards, sometimes a digital camera. I also sell things. I have been doing so for years and the stuff goes by post. It always arrives OK.
IF, that's a big IF, these CDs went missing in the post then they were stolen. Which means someone went to special effort. Which means that they may also have stolen the password.
The other thing that occurs to me. Why put them on two CDs? Why not burn it onto a single DVD? If they can't manage DVDs then what's the likelihood that they can manage password protection? If they can manage password protection then why not set up a secure VPN link or something?
This is just another example of why we need a National ID Database, it will be so much more secure than CDs. (I mean the gubbamint will say that)