For a clause in the contracts to include punitive damages should data loss occur. In fact, it shouldn't be on data loss, it should be if the data is allowed to leave the network of the minister's mate ^H^H^H independent consultant's network. This would cover USB fobs and laptops that leave the office.

I'm willing to bet that "processing purposes" means fannying about in Excel and the like. It's not as though there's a skills shortage for Excel fiddlers, so how is it that it's a case of "the transfer of further data to PA has been suspended pending an investigation", rather than "PA has been dropped (from a tall building) and will not work for the state until it proves it has got its arse in gear (or has separated it from its mouth)"???

I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them. It saddens me that this ambiguous misuse has extended so far as to be used on El Reg of all places! Okay, maybe the Wikipedia-reading public requires a disambiguation at the top of the page (see: http://en.wikipedia.org/wiki/Memory_Stick) , but really, aren't you supposed to know better?

(Unless, of course, it really was a memory stick... but why would they do that?)

is not the loss of data but this statement from the BBC website:

http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm

"The data on the stick also includes information from the Police National Computer of some 30,000 people with six or more convictions in the last year."

Have I read that right? 30,000 people have six or more convictions in the last year. How the hell does someone tot up six or more convictions in one year?

Mine is the one with its pocket being picked.

Can anyone think of a good reason why an entire database should be dumped on to a memory stick?

Have these people not heard of database servers - they're really cool they have security and can be backed up and everything!

If I were the IT manager for one of these outfits I would disable the USB ports on all machines I think.

are not fit to run a bath, never mind the remains of a great country.

This is just yet another example of utter incometance by this Government

"lost" laptops by the MOD, "lost" CD's of data by the NHS, HMRC, you-name-it department

This is unforgivable, not the fact its data from HMP, but that this type of thing happens so frequently.

Surely I have a case to go to European Courts and claim compensation for the Govt putting my personal data at risk ?

what is the difficulty here ? its OUR data and they are playing with it like its nothing.

No wonder there is so much ID theft.

Paris, because, she would never treat her "data" like a toy

We need the story updating! Where is the Home Office comment that if we all had biometrically secured ID Cards, this sort of data loss would be completely immaterial, and could be allowed to become commonplace without inconveniencing the government in the slightest?

We also need a "biometric ID solves everything" icon, so it will have to be helicopters instead.

That'll be a passworded Excel file then :-)

Is it just me or is this just common sense to protect this type of data. Policies, Standards, laws and contractual obligations don't even come into it. It's sensative data so protect it. FULL STOP FFS

It's the same as protecting stuff like the PIN number for your own bankcard. It is just SOOOOOOOOOO simple it's a joke when stuff like this happens again and again and again. A lot of people should be sacked for this kind of balls up.

On the bright side I wouldn't mind being a contractor charged with sorting it all out.....chi ching as the cash rolls in.

Paris as she certainly knows how to handle her sensative details ;-)

that Plod is 'investigating' this.

Strange. I don't recall Inspector Knacker being called in over any of the other cases.

Is this due to it being the apparent fault of a 'consultant' this time round?

Government contractor + data loss = no more contract.

Since I am wishing for the extremely unlikely ...

Government agency/ministry/department + data loss = sacked minister

Or for the completely fanciful;-

Data loss = disclosure (as legal requirement i.e. by Law).

When I worked for the Home Office we decided that the PA in PA Consulting stood for Piss Artist. They were a bunch of useless morons back in the 1990s and I see nothing has changed.

"In its capacity as one of the Home Office's favourite consultants, PA was the development partner for the ID card scheme"

Hmm, interesting. Wonder if the two are related?

Most likely someone's just pocketed the thing. They're easy to conceal. We have a ban on putting sensitive data on memory sticks for exactly that reason, encrypted or not.

But if someone in the PA office wanted to do their bit for Harry, England and St George by trying to undermine the Home Office's blue-eyed boy, this would be a pretty good trick to pull.

Should we take any joy in the notion that persons convicted of ID Theft have now had their own identities stolen? - ok, raises only a small titter...

As for the Excel spreadsheet, that seems a preposterous suggestion - I mean, 84K rows...

Obviously that means two spreadsheets...

Paris - cos she too has a record... I'd bang her up... more banality etc. etc....

.....another government initiative of reintegrating lags back into society,

This new "scheme" is called ID FRAUD.

I was always told that crime didn't pay.

Now, it doesn't have a choice, the first it'll know about it is when it gets declined and it realises it's overdraft limit is reached.

These are the people who constantly tell us they are able to defend our country against security threats.

please stop blaming the contractor,it is the Home Offices fault,,,,they obviously havent put any measures in place since the revelations about other massive losses.

IMO the only way to get public confidence back "IF they ever can" is to make it a criminal offence to lose data.It's a weekly occurrence in government now that a minister stands up ,says its not our fault (venus is out of alignment with saturn)or some such excuse and we will put in place stiffer measures (which hasnt happened in 2 years) in place.

There is absolutely No i repeat NO reason why this or any other data had to leave its place of residence.The contractor should do his work on site and obviously under supervision.......for this very reason !!!!!

Even Paris beefed up security after her data loss.

because?

Excellent timing by the contractors to lose this data just 4-6 weeks after 7 (yes 7) Data Handling Reviews by the Gov.

The Burton review (MOD)

The Coleman Report

Data Handling in Government (Scottish Gov)

Data Handling Procedures in Government: Final Report

The Walport Report

The IPCC Report (HMRC)

The Poynter Review (HMRC)

Nice to know that the Home Office and it's contractors haven't bother to read or adopt any of the recommendations within these.

I think that was the first genuinely funny reason for the Paris icon that I've ever seen on a Reg comment. Awesome.

So we've all had a jolly good steam out of the ears rant about this.

Back in the old days, users would be sitting in front of a terminal on a mainframe - the data was back in the computer room. Data loss was rare, because it was only physically available in the datacentre.

Today we have various security models, with data slooshing round inside various security domains. In many situations, there are lots of users within some pretty large area with perimeter security - and this is the only security level. In this case, it would appear that a standard PC was inside the security domain where the data was available in plaintext.

We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data. If some Excel jockey wants to play with the prisoners' details, this should be done on a machine in the datacentre to which he has a view - there are now plenty of appropriate technologies.

As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick.

Perhaps the threat of some jail time would make some of the suits pay attention to things like encryption and physical security.

It works with Health and Safety legislation and posting false company accounts is a criminal offence so why not negligent loss of private data?

94,000 files, probably a decent capacity memory stick then.

Probably full of porn by now as i expect anyone at this PA place could just steal the data without 'losing' a memory stick (sorry, USB flash drive).

Paris: Do i really have to explain.

It's clear that organisations who handle data about people need one policy change, straight up.

You do not put other people's personal data onto portable computers or storage devices. Period. No special cases, no approval processes; you just don't do it.

First offense is discplinary. Second is sacking. No, we don't care if you're the head of IT security. Sacking.

Bank workers don't take piles of cash home to count as part of their job, do they? The security-controlled data I work with doesn't move off its server: people know they can't have it on laptops, and they don't.

A couple of years ago a consultant working for Worcestershire lost a laptop containing that county's payroll database. Outside the county. The database was apparently encrypted...

The East of England Strategic Health Authority reported back in March of the loss of a UFD (I refuse to misappropriate the Sony device) containing the records of 35 patients, and printed details of a further 25 dumped in a bin.

Also in March, HSBC managed to lose a CD containing customers names, dates of birth and insurance details.

Back in October, Queen Mary's Hospital in Sidcup somehow lost 25 years worth of employee information stored on microfiche, together with the reader. Leeds Building Society also lost employee records when it relocated its HR department.

A survey by The British Chambers of Commerce covering e-crime and businesses in the UK found that 19 percent of the 3,900 businesses that responded had suffered data loss because of a virus and 8 percent reported having laptops stolen.

Which brings me onto another question. When organisations lose "encrypted" information, would they mind telling us how strong the cipher was? Theoretically you could claim a ROT-13 transformation is encryption, and the ciphers used by MS Office and previous versions of WinZip were notoriously easy to crack...

Fire, because you can be fairly certain data lost in the process can't be reused by people with malevolent intentions...

That's a good one!

... sorry, rocket science is too simple now.

Here are a number of measures which SHOULD be made compulsary wherever government held information is used.

- Put a robust RFID chip as an integral part of each official USB Flash drive.

- Put Shoplifter type security (or even make it prevent operation of the turnstyles) on all exits in secure facilities.

- Do not use generic RFID tags, track specific tags (to stop someone identifying a secure USB device as the holder walks around a shoping center).

- Have Official USB flash drives tracked, and holders made responsible for their loss.

- Do not allow official flash drives to be held for extended periods.

- Have a specific process to allow tracked USB flash drives to be removed from secure sites.

- Change the USB ID on the official drives so that they do NOT appear as a generic storage device, so it becomes more difficult to read on ordinary PCs.

- Put the required driver on all systems required to use the official stick, and have it use automatic strong encryption as the data is accessed.

- Don't allow the specific driver to be installed on non-official PCs.

- Regularly rotate the keys on the specific driver and flash drives (this can be done with the flash drives by making holders regularly check the drives in).

- Clean all data from checked in flash drives when they are checked in to prevent people from using them as a backup mechanism.

- Ban the use of personal USB flash drives (or the use of phones or watches, or whatever else provides this type of function) from secure sites as part of policy.

- Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs).

- Enforce the already existing GSI Security requirements for all government held data.

I'm not saying that this will make our data totally secure, but it would be a step in the right direction. It would prevent casual examination of misplaced devices. It would not stop a concerted attempt to steal data, but what would.

Very little of this is particularly complex or expensive, as most of the barrier security and procedures already exist in secure government locations.

BTW. This counts as Prior Art in the unkilely event that I am the first person to put all of these ideas together.

I mean it's possible that they know they find out they lost data. Somebody can come in and say to their manager "Woops, I lost that pen drive you gave me, I think I left it on the bus..." But honestly, it would be so easy to take this data without anyone knowing that you wonder how anyone could get caught doing this deliberately. Or even how long the company took before they gave up looking and admitted it to the government. A pen drive could so easily be down the back of someone's sofa. The conclusion, I guess, is that it's actually quite possible someone wants it to be known that data has been leaked in which case we should be asking who benefits?

Paris, because she knows all about "accidentally" leaking private data.

Just as I was building up to demanding that this latest Home office debacle should lead to Jacqui Smith finally doing the honourable thing & resigning, I find it's actually Jack Straws dept.

Damn.

Unfortunatly, they are just too useful.

Where I am, they have recently effectivly banned their use, and have told everyone to use CD's to move data between discrete security zones, and to ensure that these disks are destroyed after use. Unfortunatly (or maybe by design) there are actually very few systems with CDRom drives, let alone writers, on the secure networks.

This makes it extremely difficult to get things like UNIX patches, new products or bespoke released code to the systems that need them.

In order to get access to a secure machine room to put a CD into a drive in a physical server, it is necessary to have a documented change scrutanised by a weekly security board. The whole process takes at least 3 days, depending on when you realise you need the material. Compare this to using flash memory device which allowed you to just copy, remove insert, and copy the material at will.

I trust you can see why government projects over-run, and are so expensive.