In a major coup in the government data loss stakes PA Consulting - which until Monday was one of the Home Office's favourite consulting outfits - has contrived to lose the entire prison population of England and Wales. Personal details of the 84,000 people behind bars, along with those of 10,000 prolific offenders, have vanished …
How hard can it be?
For a clause in the contracts to include punitive damages should data loss occur. In fact, it shouldn't be on data loss, it should be if the data is allowed to leave the network of the minister's mate ^H^H^H independent consultant's network. This would cover USB fobs and laptops that leave the office.
I'm willing to bet that "processing purposes" means fannying about in Excel and the like. It's not as though there's a skills shortage for Excel fiddlers, so how is it that it's a case of "the transfer of further data to PA has been suspended pending an investigation", rather than "PA has been dropped (from a tall building) and will not work for the state until it proves it has got its arse in gear (or has separated it from its mouth)"???
It's not a memory stick ffs!
I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them. It saddens me that this ambiguous misuse has extended so far as to be used on El Reg of all places! Okay, maybe the Wikipedia-reading public requires a disambiguation at the top of the page (see: http://en.wikipedia.org/wiki/Memory_Stick), but really, aren't you supposed to know better?
(Unless, of course, it really was a memory stick... but why would they do that?)
What worries me
is not the loss of data but this statement from the BBC website:
"The data on the stick also includes information from the Police National Computer of some 30,000 people with six or more convictions in the last year."
Have I read that right? 30,000 people have six or more convictions in the last year. How the hell does someone tot up six or more convictions in one year?
Mine is the one with its pocket being picked.
What were they doing?
Can anyone think of a good reason why an entire database should be dumped on to a memory stick?
Have these people not heard of database servers? They're really cool, they have security and can be backed up and everything!
If I were the IT manager for one of these outfits I would disable the USB ports on all machines I think.
The UK Government and its contractors
are not fit to run a bath, never mind the remains of a great country.
Sheer Utter Incompetence
This is just yet another example of utter incompetence by this Government.
"Lost" laptops by the MOD, "lost" CDs of data by the NHS, HMRC, you-name-it department.
This is unforgivable, not the fact it's data from HMP, but that this type of thing happens so frequently.
Surely I have a case to go to the European Courts and claim compensation for the Govt putting my personal data at risk?
What is the difficulty here? It's OUR data and they are playing with it like it's nothing.
No wonder there is so much ID theft.
Paris, because she would never treat her "data" like a toy.
Update please ...
We need the story updating! Where is the Home Office comment that if we all had biometrically secured ID Cards, this sort of data loss would be completely immaterial, and could be allowed to become commonplace without inconveniencing the government in the slightest?
We also need a "biometric ID solves everything" icon, so it will have to be helicopters instead.
"a secure format"
That'll be a passworded Excel file then :-)
As an IT Contractor myself...
I'll start by pinning my colours to the mast by saying that I have never voted for Labour and am unlikely to.
The media seem to be having a field day with this news item and IMHO it is certainly a serious loss of data, BUT should we be automatically blaming the government?
In my opinion the responsibility lies with both the consulting company and the individual concerned.
Even if the relevant gov dept passed the data on a key fob in unencrypted form, I still believe that the recipient has a responsibility to look after the data in a responsible manner.
Paris, because she can see my usb stick any time
There are just so many things wrong with this that it's hard to know where to start.
ID Card development?
Downloaded "for processing purposes"?
PA Consulting sacked for breach of contract?
PA Consulting prosecuted for breach of RIPA or DPA?
I despair. I really do despair.
The time has come to consider that apparently losing personal data in this manner is a deliberate policy of the government...
They have made SO much noise about ID cards and the wonderful database that will support them that they cannot back down without a very good reason. But we cannot afford both ID cards and the Olympics - one has to go and it better be ID cards because nobody wants them and cancelling the Olympics would be a career limiting decision.
So, pretend that the government and all its friends in the IT business leak like sieves and there is suddenly a good reason to postpone or cancel ID cards which doesn't look like a policy U-turn...
Why oh why don't they get it
Is it just me, or is it just common sense to protect this type of data? Policies, standards, laws and contractual obligations don't even come into it. It's sensitive data, so protect it. FULL STOP FFS
It's the same as protecting stuff like the PIN number for your own bankcard. It is just SOOOOOOOOOO simple it's a joke when stuff like this happens again and again and again. A lot of people should be sacked for this kind of balls up.
On the bright side I wouldn't mind being a contractor charged with sorting it all out.....chi ching as the cash rolls in.
Paris, as she certainly knows how to handle her sensitive details ;-)
Well, that puts the ID Card project to bed then..
Out of interest, any signs of established and monitored ISO 27001 compliance?
If yes: how could this happen?
If no: why are they allowed this work?
In either case: how did they ever pass those NAO audits?
Watch for the Home Office to make some knee jerk extra law while the media topic is hot.....
You know, Jacqui will be out there doing the 'oh won't someone think of the children' act and proposing some quick fix she hasn't thought through. Government for the hysterical housewife BY the hysterical housewife. :)
I've heard it reported...
that Plod is 'investigating' this.
Strange. I don't recall Inspector Knacker being called in over any of the other cases.
Is this due to it being the apparent fault of a 'consultant' this time round?
These data losses are getting to be two a penny. What I find surprising is that there are only 84,000 inmates. I blame the police, they are not doing enough to get the rest of the population behind bars.
new rule required
Government contractor + data loss = no more contract.
Since I am wishing for the extremely unlikely ...
Government agency/ministry/department + data loss = sacked minister
Or for the completely fanciful:
Data loss = disclosure (as legal requirement i.e. by Law).
Sensitive Personal Data
What's more, not just Personal Data but Sensitive Personal Data, within the definitions of the Data Protection Act.
And PA stands for?
When I worked for the Home Office we decided that the PA in PA Consulting stood for Piss Artist. They were a bunch of useless morons back in the 1990s and I see nothing has changed.
Re: It's not a memory stick ffs!
It may well not be a memory stick. I would hazard a guess that it most certainly is not a memory stick. However, the Home Office says it is a memory stick, and I see no purpose to me arguing the toss with them about that. You go flame them if you like, but leave us out of it.
And these are the idiots they'll trust with a National ID card?!
This is the ultimate argument against ID cards; forget the issues about privacy and the ability of the state to snoop on you; how you'd have to trust every government from now on with that much data on you - forget all those issues: it comes down to basic competence.
These incompetent fecktards are just incapable of imposing information security.
Do yourself a favour and get over to www.no2id.net and sign up.
I really despair about such security failures. Even the most elementary precautions would help.
Everyone in the chain of command from the individual responsible to the top of the organisation should be penalised for failing to implement appropriate security procedures.
Today's conspiracy theory
"In its capacity as one of the Home Office's favourite consultants, PA was the development partner for the ID card scheme"
Hmm, interesting. Wonder if the two are related?
Most likely someone's just pocketed the thing. They're easy to conceal. We have a ban on putting sensitive data on memory sticks for exactly that reason, encrypted or not.
But if someone in the PA office wanted to do their bit for Harry, England and St George by trying to undermine the Home Office's blue-eyed boy, this would be a pretty good trick to pull.
ID Theft? Excel? Shurley shume mishtake?
Should we take any joy in the notion that persons convicted of ID Theft have now had their own identities stolen? - ok, raises only a small titter...
As for the Excel spreadsheet, that seems a preposterous suggestion - I mean, 84K rows...
Obviously that means two spreadsheets...
Paris - cos she too has a record... I'd bang her up... more banality etc. etc....
Re I've heard it reported...
Plod (iPlod?) were called in when HMRC lost the two CDs last year.
Nice one. classic.
.....another government initiative of reintegrating lags back into society,
This new "scheme" is called ID FRAUD.
I was always told that crime didn't pay.
Now, it doesn't have a choice; the first it'll know about it is when it gets declined and it realises its overdraft limit is reached.
@ I've heard it reported...
I seem to remember by law govt. departments can't (won't) be held accountable for their misguided mislaying of memory sticks. Culpable contractors and consultants on the other hand will be.
It'll all blow over, then a few months down the line the consultancy will be straight back in Mandelson style.
I hope their public liability insurance is up to date.
Typical home office.
These are the people who constantly tell us they are able to defend our country against security threats.
Please stop blaming the contractor, it is the Home Office's fault; they obviously haven't put any measures in place since the revelations about other massive losses.
IMO the only way to get public confidence back (IF they ever can) is to make it a criminal offence to lose data. It's a weekly occurrence in government now that a minister stands up, says it's not our fault (Venus is out of alignment with Saturn, or some such excuse) and we will put in place stiffer measures (which hasn't happened in 2 years).
There is absolutely NO, I repeat NO, reason why this or any other data had to leave its place of residence. The contractor should do his work on site and obviously under supervision... for this very reason!!!!!
Even Paris beefed up security after her data loss.
And they are not using encrypted USB Flash drives
Excellent timing by the contractors to lose this data just 4-6 weeks after 7 (yes 7) Data Handling Reviews by the Gov.
The Burton review (MOD)
The Coleman Report
Data Handling in Government (Scottish Gov)
Data Handling Procedures in Government: Final Report
The Walport Report
The IPCC Report (HMRC)
The Poynter Review (HMRC)
Nice to know that the Home Office and its contractors haven't bothered to read or adopt any of the recommendations within these.
I think that was the first genuinely funny reason for the Paris icon that I've ever seen on a Reg comment. Awesome.
The police are doing their jobs, Curfews not counted
"What I find surprising is that there are only 84,000 inmates. I blame the police, they are not doing enough to get the rest of the population behind bars."
Nah, the police are doing a fine job; they got a whole town to imprison itself for a nightly lockdown, and none of that lot are counted:
No messing there, they got a new power to issue anti-social behaviour orders without judicial checks, and suddenly they have the power of 'voluntary' curfew..... sure it's 'voluntary' but if you don't 'volunteer' we'll use one of our police state powers against you citizen.
Curfew in Britain, I never ever thought I'd see curfews in Britain in peace time.
"How the hell does someone tot up six or more convictions in one year?"
Arrest burglar. Burglar's home has much loot in it. Burglar "asks" for 74 other offences to be taken into consideration.
LOL. You couldn't make this stuff up. "Trust us with your data, we know what we are doing". "If you've done nothing wrong you have nothing to fear".
So we've all had a jolly good steam out of the ears rant about this.
Back in the old days, users would be sitting in front of a terminal on a mainframe - the data was back in the computer room. Data loss was rare, because it was only physically available in the datacentre.
Today we have various security models, with data slooshing round inside various security domains. In many situations, there are lots of users within some pretty large area with perimeter security - and this is the only security level. In this case, it would appear that a standard PC was inside the security domain where the data was available in plaintext.
We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data. If some Excel jockey wants to play with the prisoners' details, this should be done on a machine in the datacentre to which he has a view - there are now plenty of appropriate technologies.
As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick.
re: As an IT Contractor myself...
But this is how the governments of the west manage to do things they aren't allowed to do.
E.g. can't spy on your citizens? Pay a company to do it.
In this case, the government can screw up in any way they need to and just say "we are instituting new measures so this won't happen again" and hope like heck people have forgotten when it happens again. Better is to outsource it to a business: you can then blame them for your incompetence.
Let's blame Brown
I know there's an argument that the PM isn't directly responsible for this, but in a way he is, and it's great fun to see him squirm. Brown, you big fumbling plonker, look what you've done now!!
It's about time these sorts of errors were criminally accountable
Perhaps the threat of some jail time would make some of the suits pay attention to things like encryption and physical security.
It works with Health and Safety legislation and posting false company accounts is a criminal offence so why not negligent loss of private data?
"How the hell does someone tot up six or more convictions in one year?"
Simple - Own a car.
94,000 files, probably a decent capacity memory stick then.
Probably full of porn by now, as I expect anyone at this PA place could just steal the data without 'losing' a memory stick (sorry, USB flash drive).
Paris: Do I really have to explain?
All these portable devices...
It's clear that organisations who handle data about people need one policy change, straight up.
You do not put other people's personal data onto portable computers or storage devices. Period. No special cases, no approval processes; you just don't do it.
First offence is disciplinary. Second is sacking. No, we don't care if you're the head of IT security. Sacking.
Bank workers don't take piles of cash home to count as part of their job, do they? The security-controlled data I work with doesn't move off its server: people know they can't have it on laptops, and they don't.
I have to say even though the data was lost by a consultant firm it is still the responsibility of those that gave the firm the data.
I'm sure MinJust knew this kind of thing was a common practice but ignored it out of convenience.
It's like knowing your bucket is leaky, giving the leaky bucket to a guy, telling them to get you water, and then cutting his head off for bringing back an empty bucket.
It's not just central government...everyone's losing data!
A couple of years ago a consultant working for Worcestershire lost a laptop containing that county's payroll database. Outside the county. The database was apparently encrypted...
The East of England Strategic Health Authority reported back in March of the loss of a UFD (I refuse to misappropriate the Sony device) containing the records of 35 patients, and printed details of a further 25 dumped in a bin.
Also in March, HSBC managed to lose a CD containing customers names, dates of birth and insurance details.
Back in October, Queen Mary's Hospital in Sidcup somehow lost 25 years worth of employee information stored on microfiche, together with the reader. Leeds Building Society also lost employee records when it relocated its HR department.
A survey by The British Chambers of Commerce covering e-crime and businesses in the UK found that 19 percent of the 3,900 businesses that responded had suffered data loss because of a virus and 8 percent reported having laptops stolen.
Which brings me onto another question. When organisations lose "encrypted" information, would they mind telling us how strong the cipher was? Theoretically you could claim a ROT-13 transformation is encryption, and the ciphers used by MS Office and previous versions of WinZip were notoriously easy to crack...
Fire, because you can be fairly certain data lost in the process can't be reused by people with malevolent intentions...
Wow, I'm impressed!
Your guys may just be as incompetent as ours on this side of the pond. And that takes some high ranking, tenacious idiocy; by no means a small feat. I'm impressed.
That's a good one!
Securing data is not genetic engineering...
... sorry, rocket science is too simple now.
Here are a number of measures which SHOULD be made compulsory wherever government-held information is used.
- Put a robust RFID chip as an integral part of each official USB flash drive.
- Put shoplifter-type security (or even make it prevent operation of the turnstiles) on all exits in secure facilities.
- Do not use generic RFID tags; track specific tags (to stop someone identifying a secure USB device as the holder walks around a shopping centre).
- Have Official USB flash drives tracked, and holders made responsible for their loss.
- Do not allow official flash drives to be held for extended periods.
- Have a specific process to allow tracked USB flash drives to be removed from secure sites.
- Change the USB ID on the official drives so that they do NOT appear as a generic storage device, so it becomes more difficult to read on ordinary PCs.
- Put the required driver on all systems required to use the official stick, and have it use automatic strong encryption as the data is accessed.
- Don't allow the specific driver to be installed on non-official PCs.
- Regularly rotate the keys on the specific driver and flash drives (this can be done with the flash drives by making holders regularly check the drives in).
- Clean all data from checked in flash drives when they are checked in to prevent people from using them as a backup mechanism.
- Ban the use of personal USB flash drives (or the use of phones or watches, or whatever else provides this type of function) from secure sites as part of policy.
- Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs).
- Enforce the already existing GSI Security requirements for all government held data.
I'm not saying that this will make our data totally secure, but it would be a step in the right direction. It would prevent casual examination of misplaced devices. It would not stop a concerted attempt to steal data, but what would?
Very little of this is particularly complex or expensive, as most of the barrier security and procedures already exist in secure government locations.
BTW, this counts as Prior Art in the unlikely event that I am the first person to put all of these ideas together.
How do they know that they lost it?
I mean, it's possible that they found out they lost data. Somebody can come in and say to their manager "Whoops, I lost that pen drive you gave me, I think I left it on the bus..." But honestly, it would be so easy to take this data without anyone knowing that you wonder how anyone could get caught doing this deliberately. Or even how long the company took before they gave up looking and admitted it to the government. A pen drive could so easily be down the back of someone's sofa. The conclusion, I guess, is that it's actually quite possible someone wants it to be known that data has been leaked, in which case we should be asking who benefits?
Paris, because she knows all about "accidentally" leaking private data.
Just as I was building up to demanding that this latest Home Office debacle should lead to Jacqui Smith finally doing the honourable thing & resigning, I find it's actually Jack Straw's dept.
USB memory devices
Unfortunately, they are just too useful.
Where I am, they have recently effectively banned their use, and have told everyone to use CDs to move data between discrete security zones, and to ensure that these disks are destroyed after use. Unfortunately (or maybe by design) there are actually very few systems with CD-ROM drives, let alone writers, on the secure networks.
This makes it extremely difficult to get things like UNIX patches, new products or bespoke released code to the systems that need them.
In order to get access to a secure machine room to put a CD into a drive in a physical server, it is necessary to have a documented change scrutinised by a weekly security board. The whole process takes at least 3 days, depending on when you realise you need the material. Compare this to using a flash memory device, which allowed you to just copy, remove, insert, and copy the material at will.
I trust you can see why government projects over-run, and are so expensive.
Here we go again
This time, it might just benefit us all if someone did publish the data on the net.
...but unfortunately it's the same fools who want national ID cards; well, hopefully that's dead & buried now.