The latest unfortunate UK government data leak - the escape of details of an estimated 5,000 prison officer and admin staff after private contractor EDS mislaid a sensitive portable hard drive - has sparked a strike threat by prison workers. As with last year's infamous child benefit data loss, the government department involved …
Working for a school...
I'm very concerned about the whereabouts of personal information held by the Govt on myself.
Day after day, I wonder why more people aren't expats.
And achieve what exactly?
Is this the unions just proving they are still relevant?
"It is a breach that we believe could ultimately cost the taxpayer millions and millions of pounds, because, if the information lost is personal and sensitive, it may well mean staff having to move prisons, move homes and relocate their families."
Um, no, EDS should pay.
Setting a cracking example.
Nationwide was fined a cool million for losing a laptop with customer data on it and not making every effort to protect that data. Since then the majority of financial institutions have employed full disk encryption (although not the one that has the outsourced contract from the old government paymaster general - yes, Xafinity, you know who I am talking about). Since the government has been responsible for the majority of data loss in the last year and not one single action has been taken I would be interested to know if companies who are not governed by the FSA are bothering to encrypt their data. I would imagine that unless there are demands from shareholders they will all follow the same example set by the government and be very lax with their customer data.
I am glad that the prison service are looking at positive action to raise awareness about this issue and I hope it's another nail in Nu Lab's coffin but it's still too late for all the child benefit claimants, standard life pension holders, service personnel, dependants of service personnel and everyone else whose data has been thrown out with the trash.
Recently prisoners' data was lost, so it's only fair that the jailers' data is now lost.
Totally irrelevant, I know, but....
....what's so special about July, and why was the data held on a portable/external disk? Are prison officers (and admin staff) only allowed to join/leave the service in July? I've heard of batch processing, but this takes the biscuit!
disks? disks? wut?
I don't understand.
Why do they keep moving things around on disk?
If you have a huge amount of information, you send it over the internet, and it probably still doesn't take as long as a courier job. If they are not doing that, why do they need more than dial-up at their office?
Oh wait! They need their Facebook (i.e. I publish my details publicly, so why are these people complaining when I lose theirs?).
If a system for intuitively sending data securely between departments does not work, perhaps the next pork barrel the government rolls out should be that. At least it will be useful. Plus maybe a few pounds to go and glue up the USB ports on all the computers.
"financial institutions have employed full disk encryption"
Er, maybe. RBS archived their credit card application forms (on paper?) to Graphic Data Ltd, who then stored them on computer, UNENCRYPTED. Around a million forms then ended up on eBay when the server was sold; you'll have read about it. The result is that those details are now circulating, credit cards have been compromised, offences of fraud and negligence have been committed, not to mention appalling customer service (RBS knew whose records were involved but didn't inform them or put an extra watch for "unusual" activities on their accounts, eg change of address, big spend, etc).
Is anybody paying for this incompetence and criminality? Yes, RBS customers are paying for it, even if they aren't directly involved, their money will be used to compensate those whose accounts have been compromised.
Is anybody going to be held personally responsible? Of course not, white collar crime doesn't matter, no one loses out, do they? This kind of crime isn't even a police matter these days, it's between the banks/credit card companies and their customers (what is the role of the industry trade association in matters like this?).
Lock 'em ALL up (starting with the RBS directors) till *one* of them admits responsibility. That might motivate them (and others) to start taking security more seriously; nothing seems to have really worked so far (INCLUDING the fine for Nationwide).
ID: Database backup provided
Will the ID card be offered with a full database backup to all applicants?
It would offer some advantage: the database will be in the wild within a few months anyway; we are all convinced by the government's efficiency at distributing confidential information (except the draft of the sexed-up Iraq war meeting, and the Phorm legality advice, of course).
At least providing everyone a backup will mean the government (and/or its suppliers, outsourcers, and other leeches) would be easily able to recover it in case of disaster (as it seems that disaster recovery plans are less advanced than... data security).
Paris: I suspect she outsourced her VHS archiving to EDS.
I've not heard a good reason yet why data is being stored on removable media (or on laptops). If people want to work on test data there's no reason why that data cannot be stored on a test version of the database and the database accessed remotely, via VPN I would think - and the data anonymised if appropriate.
The data would then have the same security as the database that holds the real data (and the VPN, of course).
This seems a lot better to me than carting the data about the place on 500GB removable disks or other items easily left lying about or lost.
If someone could think of a reason why this might not be possible, I'd be glad to hear it. I've had a reasonably good think, and I can't come up with anything.
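The "anonymised if appropriate" step in that comment is the part that is easy to get wrong, so here is an added example of it (not code from the original thread; the field names, record layout and sample records are constructed for illustration). It pseudonymises a personnel extract before a test copy is made: direct identifiers are dropped, the date of birth is generalised to a decade band, and the join key is replaced by an HMAC token so that related tables still line up in the test database but the real staff ID cannot be recovered by hashing every ID of a known format. The key stays inside the secure environment and is never shipped with the extract.

```python
"""Pseudonymise a personnel extract before it leaves the secure environment.

Added example, not code from the original thread. Field names and the
sample records below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample extract (fictional records, no real data).
SAMPLE_STAFF = [
    {"staff_id": "PO-000123", "name": "Alice Example", "dob": "1975-04-12",
     "home_postcode": "AB1 2CD", "establishment": "HMP Example", "grade": "Officer"},
    {"staff_id": "PO-000456", "name": "Bob Sample", "dob": "1982-11-30",
     "home_postcode": "XY9 8ZW", "establishment": "HMP Example", "grade": "Admin"},
]
SAMPLE_PAYROLL = [
    {"staff_id": "PO-000123", "pay_band": "B3"},
    {"staff_id": "PO-000456", "pay_band": "A1"},
]

# Fields that identify a person directly: dropped, never sent to the test copy.
DROP_FIELDS = ("name", "home_postcode")
# Join keys between tables: replaced by a keyed token so joins still work.
TOKENISE_FIELDS = ("staff_id",)


def new_key() -> bytes:
    """Secret used to derive tokens. Generate it inside the secure
    environment and never copy it alongside the extract."""
    return secrets.token_bytes(32)


def tokenise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 64 bits).

    A plain hash would be reversible for IDs of a known format such as
    PO-000000..PO-999999 by hashing every candidate; the key prevents that."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_dob(dob: str) -> str:
    """Reduce a full ISO date of birth to a decade band: '1975-04-12' -> '1970s'."""
    year = int(dob[:4])
    return f"{year - year % 10}s"


def anonymise_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue                      # direct identifier: drop outright
        if field in TOKENISE_FIELDS:
            out[field] = tokenise(value, key)
        elif field == "dob":
            out["dob_decade"] = generalise_dob(value)
        else:
            out[field] = value            # operational fields stay as-is
    return out


def anonymise_extract(records: list, key: bytes) -> list:
    return [anonymise_record(r, key) for r in records]


def leaks_direct_identifier(records: list) -> bool:
    """Release check: True if any record still carries a field that must not leave."""
    banned = DROP_FIELDS + ("dob",)
    return any(field in record for record in records for field in banned)


if __name__ == "__main__":
    key = new_key()
    staff = anonymise_extract(SAMPLE_STAFF, key)
    payroll = anonymise_extract(SAMPLE_PAYROLL, key)
    assert not leaks_direct_identifier(staff)
    # Same key on both tables keeps the join intact without exposing the real ID.
    assert {r["staff_id"] for r in staff} == {r["staff_id"] for r in payroll}
    for record in staff:
        print(record)
```

Run `leaks_direct_identifier` as a gate in whatever job produces the test copy, so an extract that still carries names or postcodes cannot be written out at all. The token is truncated to 16 hex characters, which is plenty for a few thousand records; keep the full digest if the same key is used across very large populations.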
Can't see it achieving a lot...
...but all the same, something has to be seen to be done. Bringing this into sharper focus: we just seem to accept incompetence as a fact of life these days. So I'm behind it, if it raises awareness of the problem.
We only have one recourse to penalise the current government, but at the end of the day an election will only remove the leaders; the incompetent middle managers and staff are still in their cosy little jobs, still messing things up. The rest of us would have been sacked if we took company data home and lost it!
As I and others have said before, in this wired world, with VPNs and secure keyfobs, why the hell do you need to take data home? Secure PC, with a single locked-down network VPN connection config. No surfing, no personal stuff, just attached back to base with the secure RSA token and login details. It's some sad sap middle manager who wants to look important on the 5:45pm Reading express. No, you don't look important, you look like what you are: a sad f**ker with no life, whose company/organisation is taking the mickey out of you and your time!
Yet another loss...
that will be sure to have some cretin from the Home Office making a press release stating that "this is why we need biometric ID cards".
What will they do when our biometrics are lost and cloned: issue us with new fingerprints and retinas? These clowns and their subcontractors have amply demonstrated that they are incompetent when it comes to looking after our details.
Perhaps if ministers and contractors were to lose their jobs or contracts they would be more careful with our data.
With a normal home internet connection (say 8MBit down, 512kbit up?), 1TB of data would take
*puts glasses on*
*gets out slide rule*
512,000 bits per second can be uploaded by the host machine (assuming it was going from this hypothetical home connection)
8,000,000,000,000 / 512,000 = 15625000 seconds = ~4340 hours = ~ 180 days
So that's ~6 months. Or a couple of weeks if it was being received by this hypothetical connection and sent by one at least as fast. A couriered hard drive could be sent across the UK in a few hours.
Now I know (or rather, I would hope) that their services would be faster than a normal home connection. But it'd have to be hundreds of times faster to match a decent private courier service (assuming it was being uploaded from the hypothetical connection).
No idea how much information was actually sent, so the 1TB might not be at all accurate. But you'd really want to speed this up so that it could be transferred in the 16 hours that people are out-of-office.
Google "Sneakernet" for a quick introduction to this idea.
Also, strike sorta sounds good. A 5 minute strike for each record lost (for the five minutes it'd have taken to apply some sort of encryption or other decent security system). That's a whole _2 week_ strike!
re: disks? disks? wut?
There's an old saying (unfortunately originating from Leftpondia):
Never underestimate the bandwidth of a station wagon full of tapes.
Paris, 'cos I'm sure she knows her way round the back of a station wagon...
"a historical loss which I do not believe will ultimately compromise the safety and security of those who work for us"
Ah, the old 'historical loss' excuse. I look forward to seeing that rolled out if/when everyone else in the Home Office's employ loses their personal details...
> EDS should pay.
Yep, but EDS are more slippery than a bucket of eels. Good luck getting your lawyers to get one up theirs.
Isn't that a nice image: throw all the lawyers into a big hole and pour eels on them. Probably find the eels would hate it.
Long-lived encryption
How long is this data relevant?
If we are talking years then encryption is no good.
If I had this information I would sit on it and keep an eye on the internet, waiting for an exploit that broke the encryption, and bingo, a gold mine of info.
Remember encryption is constantly under attack, so don't rely on it if the data has a shelf life of years.
However, some protection is better than none.
I look forward to the day when all our data is freely available on the internet and we can go back to being people, not data sets.
Mines the one with all my details in the pocket.
Isn't it interesting to see how people's attitudes suddenly change when it's THEIR data that has been lost.
Just pass a law banning all portable media...
After all it's a process problem, and they're (t)errorists
@AC "2 _Week_ Strike!"
You WANT all the Prisons in the country to be unguarded for 2 WEEKS?!
I wish somebody would just do the decent thing and make encryption for personal data mandatory when outside of a secure location. That's all it would need. Servers locked in a data centre? No problem, leave them alone. They do get broken into, but it takes some significant doing.
But when a laptop is left on a bloody train full of personal details, or a DVD is mailed out Second Class, that's when this needs to be done.
Is it REALLY so hard? REALLY?
Please note EDS is now called: EDS, an HP company.
No seriously, we all got an email about it and everything :)
The Muppet Show (again)
".....Hanson told BBC Radio 5 that this was "a historical loss which I do not believe will ultimately compromise the safety and security of those who work for us"....."
Translation:- "We haven't got a clue where it is, but we're certain that wherever that somewhere is, it's perfectly safe".
Real meaning:- "We haven't got a clue".
All else is superfluous.
@AC on an RBS rant
No one encrypts data that is stored in datacentres. The _SERVER_ that was _STOLEN_ with RBS and AMEX data on it was just that, a server, and it also belonged to another company who were contracted by RBS and AMEX. I find it very hard to imagine a situation whereby AMEX and RBS don't have watertight contracts in place that specifically state what happens if data is lost by an external company and exactly what they should do to keep it secure.
There is no suggestion from anyone that any of the information is available to anyone except its owners and the bloke who purchased the server from ebay.
No fraud is currently understood to have taken place.
There is no need to put an extra watch for unusual activity on bank accounts because unusual activity is watched for anyway.
"Is anybody paying for this incompetence and criminality?" Well, Graphic Data will be paying in that they aren't going to be getting any more work from anyone are they?
"Is anybody going to being held personally responsible?" I'd imagine that the person who stole the server from Graphic Data will have a fair bit to answer for when the Police catch up with him.
Why does the government get so much stick when it seems to be the butter fingered private sector that is losing much of this data? Those child benefit records were entrusted to a courier company, the prisoner details in the hands of a consultant (I trust them even more now) and this latest loss, the Electronic Disaster Service (maintaining their reputation as disorganised geeks) lose personnel records and wait a year to 'fess up.
It seems that most of the government's data worries will go away if they stop contracting out work to the private sector.
Historical loss ...
... Nobody is at risk, everyone listed here has mysteriously died over the past few months.
I wouldn't worry too much...
That 500GB drive has probably been formatted by now and it's currently hosting a light-fingered employee's MP3 collection, so everyone is safe...
@AC13:16 re RBS (do you work for/with them?)
"I find it very hard to imagine a situation whereby AMEX and RBS don't have watertight contracts in place that specifically state what happens if data is lost by an external company and exactly what they should do to keep it secure."
You don't have to imagine, it's just happened. You don't need contracts, contracts are for the timewasters we call lawyers. This is about (in)competence. Who cares if the server in this picture was stolen, the data was INSECURE before it was stolen, (eg) totally vulnerable to an insider job. The thief just got lucky (or so you'd have us believe), and now it's widely reported, others may have a go at similar places too.
"There is no suggestion from anyone that any of the information is available to anyone except its owners and the bloke who purchased the server from ebay."
Yeah right. I know first hand of someone whose credit card was compromised right up to the limit (several thousands) by the RBS incident (and that is the only possible source of the compromise). He is not the only victim. His first notice of it was an email from a well-known etailer (NOT from RBS/the credit card company) noting unusual activity on his account, who also hinted that lots of other folks were seeing unusual activity.
This one will hopefully run and run, and although I do feel sorry for the folks affected, those in charge deserve everything that ought to be coming their way.
Because it's the government that should dictate the security requirements and ensure they are taken care of.
It is their responsibility. If a private company doesn't follow these requirements then the government's investigators and auditors should find out and stop it long before any data gets lost.
However, what the government does is go "so you'll do all this secure stuff, right?" *nudge, nudge, wink, wink* and the contractor goes "sure" *flicks nose, wink* and nobody talks of it again until someone finds out something's "gone missing" and that information finally, sometime later, gets leaked.
Parkinson's Law and the rising tide
Parkinson's Law said that you rise to the level of your incompetence, hence most managers are incompetent to handle the work their position entails.
But what Parkinson didn't foresee was the effect of technological change. People not yet at their level of incompetence in the classical Parkinsonian sense have been overwhelmed by this rising tide. Thus, in addition to the normal Parkinsonian incompetents, you have a secondary class of incompetents, generally at lower levels in the management hierarchy.
I saw a small example of this when working: a woman whose background was "office supervisor" and who had risen very close to her level of incompetence via normal promotions. The legal underpinnings of her public sector job became more complex: they demanded the calculation of an average and as she had at best a not-very-good high school education, she was now at sea, unable to perform that simplest of statistical calculations.
She hadn't changed but her job had; instead of being just below her level of incompetence, she was now well beyond it.
I can't help but suspect that this is what's happening in UK government: functionaries whose performance just 15 years ago (pre-web days) was fully competent have become utterly incompetent. You say "full disk encryption" and they drool in bepuzzlement. Indeed, this seems to have happened to politicians as a class: they are now responsible for issues they haven't a clue about except what they read in the Daily Mail. The situation is exacerbated by NuLabour's dismissal of experience, education, etc as "elitist nonsense, my opinion is as good as that of someone who's studied these problems for decades."
Could not have happened to nicer fellas
Does the UK still sentence people for being bankrupt?
Be wonderful if it did. Then, after financial ruin and other hijinks for the screws, they'd have a shot at being clapped up alongside some of the folks they normally get to take the piss out of.
Borstal Boy comes back around.
Also, has anyone noticed that the environmental pieces are often run with no opportunity to comment? Today's 'anti science greenies,' for instance, which serves largely to shill yet another political site that Orlowski favors, has no comments field.
Also, I note with interest that the Register managed not to hear the good news announced this weekend: for the first time in memory, the northern passage 'round the pole is navigable just now. Seems 'twas only a month or six weeks ago the Reg was clapping itself on the back and claiming that 2008 wasn't on track to match 2007 for Arctic ice reduction. 2007 would then be a one-off, so the bizarre Inhofe echo chamber hereabouts was saying.
Just to correct Anonymous_Coward - according to all the news stories, EDS reported the missing drive at the time of discovery. It's the Prison Service who have failed to inform Jack Straw that it was missing.
The party line for today is.....
David Hanson, a minister from the Justice Department, commented "I do not believe this data loss will ultimately compromise the safety and security of those who work for us"
From the Data Protection Minister, Michael Wills, we have " I do not believe the information is in public circulation."
Translated into plain old Anglo Saxon English this means "We haven't got a fucking clue how this happened or where the data is, but trust us because we are true believers. Data integrity can be secured by faith alone."
Sleep safe in your beds tonight.
"a historical loss" ... should read, "an hysterical cockup"
Which loss do they mean?
Not going into details, but based on what I know about EDS and some of the techs that work there, chances are the drive was "lost" (as in the four-finger-discount version of lost), wiped and stuck in someone's home PC. Now I know that's no justification for EDS (as the company) "losing" the data as well as the drive. Why was the data not encrypted (or at the very least in a password-protected ZIP file) and why were there no other copies of these files?
Maybe all personnel data should be downgraded onto paper, then locked in a big metal underground bunker somewhere so it can't get lost... although there's the problem of hiding the key to the door... erm...