PA Consulting has blamed its loss of the personal details of the entire UK prison population on a rogue employee in an apparent plea not to be kicked off any more big government contracts. Jacqui Smith, in a decidedly un-wacky mood, gave the firm's £1.5m JTrack offender data deal the chop yesterday saying there had been a "clear …
It's just a shame...
...other data losses are not handled in the same way. Since when was a Civil Servant kicked out over anything like this?
If one firm suffers for even just one loss, then maybe some others might sit up and take notice as well.
EDS, we are all looking at you.
soon run out of contractors
While I'm generally in favour of the occasional ritual disemboweling of incompetent subcontractors (it does help to focus the mind, and serves as an example to the rest), if the govt takes this stance with every transgressor, they'll soon run out of IT subcontractors.
It seems to me that they're all pretty much as useless as each other, when it comes to keeping secure data, secure. So far the only thing that differentiates them is blind luck and the ability to either shift blame, or cover up the whole mess.
What I'd suggest is that instead of taking away their contracts, the government locks up a few directors (since these are the people whose job it is to carry the can) for periods depending on the seriousness of the loss. Maybe the time in chokey should be linked to the time it would take these individuals to re-type the lost data?
single human, pull the other one
It's called a systematic failure where I come from.
Highly sensitive info on a PC with a USB port and individuals with the power to stream it all off. Rogues 1 Systems 0
Aaah, Jacqui Smith
What a truly vile woman.
Process != safeguard.
What I read was that the consultants were in breach of agreed processes, so presumably those processes precluded letting employees of the "rogue" variety get their mitts on the data. Any written process is liable to breach, so if you're liable *for* the breach, it makes sense to take measures *beyond* the written into the physical to ensure you don't become a liability.
And it's pretty funny that they have "...a £19m contract advising the government on the ID cards scheme...." funny in a morbid kind of a way. Just think what another £19m could do somewhere actually *useful*.
It's a no brainer
It's the company's fault. FULL STOP
They should have had measures in place to prevent this type of thing happening. It's widely available and, for what these guys are doing, reasonably priced.
There is no excuse available to get the contract back. They knew the data they were handling. They knew the measures which should have been in place. They should have followed them.
STOP these types of data losses now. It's easy.
Perhaps they have an edge...
If they have to sack people willy nilly as a result of losing such a big contract, the next data-stick they might lose could be the archive of 3 years' restricted and secret (apparently there was some, and DV-cleared consultants) correspondence with the Home Office over the ID scheme.
In the good old days, you didn't trust people and procedures to keep data secure. That was thought to be like crossing your fingers and hoping, as one day, someone would 'forget'.
If you had sensitive data, like in the military or civil service, you didn't ask people not to use USB drives or removable disks - you rendered those entry points physically unusable - often by the simple expedient of filling them up with superglue. And no-one ever, ever, was allowed to attach a laptop to the network which held the sensitive data.
This was just the ordinary stuff. If you had anything REALLY secret, it was kept in a locked room with armed guards.
If the Home Office and PA can't do their jobs with that level of security, at least, they should not EVER be allowed to handle sensitive data again. PA seems to be saying that processes failed - well, duh! Make sure they can't fail, at least not easily, or they will. I am surprised, in a way, that they don't understand this, but I guess you don't actually have to know much about IT to be a consultant.
Or a politician.
@It's just a shame...
I know it's common sense, but when the data protection rules in govt are deemed secure so are in passworded files, and the govt tries to stem unemployment by making them all civil servants you tend to find stupid things happen. Losing a civil servant simply hides the blame from the real moron at the top who's too big a muppet to deal with the main issue, that their organisation sucks.
I'm guessing that PA Consulting doesn't have highly placed lobbyists in place to deflect blame like EDS and other contractors who screwed up have done.
Be nice if the government was as strict with its own departments as it is with sub-contractors.
Apologise to the Home Office eh chaps? How about apologising to the taxpayer and electorate given it's us you're ultimately screwing, not our servants in the Home Office!
Wonders never cease...
Amazed they enable USB ports by default. We don't even have access to the CD writers on our machines (and this is just a bunch of lyers, sorry, lawyers).
You screw up, you face the music. Only worry is the contract will go to someone even cheaper...
We deeply regret this human failure and apologise unreservedly to the Home Office.
Sounds like they're accepting liability for the breach. That won't help them in court should any of this lost data be used to commit a crime against those people whose details were stored on the card.
And before anyone says that people taking justice into their own hands and beating the living shite out of a con is a good thing: a: vigilantism never is, b: once someone has served their sentence the law says they have paid their debt to society, c: the card also held details of people on drug treatment programmes and some reports said it also had information about informants.
Who hired the guy who screwed up?
Fire the guy who lost the data. Then fire the interview board, and his line manager.
That should do it.
two really obvious things
(1) This is a golden opportunity to slip out of these contracts; especially if they aren't going well and someone at the top knows about it.
(2) If this happened on Jacqui's remit, why isn't there a resignation on the table and she's doing the expected ritual seppuku?
@It's just a shame...
Occasionally, the public sector *does* actually hold people accountable:
Mine's the one that looks the same as yours, but came from a charity shop
Official Secrets Act?
Question: At what point does the Official Secrets Act come into play? One assumes that sensitive data processed in-house by the Home Office is thoroughly covered by this, but is it (and can it be made to be) applicable to out-sourced work?
But for the data to be useful, SOMEONE's got to have the key, and you can't control the human brain.
"Quis custodiet ipsos custodes?" Particularly when you're in DTA mode?
Voltaire had it right
when he wrote Candide: Dans ce pays-ci, il est bon de tuer de temps en temps un amiral pour encourager les autres.
(In this country, it is wise to kill an admiral from time to time, to encourage the others).
If PA suffer seriously, then maybe everyone will sort themselves out.
Including the civil service. Nah. Who am I kidding? Never happen.
Jacqui Smith doing the right thing?
Hopefully her encore will be to resign!
Must Start Some Where
Screw ups like this do happen - people are involved so there's no getting around it. However, these screw ups are happening far, far too regularly, therefore someone must be made an example of.
Without punitive recourse on the part of the Govt there is no reason for anyone to try and do better: PA Should Lose Remaining Contracts.
I truly hate it for them, I really do, but it's got to start somewhere.
It is comforting to know that the country is safe in the hands of people such as the Home Secretary. I for one have every confidence that the ID cards system is safe with her. If you do have something to hide then it might not be a worry if they've lost it. Depends I suppose.
One individual ? Systemic ? Endemic ?
If it is one individual he's been pretty busy this year.
Money is not the problem
I had a friend who worked for PA for a while. He was chatting with the CEO about the problems of finding good graduates. The CEO said "Money is not the problem". So my friend put this slogan in big letters across the screen on his ratty motorcycle and then parked it in the company car park. He left soon after.
Paris. Because money is not the problem for her either.
There's nothing wrong with using a USB key to transfer data between appropriately secured machines.
If you lock down the USB ports, people will find a way to send data over the network, or wirelessly, which could be much less secure.
The utter PA'tardedness of it is (a) not deleting the data after the transfer (b) losing the USB key, then (c) owning up to it.
Process et al
Umm, you may be royally barking up the wrong tree here.
This was AFAIK indeed human failure, and that's something you *always* have to plan for. Let's follow the assumption that "no process" existed and go to a place where wall to wall processes and rules mean that it's amazing that breathing is still unregulated: GCHQ.
Does anyone happen to remember the Kofi Annan spy scandal? Was that a process failure? No, that was a failure to deal with the humans in the chain, nothing more.
Back to the punishment. Will that have any REAL effect? Well, no. Consider:
- the overwhelming majority of failures are at the Gov/military end, not contractors. The occasional blip comes from contractors which are then enthusiastically used (like PA) to distract the press.
- you can impose conditions on contractors, but if Jacqui Smith is trying to prove that she is cracking down on the problem (by scapegoating this consultancy) she has failed miserably.
Granted, to notch down the lot that has been very supportive of the efforts to inflict ID Cards on the population is welcome, but to just nuke them out of work is IMHO really trying to deflect the attention from a VERY basic problem:
At the "Joe Bloggs" level, UK government does simply not have an encryption standard. Ergo, there cannot be a process to secure data. Ergo there is no way to beat someone up about failures, so instead they're moved out of the way (the last one so "punished" ended up with a promotion to Cabinet Office, if I recall correctly - anything to get the press off the scent). Until that very basic problem is fixed there will be further entertainment, and a general search for contractors to blame.
As for PA Consulting, sure, fine the bejeebes out of them. But being an idiot about punishment simply means that the replacement will double their prices to manage the business risk (which ye olde taxpayer will have to cough up), despite the fact that they will be able to blame failure on their predecessors.
Back to the main assertion: Truecrypt or PGP anyone? Also, don't be afraid of/snobbish about AES, the "A" is only a rebranding. It's actually of Belgian origin :-).
Admins know all this, trouble is that in the contracting world nowadays you can't even get a replacement mouse without 3 months of meetings consisting of nothing but middle managers who barely know what a mouse is.
People with actual computer knowledge have no power, it's all in the hands of incompetent gobshites who do nothing but look out for their own back and avoid rocking the boat.
Even if the "disable USB ports" policy made it through the initial 2 months of meetings, it would inevitably be derailed by some coked-up little prick who pipes up "well, what on earth do we do if we need to get info into the computers?", and there not being anyone technical at that meeting to inform the pricks.
Good sense averted.
USB is the modern floppy--only larger in capacity and easier to lose track. That's why a basic measure of a locked-down computer is to seal or remove the USB ports, making them impossible to use. Then you can get to work on securing the other avenues of egress such as through the network (which would be done by locking down the network privileges to all but the techies--who would NOT have access to the computer's data--JUST the networking systems).
Unfortunately, the one avenue that can't be dealt with anytime soon is the human brain. It can itself store information if trained properly and cannot be dealt with in any reasonable manner.
There's also the matter of conspiracies--getting *all* the proper people in the right places to knock out any safeguard imaginable.
Labour's lust for PR
This is another example of Labour wanting so badly to be seen to do something that they've made the whole thing worse.
They fired ETS without any contingency plan and only realised when they all came back from summer holidays and noticed that no-one was there to plan next year's SATS. So now they're even further up shit creek than they would have been sticking with ETS and trying to apply the lessons learned from this year's fiasco (If you thought this year's SATs were bad, wait til you see what happens next time). Now they're going to be in a similar situation with PA.
If this sticks, which I'm not sure I believe it will, and UK Gov really pull the plug on PA then there will be massive slippage in whatever PA were doing (over and above whatever mess the projects were already in due to missed client-side dependencies) and they'll have to pay someone else to re-do the work or write it off. So what looks like bad luck for PA, actually is even worse for us poor tax-paying types. It is however great news for PA's lawyers and their competitors.
Ah well. What can you do?
PA Consulting were sub-contracted...
I thought that if a Contractor awarded a job to a Sub Contractor, that the Contractor was still ultimately responsible for any cock-ups made by the Sub Contractor?
Unexploited market niche?
I know you can get USB gadgets to do just about anything. But I haven't yet seen one where you plug it in and it basically fsck's the USB socket - permanently. Even better fun if it also emits sparks and loud crackling sounds.
That'd be a good way of securing all your machines.
Maybe you could have one for optical drives too - maybe like a CD-sized angle grinder disc cum circular saw blade. Or I guess it could just spray super-glue around inside the drive.
I'm not sure what the demand would be for these, but it'd sure be fun coming up with a few prototypes.
The Blame Game
There is no law about moving data files around.
If he was in breach of contract, then fine, but you have to enforce the contract, with procedure.
Clearly it is not the placing of the data files onto a USB device that was the problem. The problem was that it was even possible to do that in the first place.
Jacqui Smith should do the right thing, and resign, the country would be a lot better off without her mucking things up.
@The Blame game
> There is no law about moving data files around
There most definitely is: copyright law, official secrets, a person's right to privacy (ECHR) and even as you say yourself: contract law. I'd say that the problem was exactly the placing of data on a portable (and therefore lose-able) device.
The Blame Game
This is the company's fault as it should have been made clear to all employees that use of USB sticks to transport data was a sackable offence - the employee was probably told to read some web page and never did - seems that's the way a lot of organisations work. In one company I worked in we insisted that the only USB sticks used were encrypted and included a fingerprint scanner. But yes, the best way is to lock down the USB ports and most companies should be doing this as well as using encryption on all PC and laptop drives, but I've not come across one that does both yet. So data will continue to be lost. Can't wait for the next one.
The time has come the walrus said --
Cos people are too dumb --
To encrypt the whole human world
As a rule of thumb (drives).
There was a young man from Japan,
Whose rhymes never would scan,
When asked why,
He could only reply
It's because I try and get as many words into the last line as I possibly can.
auto hype-removal bot
Dear client, we don't understand the first thing about the task you contracted us to perform, we lied to you, we effectively stole from you and we put the financial security of your employees in danger when we lost your private data by deliberately breaking the Data Protection Act. Can we have our gravy train back please?
And here I am
about to have disk encryption software installed on my work laptop so any USB keys and CDs I write are automagically encrypted, as is the data on my HD (not that I have sensitive data on the HD - I'm not stupid).
This stuff isn't difficult, seriously.
42 Server and Protect Gravy Trains..... AIManKind Imperative eXXXXeQTive Live Mission*
"Dear client, we don't understand the first thing about the task you contracted us to perform, we lied to you, we effectively stole from you and we put the financial security of your employees in danger when we lost your private data by deliberately breaking the Data Protection Act. Can we have our gravy train back please?" ..... By Anonymous Coward
Posted Friday 12th September 2008 10:00 GMT
Ah Biffo ...... http://www.cartoonstock.com/vintage/vintage_cartoons.asp
*For Future Immaculate Store Source with Enriched and Enriching DNA Proliferations.... Possible Beings with AI Virtualised IDEntities ........ Wraiths in MaJIC Cloaks ..... Mr Bigs in the Hoods.
@ AC re. Labour's lust for PR
ETS weren't sacked, they said they were no longer willing to do the contract and withdrew.
Spookily enough this week their directors were up in front of a select committee pointing out that the Govt. kept changing the spec, deadlines and all sorts of stuff.
Sounds familiar, can't write a decent spec for your project - blame the contractor who bid to do it on the understanding that you a) have a fair idea what you want to achieve and b) aren't likely to change your mind every 2 minutes.
Human Failure, Indeed
Why, yes, it would be human failure, wouldn't it?
Let's begin with "Human Resources," shall we?
Human resources manages resources that happen to be human. Some several years ago, I worked in Personnel. We didn't have resources. We had people.
Nowadays, we have companies (which aren't human) staffed at the top by "owners" and "directors" and "shareholders" (which also aren't human), hiring resources, some of which are human.
Humans are finicky components. They're supposed to be plug-compatible replacements for one another. If you hire a human engineer, he can be used to replace any other human engineer of the same (or sufficiently similar) specification. Accounting humans can replace other accounting humans. Sales droids -- err, humans -- can be used to replace either sales or marketing humans.
Humans are received, fully programmed, from the Human Preparation Mills (see also "university"), and are supposed to be ready to use, subject only to a brief "initialization" or "orientation" period.
Unhappily, the technology of Human Programming being what it is, these resources are prone to various kinds of failure.
One of the more common failures is a "goals and desires" bug. This bug has supposedly been removed at various stages during the development process of Human Programming, but it continues to crop up unexpectedly (as bugs are wont to do).
In more primitive organizational technologies, e.g. those using people instead of "resource, human" for tasks requiring intelligence, things like goals, desires, feelings, and a quirk often referred to as "life," were expected and simply accounted for in the system design.
With the advent of the more advanced system of "resources" we were to have been relieved of the vagaries of such quirks, having only to deal with the functional interface.
Clearly, there's more work to be done.
I rather suspect that part of the problem here is that the people running the company are, themselves, somewhat human, and this condition has directly contributed to the errors in resource selection, resulting in the employment of a faulty human.
I'd start there. Removal of humans from management and executive positions is the only thing that will solve this chronic problem. Then we can set about seeing to the elimination of these "life-related" quirks from the human drone -- err, resource -- populations.
Re ..Human Failure, Indeed
I second that Magnificent Rant, ArfinGreebly. That was a Deed Well Done. And so Seconded is ITs Power Squared and More than just Simply dDoubled with Proxy Virtual Support ....Beta for Real.
And I'll just Leave that Hanging on the Vine to make the Finest for Wine.
The rogue employee should not be fired
He should be added to the prison population whose details he 'lost'.