back to article Lost laptop exposes thousands of pension records

A lost laptop containing the personal data of 109,000 Pensions Trust members has sparked the latest in a growing list of information security breach alerts. The missing machine was stolen from the offices of NorthgateArinso, suppliers of the Pensions Trust's computerised pensions administration system, where it was being used " …

COMMENTS

This topic is closed for new posts.
Silver badge
Thumb Up

Great sub title

"Quest to free all world's imprisoned data continues"

Funny until you realise it may be true...

0
0
Unhappy

Duh!

My wife's details are on that laptop.

I'd love to know why they needed to use live data for testing & training purposes...

0
0
Thumb Down

Used for development, training and testing?

I hope they included those uses in the data protection information that was given to the real users when all the data was captured.. we wouldn't want any further DPA violations would we?

0
0
Alert

Three words...

TRUECRYPT

TRUECRYPT

TRUECRYPT

Sheesh. I can't believe that these people *still* don't know the basics of securing sensitive data. I'm just glad I don't have any insurance, pension, bank accounts, or presence with the government. Hmm, where's my tinfoil hat?

0
0

Guess the password.

"Data on the drive ........ was password protected"

Lets's try and guess what that might be.

pens1on

passw0rd

northgate1

0
0
Black Helicopters

data privacy rules for numpties

1. encrypt your hard drives, esp. on laptops - password protecting Excel files does not count.

2. transfer data on line (if you have to), not on a disk with the password on a Post-It attached to it.

3. Reduce the number of records / fields if you have to hand it out for testing or statistical analysis.

4. Anonymize records if you have to hand it out for testing or statistical analysis.

There, that would have stopped 90% of the embarrassing datalosses .

That leaves deliberate leaks and data theft.

If you're an MP wanting to cover up expenses claims, you're F**ked.

0
0
Thumb Down

Ever heard of testing using sanitised data?

Testing using live data?? - "it was was being used as a database for development, training and performance testing".

Idiots.

0
0
Bronze badge

Funny

In spain, it is explicitly unlawful to use confidential data in test, development, etc. And it also a nobrainer.

0
0
Silver badge
Thumb Down

You couldn't make it up

Cost of disk encryption software: <£50 (<<£50 in bulk)

Value of not having your name splashed all over the press as the biggest bunch of incompetent wasters since the last lot: priceless.

0
0
Anonymous Coward

Pedans pedantis

If the laptop was _stolen_, could the data be described as _lost_?

(It's been a tiring day...)

0
0
Stop

Yeah, it's best not to test on live data ...

... that way there is the maximum probability of everything going wrong when the application/web-site/whatever goes live. Please let them test on live data at least a couple of days before going live.

The other thing: why are we hearing about this kind of thing so much? Are they softening us up, getting us used to the idea of all our personal information being known by everyone, so that we learn to accept having no privacy? I can't think of any other explanation of all these announcements. Surely in decades past this kind of thing would have been hushed up?

0
0
Unhappy

Breach of DPA?

Surely if the information's that sensitive, for a vendor to be able to pore through it at their leisure is a blatant and inexcusable breach of DPA!?!

Someone had better get their faced nailed to the wall for this, but they won't

0
0

Bastards

Having missed by only a couple of days having my details revealed in the Great Child Benefit Data Giveaway, the Pensions Trust have finally managed to do it.

Knowing the ICO can and will do nothing more than shake their heads and say "Tut, tut, tut", is there any basis for private legal action against these muppets, or does one have to prove monetary loss?

0
0
Unhappy

Can we have an answer

to the data protection act question? Can someone in Government also explain why we should trust them to run an ID card system with this track record

0
0

to @Aitor

"In spain, it is explicitly unlawful to use confidential data in test, development, etc. And it also a nobrainer"

sorry, but that's pretty silly law

we use in special cases live production data for QA, it is in very controlled environment (special QA environment for live data) and has full production policies and controls. Sometimes it is almost impossible to use dummy or obfuscated data if you want to do really good overall QA and/or there is data backfill being done.

it's not about not using live data in development, it's how it's controlled. Clearly they did not have good policy in place.

0
0

Ha ha ha!

And STILL they want to foist ID Cards on us!

0
0
Alert

Good timing....

I just got back from London having had a few pints with some of the lads from the old firm, and they mentioned they're already preparing for the forced ID card deployment. "Clean" (spotless CRB check) people are being spoken to about getting jobs with the contractors.

The data alone is valuable, and that'll go walkabout pretty quick, but having someone on the inside savvy enough to manipulate it or install some MITM trickery and it's a "digital fucking diamond mine" as one of them put it.

0
0
Thumb Down

Why are they running a test system on a laptop?

Not to mention a laptop with confidential data on it.

0
0

Database?

"Data on the drive was not encrypted but it was password protected"

It's not a *database* it's Access

(it is isn't it?)

AndyD 8-)#

0
0

Database?

well MS Access is Database. You might have strong objections against MS Access (I do as well), but it is still a relational database

if it was MS Access 2007, then it could be encrypted using decent ACCDE format (please note word decent, I did not use word good).

0
0
Stop

Not a care about the laptop. All we care about is the data

The comments on here are interesting as they show that all anyone really cares about is the data on the device, not the device itself.

The data in this case isn't protected by encryption, just a password. But knowing the data is on the device, would it make any difference to the peoples perceptions that their private data is on that device?

Surely knowing the data has been removed from the device would be a lot better? Utilising the internet or mobile phone networks you can receive this reassurance through a tool like BackStopp. The data is removed and a report is made available detailing the removal of such data. What price would the company in question pay for that functionality now?

0
0
This topic is closed for new posts.

Forums