Barnet Council has lost records of 9,000 school children after a laptop and unencrypted USB stick were stolen. Nick Walkley, chief executive of Barnet Council, has written to parents to apologise but said the risks associated with the data breach were minimal. Information held included children's names, educational attainment, …
shit a brick
"the loss happened when a member of staff copied the unencrypted data onto CD Roms and USB sticks."
Hello Face, my name is Palm.
"The laptop, CDs and USB sticks were then stolen during a burglary at the staff member's home."
Oh so they're allowed to take confidential information home with them? Nice to know security is locked up tight then, eh?
"That person has been suspended for breaking council rules by saving the data onto memory sticks."
Suspended from a hangman's noose I hope. Fucking idiot.
the sound of my head hitting the desk in dismay.
what an utter chozzler.
I'd like to know why s/he saw fit to copy the data onto USB sticks AND CDs.
Presumably either would be capacious enough to store the whole database (if what they say about how much data they store is true). Seems to me that s/he must've been stockpiling multiple copies on multiple types of media. God knows why, I wouldn't be a bit surprised if some of them were subsequently wrapped in tinfoil or dipped in holy water. I'd keep a close eye on that person that's for sure. Might wanna check out his/her home too, they'd probably find s/he keeps a goldfish in the toilet and craps in the bath. Not right in the head.
'risks associated with the data breach were minimal'
In my day, free school dinner entitlement was enough to warrant 10 years of verbal abuse from peers.
Is it still like that?
I wouldn't worry about 10 years of abuse, you won't survive longer than 5 eating the free school meals.
Re: verbal abuse from peers
Why? In my day we were very understanding. However, if your generation thought verbal abuse was the correct way to treat someone whose father had died then it might explain the tone of a lot of comments.
"The council said it has now disabled external storage devices to stop staff making unauthorised copies of data and is setting up an independent review of what went wrong."
Y'know, that has a bit of a familiar ring to it.... Sure I've heard it before somewhere.
Maybe, just maybe, an education department (I assume that's the council dept dealing with this, as it relates to school records) should have (forgive me) paid attention in class and learned from all the lessons where this subject has been covered in the past, often in excruciating detail.
Back of the class and a dunce's hat for Barnet Council.
This is why...
...they (the state) cannot be trusted. If they can't do something as simple as ensure a few names are held in an encrypted format; how the HELL can we trust them with the ID database etc?
Personal information should be stored encrypted AT ALL TIMES.
Anything else is negligent.
did you read the story past the headline?
Did you come here via a link from the Daily Mail by any chance?
"Personal information should be stored encrypted AT ALL TIMES."
Wow are you seriously suggesting that those with access to the data should be trained to read encrypted data directly? Maybe we could get some of those operators from the Matrix working at the councils?
If you allow people to access data they have to be able to decrypt it, if they can decrypt it they can save the decrypted form. Sure you can make it more difficult by using bespoke hardware (or disabling the output devices etc) but security by obscurification is not the answer, people simply don't understand the implications of taking the work home to finish off (I will put good money that this council does not have a secure method of doing so in place!), and education is difficult to achieve to make them (us) understand this without everyone becoming paranoid.
Re: did you read the story past the headline?
>if they can decrypt it they can save the decrypted form
Who'd have thunk it, but the issue is saving it to external devices and there are ways of ensuring that if anything is saved to removable media it is automatically encrypted.
Wouldn't that be covered by "I will put good money that this council does not have a secure method of doing so in place!"?
Implementing an access control system to manage the risks of data loss is what is required. I have worked in too many places where they simply ban behaviour retrospectively based on past failure and by making work more difficult for people they actually open up more and more obscure holes. Same as health and safety in this way IMHO.
A fundamental change of attitude is required in valuing data, which is the actual problem here, if data was considered an asset by everyone in the hierarchy, not just the database maintainer etc then this wouldn't be a problem as people would not just walk off with a USB stick full of data?
Unfortunately chief among those who do not value their data are the public who readily give it up in exchange for 'freebies' then bitch about it later.
Barnet were proposing to style their council services on EasyJet, where you'll just get the basic services, and pay extra for anything else.
Presumably securing your personal data is an extra...
re: Should've known
"style ... council"
Let's hope the Vatican isn't behind the theft.
;/Mine's the one with the Bible, holy water and sweets in the pocket.
OK, rinse keyboard
There were some people talking about punishment at school. I'm sure physical punishment is no longer allowed at school other than pupil to pupil (when the teacher isn't watching), but AFAIK there's no longer a law against spanking an adult.
The only problem is that it may actually encourage them. Maybe not, then.
So the council
'is setting up an independent review of what went wrong.' is it? And how much of my council tax money will that cost?
Let me give you a hint guys:
'Although the database of kids from year 11 in 2007, 2008 and 2009 was encrypted, the loss happened when a member of staff copied the unencrypted data onto CD Roms and USB sticks.'
No wonder my f**king council tax bill goes up every year. Every time anyone in the council does something retarded (which let's face it is fairly often) they have an independent review to work out JUST HOW RETARDED... at my f**king expense.
Any child can immediately see what caused the problem. They have already admitted they know what went wrong by suspending the user concerned and saying they will disable external storage.
Stop wasting my bloody money on asking questions you already know the answers to!
The whole reason for the 'independent review' or 'internal investigation' (yes, that always gets a chuckle) is to show how hard done by and contrite the poor council is and to justify the scapegoating of some idiot who happened to be stupid enough to get caught taking the data home.
You're quite right though, it's blatantly sodding obvious why councils and government shouldn't be trusted with anything more than pocket change and an abacus.
Give it a month or three for the members of the gravy train to agree on how they should say 'lessons have been learned' 'new procedures are in place' and nominate the hand wringing, onion bag carrying council executive who is to stand up in front of a small crowd, who will hopefully have forgotten what it was all about anyway, to utter the magic incantation, 'mediatus opportunitus, forgivus oursinsus'
Cynical and untrusting? Me? Noooooo...
Some British authority/institution/society/something else losing confidential data...
Same old same old then, eh?
bloody twats, this time my own council...
Business as usual in Barnet
No big surprise - they are good at losing things.
The man who sent ratepayers money to Iceland is standing for Parliament.
It's just like in the commercial world - fuck it up properly and you get promoted.
And the current Mayor is the same person who appointed a dodgy person to help run the Fire Brigade in London.
The council employee should get promoted for continuing the 'Don't do as I do, do as I say' policy.
"No big surprise - they are good at losing things."
"Losers" in both senses of the word then..
Bad hair day?
You know, terrible Barnet.
The flak jacket please.
Horse Bolt Door
The words Horse & Bolt & Door come to mind. So the council have pretty much admitted that they didn't have a security policy in place to ensure that USB sticks and CD couldn't be used.
Knowing how councils work, what's to say that some jumped manager or councillor with a huge ego and ideas above their station manages to persuade some lowly IT staff member to re-enable it "because they need it to work" who then loses the data because such people usually don't have any common sense let alone intelligence.
The only way to prevent this from happening is
to start sacking people. And I don't mean the poor sap that will end up carrying the can, I mean the person whose job it was to secure this information.
If they thought they might lose their jobs over a security breach they might take it a little more seriously.
And when I say sack I don't mean suspend on full pay either. Sacked for gross negligence. No pay off. No reference. That will help the deficit a bit.
As someone else mentioned, Barnet is going down the EasyJet route (though it's far more like RyanAir). This means that they have already been 'letting people go' for some time. It wouldn't be surprising if the bod who took the data home needed to work on it out of hours due to a severe lack of work colleagues.
As the trend for the upcoming General Election is to dispose of more local authority staff under the guise of more local autonomy we should expect more and more of this happening.
Barnet is subbing out anything it can - it barely has any of its own buildings left.
They don't seem to have much IT staff either, their local services maps can only be viewed with an IE plug-in and the website is hard to negotiate but they rely more and more on it to deliver information. You'd think they didn't want local residents to find out what was going on.
How dumb/mad/stupid does this sound.
Sure, it *probably* was some random burglary and the burglar fenced it ASAP for some drugs (70% of all UK prison inmates are for drugs offenses. Play the odds). *Unless* freddo the peado has been looking to do some shopping.
Why does the phrase "Familiarity breeds contempt" keep coming to mind.
'we will disable external storage'
Sounds like one of those helpful IT bods.
IT->'You can't have external storage',
worker->'but I have to work at home in order to get some reports done and external storage is the way I can do that',
IT->'Not my job to help you do something, just make sure there's nothing bad for the council's PR'.
Of course, that's assuming the worker wasn't just reading these documents for a laugh. Before we had computers and stuff, I suppose paperwork never got stolen because it was just so heavy?
Disabling external storage?
Can someone explain just how that's going to help? Maybe if they disable all external access ...
council IT workers
Because blanket retroactive security policy is cheaper than anyone with a brain thinking about why the person was working at home and if it is necessary providing a secure solution for them in the first place!
Personally the statement "Sorry I can't do that from the client site because your IT policy does not allow me to securely connect to that data" comes in useful quite handy at changing the IT policy and saves the possibility of data loss quite frequently.
When your security
relies on a thief formatting the laptop he stole then you know you're in trouble.
Who the bloody hell steals CDs (burnt CDs at that) when they rob a house???
Laptop... yep - that's worth a few quid.
USB stick... yep - always comes in handy and fits in the pocket nicely.
Burnt CDs... what the hell? They're not worth anything... unless of course they had written in black marker "confidential information in unencrypted format of people's personal data, perfect for selling online"... hmmm....
who steals CDs?
It was probably in the laptop CD drive at the time.
Re: did you read the story past the headline?
"Wow are you seriously suggesting that those with access to the data should be trained to read encrypted data directly?"
Not only that, any letters will have to be printed with the personal details encrypted. We all know that names and addresses should be kept away from the prying eyes of the Post Office.
what about everyone else ?
The public sector HAS to disclose losses like this, don't kid yourself that this is simply a public sector issue, private sector companies no doubt lose all sorts of shit e.g. leave your bank details out in the rubbish etc, I was sent my neighbour's complete credit history by Experian FFS !
But they don't need to admit it! Hence it must only be those pariahs the public sector/state/govt who lose our data
technical security measures are fine, but then that's IT ruining everyone's fun,
security policies are fine, but human beings can't help being arseholes !
So we'll do what government does best, don't deal with the miscreant, just make policy which affects the folk who have a clue.
Not good enough
In these types of cases, the person responsible and their immediate manager need to be fired.
Simply, the only thing that is going to change this is accountability.
The bottom line is...
...no matter what steps you put in place, someone with access to this data can get it outside the organisation and lose it (copying details down into a notepad that they then leave on a bus being the most time-consuming and low-tech method).
All the people in charge have to do is make it difficult. This one simple thing, and they can't even do that...
What do we expect?
Local government as we know it today was largely set up in the 19th century to allow local people to control essential services, such as street lights, roads and basic education. Today it's a multi-billion pound industry - the largest in the country. Management is shared - with varying degrees of inequality - between unelected empire-building CEOs who ensure that 50% of our taxes go on armies of non-essential personnel, and elected councillors, half of whom scarcely know what day it is. More serious decisions are made in the local Lodge than ever in council chambers, and IMHO 50p out of every £1 of council tax is wasted.
The system is out of control, and most councils spend much of their time telling US what to do, not the other way around. And much of what they want us to do is either none of their business or turns out to be what we thought we were already paying THEM to do. Years ago, when I paid 'rates' my payment was low enough that I had to ask my wife what it was - and given the range of services I didn't begrudge it. These days, my council tax is my single biggest monthly bill - and I get shockingly poor value for it. Essential services that used to be a street away are now 40 miles distant, and the only detectable product of many departments are handy leaflets and a range of excuses.
Given that councils are these days effectively allowed to write their own rules as they go along, is it any wonder that their approach to IT is so slapdash? Most council staff I know (and I know a few given my local council is the area's biggest employer) know little about computers beyond basic use of appropriate software - and care even less. I hear horror stories all the time about how insecure their systems are, and how slapdash their security. I once gained access to an entire local library network with the password ... wait for it ... "books".
Despite all this, these days I'm less worried about IT fubars than that we have to trust such people to educate our children and maintain caring and other critically essential services.
As always, actions speak louder than words
"We(I) apologize" is not enough. Without action to remediate the resultant problems and to forestall repeats an apology is just empty words.
In this case, the following actions seem appropriate:
1. If the malefactor acted contrary to well-publicized, established policies, fire her(him).
2. If such policies exist but were not communicated to staff, fire whoever is responsible for the failure to do so.
3. If no such policies exist, fire those having ultimate authority over IT policies.
4. Under all circumstances, give the council head at least six months suspension without pay. His is the desk the buck stops on, so let it actually stop there.
5. If it is demonstrated that an unqualified person was hired to oversee IT security, decimation of HR would seem to be in order as well.
Maybe I've got the details wrong, but the general principle of insisting that overpaid managers take responsibility when things go south would seem to be the Correct Approach.
But I suspect that this incident is due to a less obvious, far more pervasive problem: there are too many IT shops for the number of _qualified_ people to oversee. Hence, a lot of IT operations are overseen by unqualified incompetents. What's the answer to this? I'm really not sure, but hiring only those with MCSE certification is definitely not the way to go.
Maybe it's time for the minister in charge of local government to summon all council heads to London and give them a good dressing down, telling them that they _are_ responsible and that if anything goes wrong in the future, they _will_ lose their position and benefits and they _will_ be blacklisted from any further employment in governmental management, including quangos of all types. Draconian, perhaps, but it's time the overpaid drones in charge be held accountable for what they are in charge of.
Knowing Labour, however, I have no expectation of such a hard-nosed approach being taken.
In France, Mayors ARE responsible...
...and if people are killed in an avalanche/tunnel fire that their 'commune' should have warned about/dealt with then they DO go to prison. I bet that responsibility sharpens their concentration...
Blue Sky Synergies
Heads need to roll from the top. This isn't the fault of IT.
It's a data protection issue that legal, HR and leadership should be involved in, not just dumped on the IT bods to implement, which the leadership team then find an inconvenience, so demand a "work around".
My local council wants to take pictures of the tenants of council housing. It says the images will be stored *safely* and they will have strict controls on who can access them.
Judging by this story I wouldn't trust *any* council with a paper bag containing nothing but hot air!
someone copied the unencrypted data
took the copies home
Why? - compulsive honesty?? - or did someone (presumably senior) KNOW the data had been taken home and/ or copied?
Yep, that sounds likely.
DIG DEEPER - or do I mean higher?