Oops
At work we have automatic notification if an email is sent to an external address - do the police need a consultant?
Police face accusations of incompetence after accidentally emailing a file detailing the results of thousands of criminal records checks to a Register journalist. The author of the email at Gwent Police is now facing a gross misconduct investigation and potential sacking over the incident, which came to light this week. The …
It'd bloody well help increase my bank account if I were to get a wee consultancy gig modding cop systems. And a _second_ gig _unmodding_ them later on after the mods irritated the hell out of a few coppers for a few months. And a third gig putting the mods back on after the _next_ time something of this kind happens. And another gig removing them again once the noise level drops back down to normal background level... Job security in these troubled times, mate...
Oh. You meant that it's not helpful to John Public... Carry on, then.
The police are absolutely right this does undermine my confidence in them. Well done El Reg for taking the decision to publish this, we as the public have a right to know when the police act incompetently and stuff like this should never be covered up.
Did they explain why they felt the need to export such sensitive data into a spreadsheet and email it to multiple recipients? What need was there for 5+ people to have a copy of the requests in this format and is this compatible for the purposes the data was collected for?
Sadly, this does not undermine my confidence in police competence. It just reinforces my present (very low) opinion.
As someone else mentions below, there is a very good chance that this is not an export from their database storage system - it *is* their "database" storage system.
To congratulate you on some nice and responsible journalism. A very embarrassing incident for the police, but you have pointed out the circumstances fairly and made it clear what they have done and the current impartiality constraints they are operating under. (It's called Purdah).
Well done.
Yes indeed, congrats to the Reg for the very responsible journalism. It's comforting to know that when your journalists end up being given confidential information by mistake the first thing you'll do is take a sneaky peek at it.
And then a much longer look to enable you to pull together some figures about people's jobs, statuses etc.
And then write a story revealing a load of that information, albeit not personally identifiable.
But as long as you deleted it several days later it's all good.
I say it is a fault of the system.
If the system had called for the data to be encrypted before it was transmitted, this wouldn't have been a problem.*
How the hell can they think that emailing sensitive information, "in the clear", is ok!!!
Obviously as long as they didn't include the password in the email!
"Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would undermine public confidence in the force, but we declined."
Should have said, "Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would CORRECTLY undermine public confidence in the force, but we declined."
... to not publish until the enquiry had concluded - as long as this was quick (i.e. not more than 3 months).
Worrying that this could happen in all forces as there are no central standards for encryption of such data.
They should keep this information on a secure server - and send the link by email. If you don't have the credentials, the mis-communicated email would be of no use.
Ye gods - thank goodness it was sent to someone who knew what to do about it, and I salute your stance - hopefully it will get some proper data handling in place.
We can't have police forces (or indeed anyone else) expecting silence as a way of covering up mistakes.
I'm starting to like the Conservatives' more open approach, it will hopefully make things like this more transparent.
Right - I'm off to see if it's appeared on wikileaks...
ttfn
It sounds as though once the original error had been made everyone responded appropriately and no-one uttered the dreaded phrase 'lessons will be learned'. The only way to make such mistakes impossible to make is to make the system unusable for its intended purpose, so as long as people 'fess up' and the people who made the mistake are the ones that are punished in some form then there is hope.
OK, not that much hope
But at least they are trying
This is a combination of too much information being held (the stupidly OTT CRB process) and poor information handling procedures. Even IT professionals can cc the wrong person; when you have this kind of information held on a desktop PC that also holds random email addresses, it's an accident waiting to happen.
The solution? Maybe a dedicated system (or just a dedicated PC) for CRB processing. Then, if someone does send out this kind of info, they have clearly circumvented security procedures, and not just made a typo.
Maybe, if they hadn't been warned.
Maybe, if they had done things properly
Maybe, if their IT systems hadn't cost the earth.
then *maybe* I might have some sympathy.
As someone who has worked in IT for 20 years, I can tell you that 20 years ago, I would have been factoring into the system measures to prevent this sort of breach happening then.
IMHO this is gross incompetence from the start. Not that it would have made any difference, but the spreadsheet wasn't even encrypted FFS.
Sweet merciful crap.
Under which provision of the DPA is it acceptable to dump incredibly sensitive information like that into a plain-ol' Excel spreadsheet and fling it across the Intertubes in plaintext by SMTP? Accidental cc-ing of the Reg or not - data like that should simply never find itself being transmitted from point to point using that sort of method. I think it's fair to assume that the coppers here email critical data around like this in plain text all the time though. Utter ineptitude.
"Investigators are blaming human error for the data breach, rather than the system design."
If it's human error, the erring human concerned is the one who implemented the database in such a way that exports like this are even possible.
What conceivable reason is there for anyone needing all 10,006 names? For any sort of management or analytical purpose, the names could be replaced with anonymous codes.
The really sad thing is that how to do this properly IS well understood. I recall reading about how the (1990?) census data was stored, and how queries were processed such that only sufficiently-anonymous extracts were available. (For example, it would give precise answers to questions about large areas, but once the areas were small enough that individuals could be identified it would introduce random perturbations.) How is it that in the last 20 years, things have got worse rather than better? My guess is that the people in charge weigh up the risk of a breach ("could never happen to us") against the inconvenience of properly protecting the data, and make the wrong choice. In fact, is it a case of "VIP Passenger Syndrome"? Were the 5 recipients of this email senior, i.e. more senior than the IT person who might have considered it a bad idea?
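The two points made above, replacing names with anonymous codes and releasing only aggregates that are too coarse to identify anyone, are easy to show in code. The block below is an added example written for this thread, not the census system the commenter recalls and not any police system; the records are constructed, the HMAC key and the release threshold `MIN_CELL` are my assumptions, and the small-cell rule uses suppression rather than the random perturbation mentioned in the comment.

```python
"""Pseudonymised, small-cell-suppressed extracts (added example; constructed data,
not the census system or any police system mentioned in the thread).

Assumptions (mine, not the thread's): a secret key held only by the data owner
derives the anonymous codes, and MIN_CELL is the smallest count that may be
released in an aggregate."""
import hashlib
import hmac
from collections import Counter

MIN_CELL = 5  # assumed release threshold for any one cell of an aggregate

# Constructed sample records: not real people, areas chosen only for illustration.
# "A. Example" appears twice (a repeat applicant) to show that codes are stable.
RECORDS = [
    {"name": n, "area": a, "outcome": o} for n, a, o in [
        ("A. Example", "Newport", "clear"), ("B. Example", "Newport", "clear"),
        ("C. Example", "Newport", "clear"), ("D. Example", "Newport", "trace"),
        ("E. Example", "Newport", "clear"), ("F. Example", "Newport", "clear"),
        ("G. Example", "Newport", "clear"), ("H. Example", "Caerphilly", "clear"),
        ("I. Example", "Caerphilly", "clear"), ("J. Example", "Caerphilly", "trace"),
        ("K. Example", "Caerphilly", "clear"), ("A. Example", "Monmouth", "clear"),
    ]
]


def pseudonymise(records, key):
    """Replace each name with a keyed HMAC code so the same person maps to the
    same code (records can still be linked for analysis) but the name cannot be
    recovered without the key, and a different key gives unrelated codes."""
    out = []
    for r in records:
        code = hmac.new(key, r["name"].encode("utf-8"), hashlib.sha256).hexdigest()[:12]
        out.append({"subject_code": code, **{k: v for k, v in r.items() if k != "name"}})
    return out


def aggregate(records, column, min_cell=MIN_CELL):
    """Count records per value of `column`, releasing a count only when it is at
    least min_cell. Cells below the threshold become None (suppressed)."""
    counts = Counter(r[column] for r in records)
    released = {k: (n if n >= min_cell else None) for k, n in counts.items()}
    suppressed = [k for k, v in released.items() if v is None]
    # Complementary suppression: if exactly one cell is hidden, anyone who knows
    # the overall total can recover it by subtraction, so hide the smallest
    # released cell as well.
    if len(suppressed) == 1:
        remaining = [k for k, v in released.items() if v is not None]
        if remaining:
            released[min(remaining, key=lambda k: counts[k])] = None
    return released


if __name__ == "__main__":
    coded = pseudonymise(RECORDS, b"owner-held-secret")  # constructed key
    print(coded[0])
    print(aggregate(coded, "area"))      # Newport released, the two small areas hidden
    print(aggregate(coded, "outcome"))   # one small cell forces a second suppression
```

Run on the constructed records, the area breakdown releases only the Newport count, and the outcome breakdown releases nothing at all: the two "trace" results fall under the threshold and, being the only hidden cell, would be recoverable from the total, so the "clear" count is withheld too. The management reports the commenter describes can be built entirely from the pseudonymised rows and these aggregates; the names never need to leave the system.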
Not just Novell either.
Anyone in business these days knows the value of having a name that shares the first name and first few characters of the surname of that of someone seriously important. You can build a career out of being seen as someone who really knows what's going on, when actually all you're doing is reading all the high-level stuff that's being sent to you inadvertently.
Autocomplete in a widely used MS email product FWIW.
Ah. I understand the "Coward" bit of remaining anonymous now.
I suspect that this is _exactly_ the case. Odds are that their entire 'database' is merely a Very Large Excel Spreadsheet. Many years ago I spent literal months building a 'database' in Excel which was a bunch of linked spreadsheets, some of which were originally Lotus 1-2-3 or Borland Quattro spreadsheets translated to Excel format. (And those who recognise the names, yes, it was that long ago.) I was under the direct orders of the MD to do this, despite recommending that perhaps a real database system would have been preferable. A real database system would have 'cost too much'.
They acted appropriately?
They threatened to fire the minion that had been told to email the data.
Not the bosses who picked the system without thinking of the problems, or who allowed data like this to be emailed around in clear, or didn't look at backup plans like detecting outside email addresses, or having a separate secure system for this type of mail.
It was PC idiot wot did it, so fire him.
"Investigators are blaming human error for the data breach, rather than the system design".
But the human beings who operate the system are part of it. If a human operator makes an error of judgment, that is every bit as much a failure of the overall system as a hard disk crash or a programming oversight. The alternative - to exclude the human element from the system - is absurd, as virtually all systems include human elements who can easily make them fail.
Of course the people who are responsible for the system (and who earn really, really big bucks on account of that awesome responsibility) like to think that they can blame anything that goes wrong on the pondlife* who do the actual work. But it ain't so - they, the big cheeses, are equally responsible for hiring and firing the pondlife, and for motivating it, giving it adequate rest breaks, and generally making sure it performs up to specification like every other system component. Gee, if they are really concerned about its performance, they might even go so far as to try talking to pondlife occasionally. You can learn a surprising amount of useful stuff that way.
*Disclaimer: don't get overwrought about my use of this simple vivid term. I am pondlife myself, and very proud of it.
I would have hoped that an organisation responsible for a great deal of sensitive information, some of which could put people's lives at risk, had some kind of DLP system deployed on their email system. It's quite simple to check outgoing email for a tag like 'NOT FOR EXTERNAL DISTRIBUTION', and hold it for authorisation before sending to external addresses. Such measures are becoming increasingly common in business where fines, loss of business and reputation are at stake.
just put a block on any outgoing unencrypted documents/ spreadsheets/ databases, even PDFs attachments on emails...?
Having the right type of service and filters can very easily stop this. People make mistakes, very stupid ones but still mistakes. A simple setup to stop outgoing unencrypted documents/ spreadsheets/ databases would stop this and sender can be notified. Whoever did the initial system design, didn't do a very good job of it (or perhaps it was the lack of financing!)
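The three comments above describe the same outbound-mail gate: spot external recipients, hold tagged messages for authorisation, and stop unencrypted data files leaving at all. The block below is an added example of that policy check written for this thread; it is my own code, not any DLP product's and not Gwent Police's system. `INTERNAL_DOMAINS`, the rule that an attachment counts as encrypted only when it is a PGP part or carries a `.gpg`/`.pgp` name, and the sample messages are all my assumptions.

```python
"""Outbound e-mail policy gate for a mail relay (added example; my own code,
not any product's DLP and not Gwent Police's system).

Assumptions (mine, not the thread's): INTERNAL_DOMAINS defines "inside"; an
attachment counts as encrypted only if it is a PGP part or carries a .gpg/.pgp
name; data files (spreadsheets, databases, CSV, PDF) may not leave unencrypted;
a message tagged NOT FOR EXTERNAL DISTRIBUTION going outside is held for
authorisation rather than sent."""
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"police.example"}            # assumption
MARKER_TAG = "NOT FOR EXTERNAL DISTRIBUTION"      # tag quoted in the thread
DATA_EXTENSIONS = {".xls", ".xlsx", ".ods", ".csv", ".mdb", ".accdb", ".pdf"}
ENCRYPTED_EXTENSIONS = {".gpg", ".pgp"}


@dataclass
class Verdict:
    action: str                               # "allow", "hold" or "block"
    reasons: list = field(default_factory=list)


def external_recipients(msg):
    """Every To/Cc/Bcc address whose domain is not in INTERNAL_DOMAINS."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return [addr for _, addr in pairs
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def _extension(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def unencrypted_data_attachments(msg):
    """Filenames of data-file attachments that are not encrypted."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if part.get_content_type() == "application/pgp-encrypted" or ext in ENCRYPTED_EXTENSIONS:
            continue
        if ext in DATA_EXTENSIONS:
            found.append(name)
    return found


def has_marker_tag(msg):
    """True if the subject or plain-text body carries the distribution tag."""
    text = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content()
    return MARKER_TAG.lower() in text.lower()


def check_outbound(msg):
    """Decide allow / hold / block for one message; block outranks hold."""
    outside = external_recipients(msg)
    if not outside:
        return Verdict("allow", ["all recipients internal"])
    verdict = Verdict("allow")
    if has_marker_tag(msg):
        verdict.action = "hold"
        verdict.reasons.append(f"tagged '{MARKER_TAG}' but addressed to {outside}")
    bad = unencrypted_data_attachments(msg)
    if bad:
        verdict.action = "block"
        verdict.reasons.append(f"unencrypted data attachment(s) {bad} addressed to {outside}")
    return verdict


def _message(to, cc=None, subject="", body="", attachment=None):
    """Constructed test message; attachment is (filename, MIME subtype) or None."""
    m = EmailMessage()
    m["From"] = "analyst@police.example"
    m["To"] = to
    if cc:
        m["Cc"] = cc
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        filename, subtype = attachment
        m.add_attachment(b"constructed file bytes", maintype="application",
                         subtype=subtype, filename=filename)
    return m


def mistyped_cc():
    # The thread's scenario: spreadsheet to colleagues, one Cc autocompleted to an outsider.
    return _message("dcs@police.example", cc="reporter@newsdesk.example", subject="CRB requests",
                    body="As requested.", attachment=("crb_requests.xls", "vnd.ms-excel"))


def tagged_to_outsider():
    return _message("counsel@lawfirm.example", subject="Case notes",
                    body="NOT FOR EXTERNAL DISTRIBUTION\nSee encrypted file.",
                    attachment=("notes.pdf.gpg", "octet-stream"))


def ordinary_external():
    return _message("supplier@vendor.example", subject="Invoice query", body="Please resend invoice 42.")


if __name__ == "__main__":
    for build in (mistyped_cc, tagged_to_outsider, ordinary_external):
        print(build.__name__, check_outbound(build()))
```

The mistyped-Cc message is blocked before it leaves and the sender can be told why; the tagged message to outside counsel is parked for someone to authorise; routine external mail passes. The point the commenters make is that this check needs no knowledge of the data itself, only of who the recipients are and what kind of file is attached, which is why it catches a typo rather than relying on the typist.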
Why the hell would anyone export over 10k records anyway? If you need a secure method, surely you would have a more secured centralised SQL server for the police force to access confidential data from?
"If you need a secure method, surely you would have a more secured centralised SQL server for the police force to access confidential data from?" -
you don't mean like a "database"?! I have reservations about the amount of information the state may be keeping on me in various databases, but I always assumed (somewhere in the back of my mind) that they were actual *databases*, only accessible by certain people that had been vetted and trained to use them. Not some poxy spreadsheet that gets cc'd to all and sundry.
damage confidence in the police?! - damage confidence in the whole damned system more like...
Once again, the "Ooh, I'll e-mail you the data as an Excel file!" workflow of the Wintards bites someone in the behind. Either some time previously or at some point in the future, when a migration away from the usual mish-mash of Excel plus "bespoke" (in other words, "shitty ad-hoc") macros is suggested, everyone will have been (or will be) up in arms about the replacement not being as shiny: "Where'd that lovely dog/paperclip/ribbon go? I want my Brand M!" <stamps foot>, followed by later whining about needing training for the next iteration of Windows/Office.
And it'll be back to banging the rocks together and umpteen copies of confidential spreadsheets littering the "network shares" and various hard disks, to be seen in an eBay auction near you.
...should be re-assured that I, for one, have greater confidence in them today than I had yesterday. Why? Well...
Yesterday, I took it as read that such incidents occur but nothing will actually change until someone *really* screws up. Today I read that someone has screwed up and the senior decision makers are red-faced. Therefore, it is likely that sensitive data is safer today than it was yesterday.
«Today I read that someone has screwed up and the senior decision makers are red-faced. Therefore, it is likely that sensitive data is safer today than it was yesterday.»
Wrong assumptions lead to wrong deductions.
1) You assume that they care and thus are going to do something about it. WRONG. They ignored the issue before ("won't happen to us") and they will most likely continue ignoring it ("can't happen twice")
2) You assume that they have the technical ability and the cash to plug the hole. WRONG. This kind of incident proves that the system is fundamentally flawed. Even if they did actually want to fix the system it would take a complete audit and redesign. Which they probably don't know how to do, and they couldn't afford to anyway.
Only thing that will happen will be a couple memos reminding everyone to check their emails' recipients list twice, and that's it.
Alas, this is just another example of a condition known as "Spreadsheet Blindness" where all critical thinking ceases as soon as data is entered or imported into a spreadsheet. Spreadsheets are an amalgam of data and application logic and presentation, yet data integrity, security, consistency and versioning are ignored; complex application programming is undertaken with no design, and put into production without any structured testing.
So we end up with financial and personal information being managed by the emailing of spreadsheets: these are deemed to be authoritative data by the recipient with no consideration of their provenance, and disseminated with no consideration of basic data management.