It’s scarcely unusual. You’re preparing an email, you start typing an email address, autocomplete fills one in for you, and then you may or may not notice as the email speeds off that it’s going to someone entirely different from the intended recipient. If the email includes personal details of 10,000 people and the person you’ …
I don't hold out a lot of hope for government, police or even security organisations taking appropriate care of personal data. I've just completed an on-line process for registering with a government service which holds personal data about me. The account details, including my password in plain text, were automailed back to me at the end of the application process.
Gets my vote El Reg
Yes, a good analysis of a disaster waiting to happen at some systematic level probably because there were no other (workable?) ways to share information.
And yes, you are quite right in observing that sending unencrypted stuff by email is really another way to compromise data. Were the file encrypted it would still be a bit daft and tempting providence to send it by email.
Perhaps it was exported or copied and pasted (?) from a source file, and that also suggests that control parameters are not working as they should.
We Have the Technique/ology
The US NSA has been doing this for decades. The amount of information they process dwarfs anything a civilian organization could ever hope to deal with, yet it never leaks.
The only things that leak from the NSA are rather small (although often destructive) bits of information from time to time. Usually followed by a quick and usually productive (though sometimes quite tardy) investigation and conviction.
This isn't difficult
Seriously - you have a central database on a server somewhere and give anyone who needs access to it a remote logon via a secure link (VPN etc.) This way you have a fighting chance of controlling who gets access to the data due to individual logons. No data needs copying or posting anywhere then. OK, there'd be a training overhead but there SHOULD be one in any case.
We use this method at the company I currently work for. OK, it's not a government-sized database (it's not small though), but the concept is easily scalable.
What goes in comes out
1. Government needs a reliable system for distributing confidential info (which they don't have)
2. At this rate the bad guys will know more about us than we do ourselves resulting in ever more tedious security checks at every turn. Indeed they should stop collecting this stuff until they can actually look after it properly.
It won't result in tedious checks, it'll result in a lack of confidence in the checks and data held by government.
When people refuse to be a part of the broken system (investing in safety deposit boxes for cash instead of bank accounts for electronic money etc.) the system will change, because those who monetise it will become bankrupt or face significant changes.
"We're not suggesting the private sector's data handling will be any worse than the public sector's (au contraire…),"
Au contraire or not, the fact is if a public sector entity outsources data-handling to a private sector entity, then the attack vector/leak vector/fuckup vector surface immediately more than doubles - now you have two entities that "need" access to the data instead of one and also a communications channel to lock down. That together with any possible mismatch in protocols between the players leads to a "when" rather than "if" scenario for leaked data.
I've long been of the opinion that personal data should be considered private property and licensed on an individual basis for organizations to use, with an expiry date mandated by law, renewable by explicit consent. Kinda like copyright, but acting in the interests of individuals rather than against them. Further, any and all organizations - private or public - that require to use this kind of information would themselves need to be licensed on a term basis subject to complying with certain data-protection criteria. No licence, no data - tough luck.
If it seems convoluted and difficult to implement, compare it to the problem of trying to keep a rein on ever-expanding and more-or-less inconsistent datasets bouncing back and forth between an ever-growing number of keepers.
You Mean Like an SLA?
I would LOVE to bind my software vendor to a EULA like they do for me. They would be the ones responsible for it, as their software would often be the collection point for the data.
I'd love to tag my data (I sort of do this now, with Spamex), and find out which rat leaked it.
Copyright, since 1710 when the first UK law regarding it was approved, has always been about the rights of the consumer. "Copy" "right", i.e. the rights of the consumer for the copy of the work which they own. It's only recently that big media has forced a model of recycling old media and major political lobbying into the mix to turn the situation on its head, and turn copyright law into mandated artificial scarcity and outright abuse of all entertainment media.
Still, we're off-topic.
Agree with the property/lease idea. The basic tenet is that people must have full control over their personal information, and the infrastructure to make that happen must be a fully integrated service the government offers its citizens.
That means mutual authorization/authentication/et cetera, keep a log of who wanted to know what, provide for some sort of "document pouch" that can contain all sorts of different "folders" for different purposes (credit history, criminal records, medical records, any other purpose you could think up) with consent-based access and, in certain cases, overriding-concern keys so that, e.g., emergency medical personnel have access to the medical details.
Everything encrypted and all that too, of course. Such a system must also provide for artist aliases except perhaps for persons that have abused them previously. When the government stops trying to control the populace by sticking everybody in neat boxes of their bizarre and disconnected designs and instead starts thinking in terms of facilitating infrastructure for its citizens that only cares about the things that actually matter to its people, empowering things can happen.
It also means very careful consideration and then reduction to the bare minimum of who needs to know what, when. To help that along and amaze even further how little information you really need as long as it is the right bit of information, consider "zero knowledge proofs". Using that I could, say, prove I'm old enough to do something that requires a certain age (like, oh, buy alcohol or learn how to drive) without divulging as much as the year of my birth, never mind name and all the rest as is the case now.
The math and the technology to do all that we already have. Visionaries in the right places to give us these wonders we have not, and we are not likely to ever get with the current governmental system, never mind the current incumbent party and their attitudes and issues. Carry on, government.
An old problem
I suspect that a large part of the problem with IT data security is with ad hoc analysis - slices of more data than is necessary to do the analysis being manipulated on local files and then being emailed for review, emailed back with changes etc etc ad nauseam.
It would be interesting to know in these cases whether the tools and training to do it any other way have ever been provided. Some initiatives in that direction might eventually work wonders. Such as storing files on the network (with appropriate permissions, natch) and not taking this kind of work home with you on your laptop.
Most breaches have seemed to be of the "I didn't know any other way to get my job done" variety.
The HMRC one was more a case of "the outsourcing contract would have made it phenomenally expensive to anonymise the data like the NAO asked so we didn't bother"...
Good call el reg
A well thought out report. Hats off to the Reg for handling the breach in a constructive and responsible manner. If it was one of the shitrag tabloids they would have shunned their obligations to get a story out of it.
A possible direction for the solution
It may be possible to have access to the data by VPN into a server, and each group (consisting of usernames) has an allocated access control list. They can only access it via VPN on a secure web browser, and they must log in via the web browser to view a restricted version of the list.
This is how I would implement it. This way, it will be difficult to have the data going on walkabouts and will restrict the information to what is really needed.
If anyone looks up your records in Estonia, a record is kept. You can go on-line and use your ID card to check who has looked at your records, when and where.
@We Have the Technique/ology
Preventing secret info getting out of a secret organisation is trivial.
The problem is preventing it leaking when the police, social services, the LEA, the school, 87 different levels of government all have to share data on people - but because of 'security' they can't be connected together.
The obvious and easiest solution of course is to criminalise accidentally receiving confidential data - then there won't be any more leaks, or at least none will be reported - which is the same thing.
El Reg as a police state tool?
I've always wondered why, whenever Firefox works at loading the Reg pages that I want to see, nir.theregister.com pops up in the status bar; is this, possibly, a silent assault on our freedoms?
What, government can't have an oops once in awhile?
We here in the US have had quite a few oops: Iraq, Afghanistan, allowing the government to take over 1/6th of the economy.
What's a little privacy invasion? I'm sure the UK gov meant well.
Problem is when the public sector has an oops moment someone usually (unless it's Wall Street or a bank) gets canned or the company goes tits-up altogether. In US government you get promoted for screwing up.
Failing upwards, it's the government employee way.
Where's Sean Penn when you need him to tell El Reg to publish only favorable government related articles.
Kind of scary. I get emails from a guy with the same name as me, he's an American. I get the emails rather regularly from various people. I've conversed with a few people trying to get in touch with him. The emails have painted a picture of this guy in my mind, and google filled in the rest. It's funny because he seems to lead a life totally unlike my own. But sometimes I get his newsletters too. American political stuff. I know it's him because they match his state. So as a result, my Google Mail ads are all US political stuff. I dare say I've also received legal documents on occasion, that I can only guess are meant for him.
Sure would suck to have the same name as a terrorist, hey?
We're from the Government....
Perhaps they should be using
BitTorrent to distribute the private data.
Public vs Private
"We're not suggesting the private sector's data handling will be any worse than the public sector's (au contraire…),"
This is one of those things that could be true but we have no way of knowing. Government agencies are required to report data breaches and *tend* to do so no matter how damaging. Private sector organisations are under no compulsion and can, in theory if not in practice, go to any lengths to cover up the news they have fsked up.
Added into the mix - nearly all public sector organisations outsource handling this data to private organisations, yet the fuck-ups still happen; it's just the public organisation that bears the blame and shame (not always a bad thing).
Every day we surrender large amounts of our personal data to businesses and government departments in the crazy idea they will look after it properly. They have no real reason to do so and even the ICO's 500k fine is little more than a paper tiger.
If you give your hairdresser your name/address/phone number and they allow this to fall into the public domain can you take action? Would the ICO bankrupt them? Un-bloody-likely. What about Tescos who keep sending clubcard statements to my house about a complete stranger? Even the estate agent who manages the rental has sent me personal documents relating to other people "by accident."
The main difference is the scale. Few businesses hold the sheer volume of data that the Government do, so a breach is going to be deemed less newsworthy, but if your record is one of them it doesn't matter if 1 or 1 million are lost.
It'll keep happening
until the managers and senior managers responsible for the departments where the leak(s) occur are held personally responsible for the leak.
Don't just 'move them sideways', jail them. These departments are THEIR responsibility and that's why they get the huge pay packets. Now make their responsibility mean something.
Without a real and USED procedure / process for the allocation of managerial blame nothing is going to change.
Re: THEIR responsibility
... but I thought the whole point of government was to distribute responsibility to the point that NO ONE can be blamed?
To err is human,
To really %u*& things up you need a computer.
So far as outsourcing goes, well, it depends who you use really; in the end it comes down to this: if you pay peanuts and employ monkeys, then you deserve what you get. Some of us outsourcers know a thing or two about implementing tight IT security; however, we don't do it for free. Security device manufacturers charge a massive premium for devices, which we have to pass on to clients.
Virtually all government contracts ask for comprehensive security measures, but when it comes to paying for them, it's another matter. Treasury likes to buy on price, so when up against the budget outsourcing shops, go in with tight security, and you lose.
Where security really is a key decider, even the budget boys have to come to a limited number of companies that know how to do security and do it well.
Oh, and there are separate eMail systems for classified material, just that often people are too lazy to use them, don't have time, or consider the risk of interception to be low. Organizational dynamics play a part as well, it's very easy to criticise from the outside, but quite often it's not the source that's at fault, but the levels above, who want information, but don't want to be bothered with the security.
Up next - autocomplete list poisoning attacks.
There is NO reason for this spreadsheet to exist.
If someone is privileged enough that they are allowed to see data like this then the system the police use should be set up to allow them access -- e.g. VPNing in with tied down credentials to view only the database snapshots they are allowed to see. Otherwise, any personally identifiable information should not be held outside the database -- for testing purposes and the like fake data should be used.
This comes down to:
If you can't keep data safe, then you shouldn't keep it at all.
If you can't share data safely then it should not be shared until you can.
For data such as this to be leaked because someone said "Well, since we have no other way we'll just send the data out on a spreadsheet" is just plain wrong. Police management should go to jail for this -- this is criminal negligence along the same lines of "well, I was pissed but I couldn't afford a taxi so I drove home".
happened to me too!
In an earlier life, whilst online-dating a German girl (who was happily married - but that's another story), I sometimes whiled away the evening chatting to Silke and her Swiss friend Margeriet.
Next thing I knew, I'd been added to Margeriet's mailing list for her work (Millip Phorris?) - and started receiving pages of planned political lobbying activity and detailed campaign details about how to bypass this, circumvent the other. Like an idiot, instead of selling this to "The Scum", I politely informed the lady and forgot all details. /names have been changed to protect the innocent/.
False senses of security
I do wonder if many people are aware of security issues associated with emails both internal and external to the organisation?
How many people in your (general term really) organisation have access to email servers and what level of access do they have?
Same with data management: whether the details are highly or loosely confidential, what audit trail is maintained?
I knew one organisation that used a systematic approach along lines of standard admin logins with password constructed X...X10 where the number is double digit year and X...X did not vary.
Of course sys admins could say: I didn't disclose the user/pw but merely said it has changed twice since so-and-so had privileges removed.
How many CEOs or senior officers have had their emails read by sys admins or engineers with nothing else better to do?
If they took us seriously...
... then requests for our private personal data would not be dealt with casually by someone creating a report and then emailing it without even checking the TO: line before pressing SEND.
Instead, there would be a procedure (as detailed by other comments in this thread) which would log every single request for private data, double check every aspect of it, and make it hard enough to get that there would have to be a bloody good reason. Imagine, just f'rinstance, it were Gordon Brown's data instead of your and mine...
Automated Features For The Technically Challenged...
To many of us in the IT field, these are not features. They are bugs. ;(
Sigh. . . . . End-Users!! AAAAArg!
Abuse and PR?
Found myself on a list of people overseeing a new Abuse (as in physical abuse) campaign... was kinda shocked to see the kinds of language being used in trying to write the campaign.
Thankfully I asked just once to be removed and they did so. Can't imagine how a PR agency and .gov accounts got my email address.
Aren't there systems that handle this?
Doesn't Lotus Notes provide the necessary management for this type of data, where instead of supplying the data you provide a template and any necessary token rights, and the users' rights within the system determine the data the tokens will provide for viewing? That way the data isn't shown to anyone that isn't authorized to view it. I was thinking that was the software a company I used to work for used to share inventory, sales and technical information with its distributors.
There is a system. Kind of.
If you've ever had to email a police officer you will notice that their address will be something along the lines of:
The 'pnn' indicates that this address is part of a secure email network. It has different identifiers in different organisations (gsi, gcsx etc) but I believe it's all part of the GovConnect program. One big secure email network that public authorities can have that ensures that this type of stuff doesn't go walkabout.
Unfortunately, it's only secure if both sender and recipient are on the network (something that even the police forget sometimes) and it doesn't mitigate against stupidity (blatantly). Surely it's possible to restrict the information that can be sent to a non-secure email? The removal of autocomplete is a good step, but some flag along the lines of:
'You're about to send this (huge amount of highly confidential) information to a non-secure email address. Are you sure?'
...wouldn't go amiss. Or am I asking too much?
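One way a mail client could implement the flag this post asks for, as an added example that is not from the thread or from any real GovConnect client: every To/Cc/Bcc recipient is checked against a list of secure-network domain suffixes (the suffixes below are assumptions built from the pnn/gsi/gcsx identifiers the post names, not an authoritative list), and a protectively marked message addressed outside that network is blocked rather than merely confirmed.

```python
from email.utils import getaddresses

# Assumed secure-network domain suffixes, built from the identifiers the post
# names (pnn, gsi, gcsx); a placeholder for whatever authoritative list applies.
SECURE_DOMAIN_SUFFIXES = ("pnn.police.uk", "gsi.gov.uk", "gcsx.gov.uk")


def is_secure_domain(domain):
    """True if domain is one of the secure-network domains or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in SECURE_DOMAIN_SUFFIXES)


def recipients(headers):
    """Flatten To/Cc/Bcc into (header, address) pairs, discarding display names."""
    found = []
    for h in ("To", "Cc", "Bcc"):
        value = headers.get(h, "")
        if not value:
            continue
        for _name, addr in getaddresses([value]):
            if addr:
                found.append((h, addr))
    return found


def check_outgoing(headers, protectively_marked):
    """Classify an outgoing message before it leaves the client.

    Returns {"action": "send" | "confirm" | "block", "insecure": [...]}.
    Every recipient, Bcc included, must be on the secure network; an address
    with no domain part counts as insecure. A protectively marked message
    (a spreadsheet of personal data, say) is blocked outright; an unmarked
    one gets the confirmation prompt the post asks for.
    """
    insecure = []
    for header, addr in recipients(headers):
        local, at, domain = addr.rpartition("@")
        if not at or not local or not is_secure_domain(domain):
            insecure.append(f"{header}: {addr}")
    if not insecure:
        return {"action": "send", "insecure": []}
    return {"action": "block" if protectively_marked else "confirm",
            "insecure": insecure}


def prompt_text(result):
    """Wording shown to the user for a 'confirm' or 'block' result."""
    if result["action"] == "send":
        return ""
    who = ", ".join(result["insecure"])
    if result["action"] == "block":
        return f"Blocked: protectively marked content addressed outside the secure network ({who})."
    return f"You're about to send this to a non-secure email address ({who}). Are you sure?"


if __name__ == "__main__":
    # Constructed sample: autocomplete has put an outside address in Cc.
    sample = {"To": "PC Smith <smith@met.pnn.police.uk>",
              "Cc": "Joe Bloggs <joe.bloggs@example.com>",
              "Bcc": "audit@hq.GSI.gov.uk"}
    print(prompt_text(check_outgoing(sample, protectively_marked=True)))
```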
Why should there be any need to attach anything to an email within a security-type organisation?
Source files or extracts from them could be server based with links that require login and credentials.
The importance of one. There should only ever be one source document, no copies allowed, only accessible by audit observable means.