A local authority has lost an unencrypted memory stick with details of children's and young people's mental and physical health as well as their ethnicity, privacy watchdog the Information Commissioner's Office (ICO) has said. The details, said to be of 'a handful' of children, would be available to anyone finding the memory …
No, I don't want to hear "tightening" of security, as if this was the first time this happened, and lessons are to be learned.
Screw that, this kind of thing has happened over and over. Jesus Christ. Truecrypt would solve this. Hardware-encrypted USB sticks would solve this. Also, stop losing your stuff.
not sure why I have to specify a title for a reply...
Threatening some IT execs with jail if their organisations don't buck their ideas up would help, too
If only they were using this
What about the health info for the encrypted children?
did they lose that lot too?
You beat me to it!
Memo to all staff: losing unencrypted data is now a 'Gross Misconduct offence'.
FFS, How hard is it?
I'm building a new banking system right now and I'm considered paranoid by some of the other people in the team because I encrypt everything in case it's lost - to the point where I've decommissioned my old encrypted USB stick because I discovered the software-based ones have been proven to be trivial to crack.
Some of them even use MacBook Pros, which don't have any kind of encryption. I had to look up how to set up his screensaver to be password protected.
Why is it people only think it's a problem once it's already happened?
Just because you are paranoid doesn't mean they aren't out to get you.
Yes it might be viewed as paranoid to encrypt everything but for a trivial amount of effort you are preventing a MAJOR problem if the data were to be compromised.
Well done Sir Runcible Spoon - you may now eat some slices of quince.
No encryption on MacBook Pro?
All Macs running Mac OS X have had FileVault as standard for the last few years. Granted, it's not 'one-click simple' but it's pretty damn close.
As for 'I had to look up how to set his screensaver to be password-protected', again a really easy tick in the Security Preference panel, or did you not consider looking there?
Somebody needs some training and a clue, and it's not just your staff!
FFS, how hard is it?
You've made a couple of incorrect assumptions there me old cowardly chum.
1. I've never used a Mac - the chap in question obviously does - my point was that he didn't even lock his screen when afk and logged in to routers in enable mode - so anyone could come along, type reboot and fuck up a lot of work that other people are doing.
2. They aren't my staff - I'm just a contractor working with other people.
3. Why the fuck would I want training on Mac OS X? It isn't like I'm running a printing firm or something.
...the weakest link in the chain is the fleshy thing betwixt the keyboard and the chair.
Until there are criminal proceedings for data loss, data security will continue to be something that organisations only pay minimal lip service to.
SACK them! with NO golden handshake.
They have been told enough times already.
Another limp-wristed whitewash does NOT send the correct message to the thousands of public service employees who are still failing to safeguard other people's data.
no golden handshake?
How about a golden shower?
Won't someone think of the children!
God, I hate this "Oh it has to do with children it's so much more important than normal" thing going around at the moment. They lost data, it doesn't matter if it was children, adults or dogs for all I care. It shows a lack of training and understanding of security principles for which they should be punished.
To quote Bill Hicks:
"So the moment they're over a certain age, they're off your f*cking love list?"
Trust is an expensive word
When implementing these policies there must be no wiggle room. People will always use the simplest method, particularly if they've been doing it since day dot. If staff have to use encrypted devices then systems must be put in place to prevent non-encrypted devices from working.
Pathetic response from the ICO
Idiot me once - retrain.
Idiot me twice - the boot and legal prosecution.
"The incident is the second to be reported..."
And if you do it again, we'll speak to you even more sternly!
Bloody Truecrypt Fanbois....
Why do people bang on about Truecrypt whenever the issue of portable media encryption comes up?
Truecrypt is pretty much useless for portable media encryption in any kind of managed environment with "real" users - unless the USB keys never leave your site (in which case, why allow them at all?) For an indication of how useless it is read "http://www.truecrypt.org/docs/?s=non-admin-users" where they even insist it is safer to work on sensitive data as an administrator than as an unprivileged user(!)
Sure, people like the readers of this site will be able to deal with the complexities and security issues but you are dealing with people here who don't understand or care about security. They just want to finish the spreadsheet so they can go back to watching Eastenders or Big Brother or whatever brain rot fills their life.
Far easier and cheaper in the long run to go with one of the hardware encrypting solutions - Sandisk or Ironkey maybe, combined with a USB port filtering and control implementation. All the time the anoraks keep banging on about the "free" and "easy" Truecrypt, real admins will have a harder time getting budget for proper, industrial grade solutions.
Wow. like 1 post here mentions truecrypt (as well as other solutions, including hardware) and we get a rant about "fanbois." Does someone need to up their meds?
I work on a large facility where Truecrypt was the best (cost effective, secure) solution. It won't fit every situation, but for the needs here it was perfect. Moving data between airgapped networks, but keeping the drives on-site for their lifespan can't be that uncommon.
Would I use it elsewhere? Probably not.
Likewise, when you need to purchase 1500 USB drives, Ironkey becomes a bit of a business cost....
Stuck at zero error
Surely the best and simplest method is glue in the USB ports. No tricky software to configure, no vast expense of licenses and support contracts - just a box of Uhu. Other glues are available.
Why? Well, why does the slacker who lost said stick feel the need to walk around with 5 year old data in their purse/pocket/lunchbox? The answer is they don't. Legislation and rules or even laws can't stop people behaving like idiots or doing stupid things, so forget them and avoid all possibility in the first place.
Where is the fine?
So much for the ICO getting tougher.
However, if the council were to be fined, who would actually suffer? Would the loss of income result in reduced public services or increased council tax?
At the end of the day, the current system allows them to avoid anything except a bit of bad publicity.
My solution: fine the leader of the council personally unless s/he can show an unbroken trail where they instructed (and provided the resources) their subordinates on how to handle the data properly. If they have that, work down the chain until you hit the person with no documented evidence and hang an "up to £500k" fine on them.
Next, we need to work out how to force commercial organisations to report each and every data loss so we can get an idea of just how bad they are..........
Cryptography doesn't solve problems.
I didn't realise losing unencrypted data was still newsworthy.
What is news, is lost encrypted data, secured by a weak password.
Cryptography doesn't solve problems.
Quoth the codger: "Another limp-wristed whitewash does NOT send the correct message to the thousands of public service employees who are still failing to safeguard other people's data."
Oh, shit, not that crap again! Howsabout let's stop "sending messages" and use the language to state unambiguously the objective?
Whatever the means used to communicate it, it's clear that "the correct message" isn't getting through to the working level. I wouldn't be surprised if it gets lost in a cloud of bureaucratic instructions that working level employees simply don't have time to deal with. Where I used to work, they had a policy and procedures manual a good 4" thick, but only managers had a copy and the grunts had no idea what it contained. Bury an important objective in a tome like that, and no one is going to even notice.
Time, perhaps, to revert to sending each employee (including dimwit managerial types) a personally addressed letter from the Big Boss stating in as few words as possible what's required. Send it by Royal Mail to their home addresses, too, so it's clear it's not just more bafflegab from HR.
Which leads me to wonder if maybe it's HR departments and their bureaucratic ways that are the real stumbling block. Oh, yippee, a chance to screw over the useless twits in HR!
now up on eBay
On data stick. All you paedos start bidding.
Why use sticks at all?
Why are councils using USB sticks anyway? If they're working on council computers they should be on the council network so no need to sneakernet data. If it's to take data home then they shouldn't be. Simple as.
Sack anyone found using a USB stick. And I'm pretty sure there's software out there to disable USB ports for all but keyboards and mice.
Paris, 'cos she hasn't disabled any of her ports.