DOH! Housing contractor loses unencrypted stick down the pub

A contractor who lost an unencrypted memory stick with confidential data during a visit down the pub has landed two London housing bodies in trouble with data privacy watchdogs. The memory stick contained details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association. More seriously, 800 of the …

COMMENTS

This topic is closed for new posts.
WTF?

contractor?

I'm having trouble imagining what job this contractor was doing that would require putting the names, address and bank account details of 26,000 people on a stick.

10
0
Anonymous Coward

There's no such job

As usual it was more convenient for the contractor to drop the whole database on the stick than it was to just get the details s/he needed. Just like it was more convenient to use an unencrypted stick than an encrypted one. And it was more convenient to keep the stick in a pocket than securely locked in a car or the office.

The trouble is that most people know what they should be doing, but let their personal convenience override that. People are lazy.

6
0
FAIL

sigh...

stupid is as stupid does...

An e-petition to bring back the stocks for people like this?

Not forgetting the management team that allowed it to happen of course

4
0
Mushroom

who was the contractor

It's all very well naming and shaming the housing authorities but which numbnuts contractor lost the stick in the pub?

Regardless of the policy of the housing association (or lack of) how dumb is the contractor for not encrypting it him or herself?

3
2
Unhappy

Encrypting it himself

People can't be bothered to create certificates to sign (and later encrypt) e-mail, even when generally trusted CAs give them out for free (StartSSL and Comodo).

Most people working in IT can't be bothered to encrypt company data on their laptops and you are surprised that a typical suit couldn't be bothered?! Are you sure you're not a slider or some such?

(Also, I know that trusted CA =/= trustworthy CA; it's still better than sending sensitive data in clear.)

0
0
Anonymous Coward

Double Standards?

Is this another example of the ICO's double standards? They are only too happy to name and shame and even fine public bodies, but scared witless of doing anything to private companies.

There is absolutely no reason why a private company should have data protection standards which are lower than those for a public body, but the ICO seem to believe that there is.

2
0
Silver badge

Call me Mr. Naive, but...

I know we have all this stuff about data protection and so on, but what is so secret about bank account details? Every time I pay by cheque I give a piece of paper to someone, who I probably don't know, which contains my name, bank a/c no and sort code, and a copy of my signature. Quite possibly if I have posted this information the covering letter includes my address.

Similarly all my invoices contain details of my company bank a/c.

All the recipient can do with this info is to pay money *into* my a/c - and I have no problem with them doing that.

0
0

not quite

I think Jeremy Clarkson made a foolish attempt to say the same thing and published his bank details. He was later left £500 short after funds were donated to a charity for his foolishness.

http://news.bbc.co.uk/1/hi/7174760.stm

4
0
Stop

Are you confident enough to test your theory here?

If you believe the info can only be used to pay money 'into' your account, then post your bank details on this forum - no risk right? I mean - it's not like that information is enough to complete a direct debit or standing order or anything - which to my recollection take money OUT of your account.

I refer you to the title of your own comment.

1
0

how do they know...

Can they be sure it went from pub floor to police without anyone taking a copy first?

4
0
Silver badge
Unhappy

Fortunately it's impossible to know whether anybody copied the contents*

Thus it becomes clear - if an eeevil person ever finds data that they want to steal, they should simply copy it and then hand it in to the police.

The ICO, the data holder and everyone else will then believe that no data was stolen at all and they can go ahead with their evil plans with no risk of discovery.

Because data can't be copied, right? Copying 26,000 electronic records from a USB stick would take several days to copy, like photocopying 26,000 paper records.

And again - who is the contractor? Why is the directly responsible company allowed secrecy, while the merely indirectly responsible organisations are not?

*There's an 'un' missing somewhere. Ten points to whoever spots it.

0
0
Bronze badge
Meh

As someone once said...

"The thought that you could work for the best part of a year on something and it could end up just on a stick in some guy's office. It just feels like a fucking waste of time."

0
0

Was it...

Stewart Lee?

0
0
FAIL

Safely?

"Fortunately no harm was done because the lost stick was safely found and handed in to the police."

I wouldn't consider anything handed in to the police as "safe" what with their reputation these days...

3
0
Stop

Police

I still trust them more than Russian mafia, thankyouverymuch.

1
0
Anonymous Coward

Wrong

"Saving personal information onto an unencrypted memory stick is as risky as taking hard copy papers out of the office."

That's wrong, it's worse. Paper copies of 26 000 odd records take a whole lot of physical room, making it very unlikely the idiot would have taken it into the pub in his pocket, where this is probably what this idiot did with the flash drive.

Also, making photocopies of 26 000 paper records is very time consuming and likely to leave evidence. Copying a flash drive takes at most 2 minutes and can be done without anyone noticing it.

5
0
FAIL

USB ports should be closed

This is the problem in M$ leaving USB ports open when machines / software are sold. If the ports are switched off at POS then a Sysop would have to switch them on.

0
1
WTF?

RE: USB ports should be closed

So where do I plug my keyboard and mouse into?

4
0
Thumb Up

If you're going to take that approach...

...then surely the problem is that power sockets are left "live". If users needed to contact a Sysop-approved electrician to have a socket connected to the power supply, we wouldn't have half the IT problems we do today.

0
0
Pint

Re: USB ports should be closed

When we buy machines they have empty disks. We load an image in it. Then hook it up to the domain, and from there it gets its policy as to what to do with inserted media. And you can differentiate between mice/keyboards and storage devices. You can do that in Windows just as well as you would on any *nix flavour.

And yes, we get on average one person per day asking us to enable USB ports for storage devices. And we say 'no'. Most of the time in this line of business you'll find that most of these common problems have been solved already technically, even by MS. Although the settings are not always in clear view. Sometimes you have to search a little, but what's more difficult is to keep telling the users 'no'.

Most of these problems aren't technical problems. They have to do with users demanding the same kind of functionality from their workstation as they have at home, and that includes demanding laptops, USB storage, local admin rights, world writeable shares, flash plugins and certainly no screen lock or strong passwords.

/enough about work

1
0

RE where do I plug my keyboard and mouse into?

Well, we just disable the mass storage drivers, so mouse, keyboard, printers, and 99p dancing dog toys still work.

0
0
Stop

RE USB Ports closed

Exactly. If you can't connect a keyboard then you can't log in and start copying data. Standard IT security approach - I remember a guy saying that he seriously believed that the more difficult it was to use a computer, the more secure it was.

0
0
Devil

RE USB Ports closed

This is the attitude of too many info security types: prevent the user from doing his/her job and the security problem goes away! They never seem to realize that this only forces users to bypass their protocols.

Tell them how to do the job while keeping data secure; don't just tell them what they can't do!

0
0
FAIL

my thoughts

"Fortunately no harm was done because the lost stick was safely found and handed in to the police."

And this can be *guaranteed* how?

A canny wrong'un would copy the data. Lie low, and pop up in a year's time, when everyone has forgotten, and start to go through the list.

btw - you think that's bad, check out this

http://www.guardian.co.uk/government-computing-network/2011/jul/28/manchester-police-memory-stick-burglary

strangely not reported in El Reg.

0
0
Bronze badge

memory stick?

It's fine - if it was a Memory Stick (TM), then no-one would be able to read it anyway...

1
0
Paris Hilton

Where's the NoTW connection?

just asking

1
0
FAIL

Re: "their contractor's (likely drunken) lapse"

Was he drunk when he copied the details to an unencrypted memory stick and took it out of the office?

This wasn't a "lapse", this was a grade-A fuck-up.

2
0
Facepalm

Doh! It is not about encryption

As a long suffering Lewisham Homes tenant I am grateful to mark63 for spotting the real issue here, which is more than the Information Commissioner managed.

The Data Protection Act undertaking given by Lewisham Homes, http://j.mp/ng55kW , states inter alia: "Enquiries revealed that the USB stick was the property of a contract worker who had carried out a project for the data controller. He had copied the data to this device due to problems encountered backing up work on the data controller’s network. In addition, the Commissioner was told that there was no effective measure in place to prevent the use of personal or unencrypted USB devices on the data controller’s systems, and there was no provision for training contract workers in the data controller’s policies on data protection." but fails miserably to address the question of whether he should have had that much access in the first place.

0
0

Problem is

Most people who use computers don't know how they work. So even though this guy has copied lots of sensitive files to an unencrypted USB stick and admitted losing it, there are plenty of others who would think that by deleting the files then that would be OK.

0
0
Silver badge

Why?????

Why on earth should they even have a copy of a database on a USB stick? We live in the age of the Internet. They could just as well ssh into a computer with that database on it. Then you'd also always have access to the current version of the data.

0
0