back to article Nicked unencrypted PC with 6,000 bank details lands council fat fine

The Information Commissioner’s Office has fined Glasgow City Council £150,000 for losing two unencrypted laptops, one with the personal details of more than 20,000 people - just two years after a similar blunder. More than 6,000 bank account details were held on one of the stolen computers. “To find out that these poor …

COMMENTS

This topic is closed for new posts.

Page:

What a terrible punishment, getting someone else to pay the fine.

10
0
Silver badge

@Rufus

My thoughts exactly.

Perhaps if each member of the council had to personally pay the fine it might have an effect.

5
0
Unhappy

Double whammy

So Glasgow tax payers are told to bend over and take an ICO £150K shafting and whilst they are bent over, open their mouths and take a bank account fraud shafting as well. Lucky devils.

10
0

Who pays then?

It's a council, funded by and for local residents (tax payers).

So thats £150,000 less to spend on services. Or £150,000 more to take from tax payers.

I doubt it's likely to come out of the pocket of whom ever left it unlocked, or unencrypted, or someone in management who made the decisions.

9
0
FAIL

and that we carried out significant remedial action

by purchasing a further 74 laptops to replace those missing'

5
0

Yet nobody will be fired..

The problem with these fines is that organisations pay up and there's no long term change in attitude, sure they'll do something in the short term as people try to cover their own backs but there's no fundamental shift in attitudes to IT and information security as the same managers, who usually have it as a very low priority remain in post.

The head of their IT department should be sacked for poor IT strategy and management, the manager of the offices where the laptops were stolen due to the poor physical security (regardless of encryption) should also find their job on the line. The role, of their IT security staff should also be checked to see if it's advisory (as many are) and whether those staff need extra backing from the senior management team - which is lacking in most organisations.

Until people know that their jobs are genuinely at risk for this sort of breach they'll never put the necessary importance on IT/info security.

13
0
Silver badge

Re: Yet nobody will be fired..

Not so sure about assuming poor physical security at the office. The whole point of a laptop is the worker takes it home or into the field. I expect that's the point at which it was stolen. One case in my support history was a user who had the laptop stored in a bag so it wasn't clearly visible while the user stopped to visit an embassy. Car was broken into and the bag was stolen. At the time I think the user also thought his tax return forms were also stolen, which is pretty much your identity here in the US.

But on the encryption issue, yeah, there's a real problem there.

0
0
Anonymous Coward

Re: Yet nobody will be fired..

Actually the original two laptops were stolen on council premises during a refurbishment.

0
0
Gold badge
Unhappy

Re: Yet nobody will be fired..

" I expect that's the point at which it was stolen. One case in my support history was a user who had the laptop stored in a bag so it wasn't clearly visible while the user stopped to visit an embassy. "

So 74 cars and houses broken into?

And they can't get encryption software working because?....

0
0
Silver badge

What does the ICO do with the money?

Any gov. department that says, 'you must do x' should first ensure there is a Govt. wide deal in place for procuring x at the best price with economies of scale. So, not just, 'you must use encryption' but 'you must use one of the encryption products available through the framework'.

1
0

Re: What does the ICO do with the money?

Agreed although those frameworks have to be kept up to date, which many aren't otherwise you end up having to take an out of date product at an inflated price. Frameworks aren't the answer and certainly aren't an excuse especially when they could have used free products to encrypt these laptops.

0
0
Silver badge

Re: What does the ICO do with the money?

The ICO does not mandate encryption. The ICO does not mandate anything.

The ICO simply states "you have a duty to keep of information from being disclosed to people who don't have a right to it".

Encryption is only a means to an end. Perhaps locking the laptops in a drawer is sufficient (clearly not if you put the key in the next drawer). Perhaps the data should never have been on a laptop in the first place.

Your point about procurement is an interesting one, since the govt has a very good deal with Microsoft, and Windows now includes encryption, so it's largely a free option (bit of back end PKI required). So there really is no excuse for any govt department to have laptops that don't have the most basic of protection (aside from many are still on XP).

4
0
Silver badge

Re: What does the ICO do with the money?

Yes, it's all very well saying 'comply' but it should be made easy to comply. ICO has form for manadnting compliance without considering the real-world consequences

0
1
Bronze badge
Windows

RDP? Re: What does the ICO do with the money?

"Perhaps the data should never have been on a laptop in the first place."

I'm an end user and have little knowledge of network costs &c.

My employers allow me to use an RDP session to log into my Windows desktop, from where I can access the rather minimal amount of data about students that I need to keep useful records of progress &c. We have to type passwords in each time we access the RDP desktop. I therefore use my own laptop, at home, in a room with walls and a door (and not in the middle of a Starbucks, for instance, and there has been staff training on data protection) to do bits of admin. If my laptop gets nicked, the neds would not be able to access the remote desktop session at all. The laptop has no personal information about students on it, just teaching materials that I write in my own time.

Is this a way forward? Laptops in 'offices known to be insecure' run a session back to a central server? As the server takes the load, money could be saved on hardware refreshes?

The tramp: I'm on a reduced income but pay full council tax and have to use Windows at work

5
0
Bronze badge

Re: RDP? What does the ICO do with the money?

keithpeter has hit the nail firmly and squarely on the head.

There is no reason for data to ever be on a workstation. Everyone else seems to live in a world where Citrix doesn't exist. Give the users a published desktop if the individual app doesn't play nicely as a published application. Then they can access it in the office or at home, and no need for expencive laptops or workstations - a Wyse device or similar thin client device is all that is needed at the user's end, and servers capable of hosting the sessions are getting cheaper all the time. To save on licences, server 2012's terminal server solution is nearly as good as Citrix's own offering.

5
0
Anonymous Coward

Re: What does the ICO do with the money?

@Frankee Llonnygog

re: "Yes, it's all very well saying 'comply' but it should be made easy to comply. ICO has form for mandating compliance..."

Why?!? It's not the ICO's responsibility to tell the councils how to do their job - the ICO is only there to state the requirement and ensure it's being met.

Councils should be designing processes to meet those requirements. Not just expecting someone else to come up with solutions for them. Why is that so different from how they meet their other obligations - or are they just spoon fed and never have to think for themselves?

0
0
Silver badge

Re: RDP? What does the ICO do with the money?

And everyone else seems to think the Internet is literally everywhere. What if you need to meet a deadline but you're going to be "out of the loop" for a while? What if your Internet access is notoriously unreliable or hard to secure (you're using a WiFi setup that's not yours)? Then there's the matter of drive-by (hidden in a popular site) rootkit (hidden from detection) malware that can still nick the RDP details.

0
0
Silver badge
Go

Bonus's all round at Glasgow City Council this year then?

Senior Managers and Executives will have targets to meet to be eligible for bonus. If they meet the targets, then award the bonus. Then directly reduce the bonus by the amount of any fines incurred in the Councils name since they have responsibility.

9
0
FAIL

If the report is correct

and the staff requested encryption and this was denied then whoever denied it should be fired and the ICO fine should be taken from the pension pot, only when the individuals who fail in this appalling manner are held to account will others take notice.

Until the fines are met by the people responsible and not the tax payer they will have no effect.

It smacks of a criminal level of negligence but stuff all will happen to the muppets responsible.

9
0
Bronze badge

Re: If the report is correct

I don't think the encryption request was denied, so much as just ignored.

Not that that makes it ok, but there is a different level of stupidity involved in forgetting/not getting round to taking action to encrypt the data and actively refusing to do so.

1
0
Silver badge

Re: I don't think the encryption request was denied,

Article says pretty clearly it wasn't installed because it either didn't work or they couldn't figure out how to install it so it would work. While it is normally true that incompetence suffices and is preferable to malice, in this instance I think we need to deny them the incompetence option. They've become too competent at taking incompetence as the easy way out.

Crimeney! This sort of crap pisses me off and I'm not even a loyal subject of Her Majesty.

0
0
Silver badge

I did not cost the council one penny

It cost the TAX PAYER £150,000.

Who was responsible? Did they follow procedure? No? Fire them.

Was there no procedure? Who should have written it? Fire them.

They were blocked from writing it? Who did that? Fire them.

They were blocked from implementation? Who did that? Fire them.

Repeat until you reach the top.

Unless we start sacking the idiots in the civil service, we will keep getting crap like this. In the private sector this would almost certainly be grounds for summary dismissal. Of course, this is Glesga council with a vainglorious history of incompetence, corruption and utter disregard for the will of the Glaswegian people (which is pretty typical for Labour). I give you the previous (and planned) destruction of George Square as but one example.

More importantly....I wonder how I find out if I am affected?

45
1
Coat

Re: I did not cost the council one penny

>>More importantly....I wonder how I find out if I am affected?<<

I would say Much More Importantly.

I'm betting that if you submit an FOI request, you'll be told that they "cannot supply that information due to the Data Protection Law".

Or am I just being my usual cynical self?

2
0

Re: I did not cost the council one penny

You would use the Data Protection Act to find out specific information about yourself - it is called a subject access request.

The Freedom Of Information Act is for more general, non-personal requests unless it is of an environmental nature in which case it is much the same process as FOI but under the guidance of the Environmental Information Regulations

3
0

Re: I did not cost the council one penny

I agree with regards to sacking those responsible - the problem is that councils and the public sector never do.

However your point about the private sector is a little odd, we'd never have known about this loss if it was in the private sector, the chances of them self reporting to the ICO are incredibly small and of course you couldn't use an FOI to investigate it.

2
1

Re: I did not cost the council one penny

This probably was not due to incompetent IT staff. Council’s and public bodies have an obligation to follow the GSX code of connection for access to the Public Services Intranet. One of the stipulations is that they must encrypt all mobile devices and removable storage. However there is a mindset that goes “no one else (other Councils) pay any attention to this so we won’t either”. Until the ICO and Cabinet Office start to conduct unannounced ITC audits individual Councils are going to continue to disregard or interpret the rules and regulations as they see fit.

2
0
Anonymous Coward

Re: I did not cost the council one penny

"In the private sector this would almost certainly be grounds for summary dismissal."

Er - not necessarily... depends how much the disclosure of such issues could affect the share price.

AC for reasons that should be obvious

2
1
Bronze badge

Re: I did not cost the council one penny

Everyone comments about how much it costs the tax payer, and they're right but its not going to make a difference that sort of culture seems endemic in councils.

I've worked in a few and it always seems to me that a large percentage of the wastage money wise with a council is because its not earned just given so no one is as accountable. If you went to your boss in a private company and had to explain how you were pissing money up the wall because of x,y,z and that you wasn't doing anything about it, how long do you reckon you'd last?

Yet I have worked for council departments who don't even bother finding out the x,y,z let alone try and fix it or have to explain it.

Working for the council really made me resent paying my council tax - not because I don't think we should contribute to society I do, but because if I do I don't want it being sodding wasted by idiots.*

*Apparently commenting this to your boss whilst working for the council shows a bad attitude.

4
1

Re: I did not cost the council one penny

“Unless we start sacking the idiots in the civil service, we will keep getting crap like this. In the private sector this would almost certainly be grounds for summary dismissal.”

I hear this kind of thing a lot, and yet I’m not convinced that the private sector is all that much more efficient or less error-prone than the public sector, based on my experience working with both. Companies certainly have an easier time concealing their fuckups than public-sector entities, and you could argue that they tend to fuck up in different ways; amazing feats of bureaucratic inertia and buck-passing are more common in the public sector, while ridiculous misadventures caused by dumbfounding levels of exec-grade arrogance and narcissism happen more often in the private.

Both sectors come out with these kinds of staggering ineptitude often enough that I can no longer take this whole ‘private sector lean and efficient; public sector bloated and incompetent’ mythos very seriously. And while some people in the corporate world may be more likely to face the consequences of their mistakes – lower-paid people, mostly – the upper echelons often seem bafflingly immune to the faintest hint of accountability. Just look at the leaders of so many of our glorious financial institutions, or the seemingly ineradicable Ballmer, or any number of serial failures who nevertheless sail blithely into a succession of heavily-remunerated leadership roles, leaving a trail of destruction behind them.

3
0
Silver badge

Re: More importantly....I wonder how I find out if I am affected?

You can't because they don't even know what information may have been compromised.

So, if you've had any dealings with them, assume your information has been compromised and act accordingly.

1
0
Silver badge

Re: the upper echelons often seem bafflingly immune

While that is true to some extent, at least some of the people in the lower echelons are accountable. You don't even get that in government. These days, to the extent you do, it is because they've contracted the job to someone so the contractor can be disposable. I'd also note that all of the examples you site have significant interfaces with the government in one way or another. Even Ballmer who owes his fortune to government backed copyright monopoly combined with government enforced "terms and conditions" contracts.

I'd also say that even in the private companies I've worked in that are tightly associated with government (living inside the abysmal swamp makes it nearly impossible not to do so), while the higher ups who frell it up might not get the public treatment, they do seem to eventually disappear. Not necessarily in a manner traceable to the injury, but they disappear none the less.

0
0

Re: the upper echelons often seem bafflingly immune

“at least some of the people in the lower echelons are accountable”

Often they’re just taking the fall for mistakes that are really the fault of someone higher up, though.

“I'd also note that all of the examples you site have significant interfaces with the government in one way or another.”

Up to a point. The misdeeds that led to the financial crisis really weren’t the government’s fault. The government could have done more to stop the madness, but it certainly wasn’t forcing banks to go on insane lending binges in various bubbly property markets or to make enormous gambles on highly-leveraged pools of credit derivatives.

It sometimes feels like once you’ve made it to C-level you’re almost guaranteed perpetual lucrative employment, no matter how much you screw up (short of actual imprisonment). It’s like football managers; there are so few that are known quantities (and so perceived as less of a gamble by risk-averse boards) that a month after steering Club X into relegation and bankruptcy you’ll be sitting at a press conference with your new employer talking about how you’re looking forward to working with players and staff to restore Club Y to the prominence its proud heritage deserves.

1
0

Re: I did not cost the council one penny

Let's hope the voters in Glasgow hold their councillors to account.

It is the councillors who hold their civil servants to account, unlimately being able to get rid of the CEO through a vote of no confidence if he/she hasn't satisfied them that suitable action has been taken.

If nothing happens, and the councillors are still seated this time next year, then blame the voter :)

Probably the IT is outsourced. The ITcompany gave a quote for encryption, which was sniffed at by the council as costing too much so declined. The council will argue that Central Givernment cuts meant they didn't have the resources to pay for betetr security. Blame will be passed around and diluted between the workers. Only the voters hold the true power to get something done about it.

0
0
Anonymous Coward

Re: I did not cost the council one penny

You tell'em pal, you tell them.

0
0

Re: I did not cost the council one penny @ the Big Yin

Who was responsible? Did they follow procedure? No? Fire and fine them.

Was there no procedure? Who should have written it? Fire and fine them.

They were blocked from writing it? Who did that? Fire and fine them.

They were blocked from implementation? Who did that? Fire and fine them.

(And possibly imprison too.)

There, fixed that for you!

0
0
Silver badge
WTF?

The council issued unencrypted laptops to staff when it had problems with its encryption software

Well that was daft.

What the council should have done was train their employees properly. (If they still can't use encryption tools after that, then the council needs to fire their incompetent staff).

It's just encryption, it's not rocket science.

2
0
Silver badge

Re: The council issued unencrypted laptops to staff when it had problems with its encryption

To be fair it doesnt say it was the staff who had problems - just that there were problems. Could just as easily be bad install/config or bad policies/governance.

1
0
Bronze badge

Re: The council issued unencrypted laptops to staff when it had problems with its encryption sof..

I doubt it was related to training etc. Full disk encryption is essentially transparent to the end user, the only differences a user see's is likely to be an extra icon in the notification area, and depending on the vendor of the software, sometimes additional log in prompt during initial boot.

I would suspect that it was probably more to do with a bad install image, or some clash between existing applications or something else in their SOE build. (Assuming they have a proper Standard Operating Environment of course!).

But saying that, irrespective of issues, they still shouldn't have sent out unencrypted laptops to anyone accessing sensitive data.

Install some desktop in a secure area, if you want to work on banks details, you need to come into the office and use the PCs in the secure room for the day, not your laptop.

Then once the issues are resolved, roll out full disk encryption. Also update your domain login process to make sure each device accessing the network has encryption enabled, if not, deny access and tell them to phone the help desk.

1
0
Silver badge

Re: To be fair

In fact, given that it sounds like none of the laptops were encrypted, I expect it was a problem with the installation, not that Jane Smithe couldn't login to her encrypted laptop and therefore got a verbal waiver for having the software installed.

0
0
Anonymous Coward

Re: The council issued unencrypted laptops to staff when it had problems with its encryption sof..

My guess would be they were using McAfee and were running into issues with the hidden partition on vendor equipment. At the very least it was the encryption software and the hidden partition. We ran into that problem once for a couple of weeks during a planned version upgrade. Some systems would install fine, encrypt fine, and upon reboot after the encryption was complete, they blue screened. During the problem period we used the old version of the software. Eventually we figured out you needed to blow away everything on the drive and put the bog standard image on it. But if you let the tech off the hook, he won't keep looking for a solution to the problem.

0
0
Anonymous Coward

Why on a laptop

Can someone please explain to me why they had 20,143 individual information as well as at least 6,000 bank account details on a laptop in the first place?

9
0
Silver badge
Thumb Down

Re: Why on a laptop

Exactly.

All sensible businesses keep sensitive data on secure servers. The more clued-up ones disable any workstation features that would allow data to be exported. The last place I worked had an instant-dismissal rule for taking data - including source code - off site. If you need to send something to another office, you have a WAN, or at least a VPN, to do it on. If you need to work on something at home you use remote access.

But the public sector seems to be stuck in the age of sneakernet. Massive files of sensitive data on laptops, CDs in the post, flash drives down the pub, and so on. Why?

6
0
Anonymous Coward

Re: Why on a laptop

+1

We have a secure room in our office specifically for this type of activity.

Want to work on this sensitive data? Then you'll have to use one of the secured, locked down (i.e no USB, no CD etc.) desktop PCs that's in the secure (pass card entry) room in the middle of the building. Thats the room without windows, where you have to leave your bags and your phone with security if it has a camera. etc.

1
0
Anonymous Coward

Re: Why on a laptop

For the same reason I once worked in a location where even larger volumes of PII was stored on unencrypted drives: someone told them because of their special relationship with the government, they didn't have to.

Despite the alleged security on the room it would have actually been fairly easy for someone to bust through the wall (frame and drywall) connect an external USB drive, and copy the data. Yes, it would have been bloody obvious the next day, but still you would have walked away with millions of medical records including social security numbers.

I understand they have improved security since then, but since I no longer work there I can't vouch for how safe the records actually are. Their biggest defense was, and I expect remains: most people have no idea exactly what information is in that particular room. And of those who do, their livelihood depends on most people not know that.

0
0
Anonymous Coward

Re: Why on a laptop

Because external USB drives are a cheaper solution than a proper backup unit and they needed to make contract budget. Besides, the data has to be converted on that computer over there, which isn't permitted to touch the isolated network* on which the data is processed, and it's easier to transfer the data using the USB disk.

*Dweeb telling me this didn't think about the fact that I knew he had a way of remotely monitoring the jobs on the "isolated network" which tells you just how "isolated" it really was.

Honest. That was a real answer I got once. But I R only the held desk doobie and don't know anything real about computers.

0
0
Mushroom

The ICO hasn't a fucking clue

How the hell does fining a public body AGAIN prevent a re-occurrence of data loss?

Change the law. State that if an employee loses a device with unencrypted & sensitive data on it then they and their manager go to prison for a minimum of 3 months and are liable for any losses incurred by those whose details were part of the data.

This will force change as employees will refuse to have any data that isn't secure and will make damn sure they keep it safe.

3
1
Silver badge
FAIL

Re: The ICO hasn't a fucking clue

Its hardly the fault of the ICO if those in power have a vested interest in not giving it the teeth it needs.

Financial remedies are about all it has - even that was fought tooth and nail.

1
0

Re: The ICO hasn't a fucking clue

Says someone without a clue.... the ICO has asked for powers to use custodial sentances but successive governments have refused to put them in place.

2
0
Anonymous Coward

Re: The ICO hasn't a fucking clue

"State that if an employee loses a device with unencrypted & sensitive data on it then they and their manager go to prison for a minimum of 3 months and are liable for any losses incurred by those whose details were part of the data."

Back to paper, locked filing cabinets and biros then. No-one would want to risk anything else.

Nostalgia, fond memories, and nice long lunch breaks, but forget any form of reporting or process check. It is also easy to 'loose' paper if you know what I mean, so forget accountability.

0
0
Bronze badge

Fines should come out of the council management remuneration pool...

It's the only way to make it fair/accountable.

I bit of Googling reveals Glasgow has the highest number of employees with +100K packages in the UK.

So there's plenty of money in that pot to pay for these time of **** ups.

6
0

Page:

This topic is closed for new posts.

Forums