Probably was noticed.
Bet some poor IT bod has wondered,
"Why isn't encryption turned on? That would be much better."
"Better leave it though, as it will end up screwing everything up and I'll lose my job, because nobody bothers to tell me anything."
The UK's Ministry of Justice has been fined £180,000 following the latest in a series of failures involving how prisons handle private information. The penalty (PDF) follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire back in May 2013. The *unencrypted* hard drive contained sensitive and confidential …
No, he went to his superiors and they told him they'd decided to turn it off because if anyone forgot the password they'd permanently lose access to the data. And it would be far too insecure to write it down. So best use none and realize that anyone would assume the drive was encrypted...and that the government wouldn't, if it were lost, be quick to trumpet that it was unencrypted...
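The "forgotten password means the data is gone forever" worry in the comment above is what key escrow exists for: the drive is encrypted under one random data-encryption key (DEK), and that key is wrapped separately under each credential, so a staff passphrase and an offline recovery key both open the same volume, and a forgotten passphrase is rotated rather than mourned. This is the mechanism behind LUKS key slots and BitLocker recovery keys. The block below is an added, stdlib-only illustration of that key-slot layer written for this page, not code from the article, The Register, or the MoJ; the `KeySlots` class, scrypt parameters, and XOR-plus-HMAC wrapping are assumptions chosen for the example, and the actual disk cipher that would consume the DEK is deliberately left out.

```python
"""Key-slot escrow for an encrypted backup drive (added example, stdlib only).

A random data-encryption key (DEK) is wrapped independently under each
credential ("slot"), the way LUKS/BitLocker key slots and recovery keys work.
The drive contents would be encrypted under the DEK by the real disk cipher;
that part is out of scope here. Assumed design, not any real deployment.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed for the example; ~16 MiB per derivation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _slot_keys(credential: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte wrapping pad and a 32-byte MAC key from one credential."""
    km = hashlib.scrypt(credential, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeySlots:
    """Volume header holding the DEK wrapped under several independent credentials."""

    def __init__(self) -> None:
        self.slots: dict[str, dict[str, bytes]] = {}

    @staticmethod
    def new_volume() -> tuple[KeySlots, bytes]:
        """Create a fresh volume: returns an empty header and its random 256-bit DEK."""
        return KeySlots(), secrets.token_bytes(32)

    def add_slot(self, name: str, credential: bytes, dek: bytes) -> None:
        """Wrap the DEK under a credential; each slot gets its own salt, hence its own pad."""
        salt = secrets.token_bytes(16)
        pad, mac_key = _slot_keys(credential, salt)
        wrapped = _xor(dek, pad)  # one-time pad: the pad is never reused across slots
        tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        self.slots[name] = {"salt": salt, "wrapped": wrapped, "tag": tag}

    def open(self, credential: bytes) -> bytes | None:
        """Try the credential against every slot; return the DEK, or None if none match."""
        for slot in self.slots.values():
            pad, mac_key = _slot_keys(credential, slot["salt"])
            expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
            # Verify the tag before unwrapping so a wrong credential yields None, not garbage.
            if hmac.compare_digest(expected, slot["tag"]):
                return _xor(slot["wrapped"], pad)
        return None

    def remove_slot(self, name: str) -> None:
        del self.slots[name]


def provision_backup_drive(passphrase: bytes) -> tuple[KeySlots, bytes, bytes]:
    """Set up a drive with a staff passphrase plus an escrowed recovery key.

    The recovery key is generated once and would be printed or stored offline
    (safe, HSM, or a sealed envelope held by a second person), never on the drive.
    """
    header, dek = KeySlots.new_volume()
    recovery_key = secrets.token_bytes(32)
    header.add_slot("staff", passphrase, dek)
    header.add_slot("recovery", recovery_key, dek)
    return header, dek, recovery_key


def recover_after_forgotten_passphrase(header: KeySlots, recovery_key: bytes,
                                       new_passphrase: bytes) -> bytes:
    """Forgotten passphrase: unlock with the escrowed key and rotate the staff slot.

    The data itself is never re-encrypted; only the wrapped copy of the DEK changes.
    """
    dek = header.open(recovery_key)
    if dek is None:
        raise ValueError("recovery key rejected")
    header.remove_slot("staff")
    header.add_slot("staff", new_passphrase, dek)
    return dek


if __name__ == "__main__":
    header, dek, recovery_key = provision_backup_drive(b"correct horse battery staple")
    print("staff passphrase opens volume:", header.open(b"correct horse battery staple") == dek)
    print("wrong passphrase opens volume:", header.open(b"password1") is not None)
    recover_after_forgotten_passphrase(header, recovery_key, b"new passphrase")
    print("old passphrase still works:", header.open(b"correct horse battery staple") is not None)
    print("new passphrase opens volume:", header.open(b"new passphrase") == dek)
```

The point for the decision described in the comment is that "write the password down" and "no encryption" were never the only two options: the recovery credential lives in a different place from the drive, under a different control, and a lost passphrase costs one slot rotation, not the data.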
$180,000 is 0.002% of the MoJ budget - that'll larn 'em. Does this involve changing the 6th significant figure in two adjacent columns on some financial controller's spreadsheet?
No doubt 'lessons have been learnt' - the main lesson being that Data Protection breaches, no matter how egregious, have no significant consequences for anyone.
The beauty of these government schemes is that no-one is accountable - even the few civil servants that care are not accountable. Everything is committees, subcommittees and always approved from above. I would not be surprised if there are techies out there wearing their "I told you so" tee shirts but activating encryption was simply not "in scope" for just delivering machines as cheap as possible...
@Lusty
Which is why public servants should be fined, fired, and banned from any role at any level of public service including any consultancy or body shop. I can choose not to buy from Amazon, but my local council have me over a barrel, so the penalty must reflect that.
If nobody can be identified as being responsible for the failure, then it is the civil servant in charge of the department or service. They'll soon delegate the authority in a verifiable manner.
The fines, to be levied against the individual, should start at one day's pay per record exposed for minor breaches such as welfare records or order history, rising to one week's pay per record for stuff like criminal records, and onto one month's pay per record lost/leaked for anything confidential like financial or medical records.
The fines would be transferable back to the one-up delegator of the authority if it could be shown in writing that issues were escalated due to lack of authority and not addressed.
Implement that, and the data held by the public sector will magically become secure. Don't implement it, and nothing will change.
when one government department fines another. Provides work for civil servants in both departments. Sir Humphrey would be delighted.
The Monetary Penalty Notice pdf says "The data controller has sufficient financial resources to pay a monetary penalty up to the maximum without it causing undue financial hardship".
What is "financial hardship" for a government ministry? Not enough in the tin for rich tea biscuits with the coffee at meetings?
@Ross K
You sure a public servant did that? In many government organisations (can't speak for this one - anyone else know?), the policy is in-house, the implementation is private sector contractors.
It would seem strange for an organisation to buy kit that expressly catered for past misdemeanours if the policy wasn't there to turn it on. Still, easy target eh?
> You sure a public servant did that? In many government organisations (can't speak for this one - anyone else know?), the policy is in-house, the implementation is private sector contractors.
Spoken like a true public servant - you put the blame on somebody else and the problem goes away...
If you search past articles on this site you'll see a fine array of government entities losing "customer" data which should have been under tight control (my personal favourite was the council employee data dumped in a rubbish bin in a Tesco car park). It's obvious that fines are no deterrent.
I wonder would security be improved if the persons responsible for protecting data were given custodial sentences every time their department messed up.
read it again - I didn't put the blame on anyone, merely made a comment about your public servant statement and asked whether you knew who in fact didn't implement the security. I did some consulting work for them a good few years ago when they were part of the Home Office but can't remember how their IT services were run.
But I'm sure you're right, it's only ever public servants who cock things up isn't it?
Personally, I'd like to see jail time for the persons responsible for this sort of thing regardless of whether they are gov or private contractor - you don't give up your responsibility because you work for someone else and you're not absolved from responsibility because you employ someone to do this stuff for you.
Andrew Jones, you have a point in this day and age but:
"Never underestimate the bandwidth of a van full of tapes"
On the other hand only a total eejit would leave the van door unlocked.
As per previous posters I pity the poor IT soul who has doubtless got blamed for what was a poorly managed implementation.
I suspect they have heard of a VPN.
But I suspect that would require new hardware, and therefore a tender process, many months or work, a ridiculous set of requirements and so on. It'll eventually go to some group like Crapita, for millions.
When a local IT firm would quite competently have done this for a small amount of money.
...but that's just not how Public Sector works.
I recently had experience of this - customer has connectivity with us, is public sector. Has bandwidth limited account. Reaches limit (first time ever). Calls up, is told they can either pay £X for top-ups of said bandwidth on a one off basis, or it would be cheaper to switch to a better tariff on a new contract term. £Y would be the cost over 2 years, which is less than £X is.
The latter scenario couldn't be done as it would require paperwork, contracts etc, but the former was absolutely fine as it can be expensed back through the system. That it costs more is irrelevant, it's actually the procedures that prevent the value for money. The very same ones that are supposed to improve value for money.
I see this every month...
"Reduces their operating budget I'm guessing?"
Has anyone considered the leaks might happen for just that purpose?
Any budget surplus left over after the fiscal year is 'lost', and may lead to a budget cut the following year.
So... "We're having trouble getting this years budget spent!"
"Here, leave this laptop in your car and park it in front the Sleazy Pub with the windows down. There's enough sensitive data on it that the fines should cover the surplus!"
"Genius! No wonder you're the boss!"
They have to do something to show they care. Short of actually punishing anyone, or making the MoJ compensate the victims, which they don't have the powers to do.
Maybe they should be able to block any honours for MoJ senior civil servants for the next couple of years. Much more effective.
It wasn't "the prison service" that lacked the necessary attentiveness. It was some one or few individuals within that service who didn't, yet were responsible for just such matters.
It might very well be that some upper level management wonk had cancelled the position(s) supposed to handle those responsibilities. But always there is individual failure to do the job correctly that lies behind organizational failures.
If the hard drive was lost how do they know that encryption wasn't turned on? You obviously can't rely on the users as it appears that they haven't got a clue.
Widening this out why wait till something is lost before a fine is issued. If someone breaks the speed limit they can be fined without ever having caused an accident. I'd suggest random checks of similar facilities and if they are found to be using processes that could trivially lead to the loss of data through the loss of a physical asset then they should be fined, without waiting for that loss.
And yes, fines are pointless within the Government; the service owner (a person) should be the one to bear the cost, with the chance that ultimately they could lose their job. At the very least they should be named so there is no chance I'd have to work with them.
It's a little unfair on the minister for the affected department to foot the bill - particularly with many senior departmental civil servants making more than the ministers these days.
As there is a general lack of responsibility, I would propose a Gladiator-style battle between the responsible committee with the members battling it out to pay nothing (lose first round, pay £8k, 2nd round £4k, semis £2k, losing finalist £1k). Create a TV show with whatever commentators/presenters are available with all profit going to improve security practices in said department.
I don't believe this will address the underlying security culture in many of these environments, but it would make better TV than "Britain's Got Dancing on Ice" or whatever the tripe is called...
> I would propose a Gladiator-style battle
No way should Cowell be allowed to make money off the public for this!
Fining the Minister is fine - he sets the policy, he is supposed to be accountable. He should have a security officer who reports to him (not Operations) and without personal interest in the subject, he won't drive any change.
The reason is, it's cheaper to pay the fine when caught than to audit and enforce policy. Paying the fine doesn't hurt anyone except the prisoners, since the MoJ has less money to spend on them.
"I'm sorry we lost your data, I'm going to have to fine you for it." is creepy - like paying for your own execution bullets.
I think you are onto something here Peter 39,
So MoJ and HMP staffers go to prison for the data loss which was completely avoidable; and let's see how the lags treat them for losing their data.....
Then in the same context the Police and Council in Rotherham should be doused in petrol and repeatedly assaulted and abused.
Currently there is a culture of "no accountability and no consequences" so nothing will change.
Perhaps it's time for some "eye for an eye"