Lag log leaks - Home Office contractor loses entire prison population

In a major coup in the government data loss stakes PA Consulting - which until Monday was one of the Home Office's favourite consulting outfits - has contrived to lose the entire prison population of England and Wales. Personal details of the 84,000 people behind bars, along with those of 10,000 prolific offenders, have vanished …

COMMENTS

This topic is closed for new posts.

  1. John Lettice (Written by Reg staff)

    Re: But unfortunately...

    Straw's data, Jacqui's contractor. But the PNC stuff I assume is Jacqui's data. So go ahead...

  2. Anonymous Coward
    Paris Hilton

    Am I the only person here...

    ...pleased that criminals are exposed to the possibility of getting a dose of their own medicine? I would find it hilarious if some fraudster had their loot pilfered by another ID fraudster. I also like the idea of some of these individuals suffering from said crime, such that they reconsider the effect of their own actions. The lack of empathy seems to be such a characteristic of such people, that perhaps this might inculcate some.

    OK I know the above is pure shite on my part and that by no means all lags/ex-lags fall into the above category, it is pure fantasy really. I also realise the idiocy of saying that 'criminals can't enjoy the protections of the European Convention on Human Rights, but they should respect others' human rights'; but -

    perhaps the lesson from these data losses is just that data is no longer sacred and liability for securing title to assets should lie with banks and similar organisations - it should be incumbent upon them to secure the most material assets, and we should just not worry too much about the rest?

    Oh, and the other lesson is that until every civil servant is paid £1 million each a year, and has an IQ of 180, and gives a damn, nobody should mention the words 'secure' and 'ID card', in the same sentence?

  3. TeeCee Gold badge
    Stop

    "Home Office contractor loses entire prison population"?

    I thought that this one was going to be SSDD. Then I read the article and found that they'd lost some data about prisoners rather than the prisoners themselves for a change.

    Sort of less of a big deal than usual for HMG then.

  4. ReadyPeople
    Coat

    Oceans 84000?

    Perhaps this is just a viral marketing campaign for the latest installment to follow Oceans Eleven, Twelve and Thirteen.

    Give it 20 years and there should be enough room to store the prisoners themselves on a memory stick - that should solve the overcrowding problems.

    Mine's the one with a file, hidden in a cake, hidden in the secret pocket

    ReadyPeople - starting up the Essex .NET Developers Group - Interested?

  5. Anonymous Coward
    Anonymous Coward

    Just stabbing in the dark, but...

    Let me guess, the data was neither anonymised nor encrypted? I assume it's also reasonable to assume no one in MinJus or PA Consulting will be found at fault.

    So it's only a matter of time before the National ID database is downloaded for 'processing' and left lying around by someone from PA.

  6. Danger Mouse

    The Scenario

    How it played out in my mind.

    Home office bloke "John, we need some analysis of this data"

    John from PA "Ahhh, alright, dump it to csv file on this stick, I'm working from home tomorrow I'll do it then"

    Home office bloke "Golf this weekend?"

    John from PA "Sure why not"

    Home office bloke "Here's your stick back, see you Saturday"

    John from PA "see you then"

    John returns to office via a pub lunch on expenses, sits down at his desk turns on his laptop, inserts usb stick opens up expenses spreadsheet, does a bit of fiddling, saves it, removes it and places it on his desk just above the bin. Finishes up for the day, knocking his usb stick into the bin in his rush to beat the queue out of the car park.

    Impossible I hear you say, nope, I've seen a previous 'manager' do exactly that, in my case he was fortunate that I had to look for a Post-it note with a phone number that I passed him early on in the day. I did let him sweat for a couple of hours the next day before sliding the key back on his desk after he informed his director. And no, I didn't like working for him :).

  7. Anonymous Coward
    Alert

    Enough!

    I personally don't handle data that's as critical as the data the government and their contractors (mis)handle on a daily basis.

    However, I have to say that I consider ANY data that isn't my personal data to be vitally important to the owner or those the data might refer to. My own data's pretty important to me too, because I know what the implications of data loss can be. So my security is my affair.

    I'm constantly appalled by the cavalier way such data is treated by customers themselves.

    It has to be said that by and large the people in question are basically, muppets.

    They have little or no conception of the risks they take on a daily basis - worse, they won't be told. They assume everyone else is stupid, they are smart, and it couldn't possibly happen to them, so precautions are a senseless waste of their, oh so valuable time.

    Myself, I've never (yet) lost data by 'losing' a USB 'thumb drive', CD/DVD, external HD, or a laptop (a laptop FFS! HOW do you manage that?).

    Customers REGULARLY lose USB 'thumb drives' and CD/DVDs.

    No one I deal with has yet managed to lose a laptop, though with a couple of them I feel it's only a matter of time...

    Yes, the Government is ultimately to blame. The decision to employ staff/consultants is their responsibility.

    But, it's abundantly clear that individuals and firms are being employed who are of the caliber of many of my customers.

    'It won't happen to me, because I'm too smart / know what I'm doing / don't need to waste my time taking precautions'

    'Muppets'. All parties involved.

    The solution? Accountability. The buck stops at the Cabinet Minister in question's desk. No more 'investigations' designed to stall the matter until it's forgotten. No more 'It won't happen again' - because it clearly will.

    Simple rules:

    'You lost xxxxxx? - clear your desk'

    'Your downstream staff member lost xxxxxx? - clear your desk'

    'Your firm lost xxxxxx? - contract terminated and no further employment'

    'Your department engaged this firm that lost xxxxxx? clear your desk and kiss your pension bye-bye'

    No excuses.

    Also - since the government is so damn keen on databases, how about a database blacklist of individuals, firms and directors of firms involved in data loss incidents? So it is possible to ensure none of the individuals involved are ever employed on government work again?

  8. Kwac

    Ms Smith cop out

    "Ms Smith said the government had held the data securely but PA Consulting appeared to have downloaded it, contrary to the rules of its contract."

    BBC News

  9. Anonymous Coward
    Anonymous Coward

    Sigh - it won't change anything..

    I suspect the usual will happen: the sap who lost that stick (stupid, but human failure should always be planned for) will get the sack, but the management who failed to put directives, policies, software and audit in place to keep things safe will at most get a slap on the wrist with a wet noodle - and still pick up their bonuses for all the profit they made at the taxpayers' expense.

    No news here, please move along, just pay your taxes..

  10. Peter Gold badge

    @ Enough & black lists

    Blacklists won't work.

    They'll lose them..

  11. Anonymous Coward
    Anonymous Coward

    @ Good timing

    Given that just about everything has been outsourced to contractors/consultants, any idea who did those reviews? Just musing.

    Oh, and why did nobody check that the contractors really did what they promised? I do vaguely recall some standards being demanded in most Gov contracts, and even 4 years ago there were various consultancies promising more than they delivered (mainly because implementing it would detract from their beloved profits/bonuses).

    I guess now the search is on for new friends in Government..

  12. Anonymous Coward
    Thumb Down

    Terribly honest consultants.

    At least someone owned up to losing the data.

    If your job is on the line.. Lie !

    Where's that usb drive I gave you ? Dog ate it... sorry.. I'd already removed all the data on it, here take one of mine instead.

  13. jack horner
    Black Helicopters

    HAHAHAHAHAHAHAHAHAHAHAHA....................

    Do 'Private Contractors'* have to pass any sort of certification or vetting procedure before being allowed to lose heaps of personal data - or can anyone do it?

    On the bright side - the recruitment of villainous henchmen just got a whole lot easier! HaHaHaHa...etc (Evil laughter echoes around interior of hollowed out volcano).

    (*English translation: Money-hungry spivs with the right connections)

    Thanks

  14. Anonymous Coward
    Thumb Up

    @ Enough & black lists

    "Blacklists won't work.

    They'll lose them.."

    NOT if they are tattooed on the PM's face :-)

  15. Anonymous Coward
    Black Helicopters

    @ the idiots they'll trust with a National ID card

    James, it may be worth investigating just who was involved in the feasibility study.

    The answer may not come as a surprise, but as a hint, there was no conflict of interest whatsoever (that's meant sarcastically, btw).

  16. yeah, right.
    Black Helicopters

    got me thinking...

    One of the posts above got me thinking. If the UK gov "loses" data on everyone in the country, that means they can do lots of scaremongering about ID theft and the likes. Then they could sell a "National (Anti-)ID(theft)" card to all those scared-silly punters that they claim will make ID theft a lot less likely. There are probably enough stupid people in the UK today to perhaps make such a scheme work.

  17. Anonymous Coward
    Thumb Down

    @Ms Smith cop out

    Ahha, I see the hand of D.O.P.E here, well if it was secure then the contractor would not have been able to download it.

    Wacky Jacqi, null points

    Can we have a WJ icon please?

  18. Anonymous Coward
    Paris Hilton

    @ Jack Horner, re vetting procedures

    Go to http://www.cesg.gov.uk/site/clas/index.cfm (CESG Certified Listed Advisory Scheme) and fill in "PA Consulting".

    A company can only appear in the "competent to perform security work" category on GCAT (Government CATalogue of accredited companies) if it has CLAS certified people.

    However:

    - a company only needs ONE (1) such an accredited consultant to become listed as a whole (yes, even with the 2..3k people PA Consulting appears to have) so it's made dirt easy to game the system (no idea if the specific people themselves are vetted, given the recent cock-ups I have my doubts)

    - the whole process is tick box driven and easy for people with half a braincell. I presume that is because they would otherwise not be able to get anyone at all, a theory underwritten by this latest stunt.

    So, let's sum up:

    - the club that hacked the ID Card justification and the scheme itself together has screwed up badly, to the point that it has become a political bomb

    - so far there is no evidence that there were ANY procedures and policies in place (gov/consultancy) that would have prevented such an event

    - the selection process for such a company appears to be holed below the waterline as well

    - nobody is in the least surprised, just resigned that it happened yet again

    What I want to know is which politician will now have the unmitigated gall to state that ID Cards are still a good idea. The Gov lacks competence, and so do their advisers. And it's not like there hasn't been a lot of "I told you so" already.

    What I like is that it's now weekend. They'll have to sit on this for the whole 2 days before they can do something about it. Sorry to be a bastard, but I rather enjoy the timing..

    Paris, because she at least learned after her contacts were stolen off her phone..

  19. Harry Stottle

    @Dunstan Vavasour

    Well said sir.

    A number of comments have focussed on introducing/increasing "criminal" penalties for data loss. This would be neither effective nor realistic. Furthermore it does no more than reinforce the ill-IT-irate approach of the Government's existing incompetent attempts at Security Theatre. They THINK you can impose security with rules constraining humans. Wrong.

    As Dunstan puts it:

    "As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick."

    The reason The Law cannot possibly help is that it is quite impossible to create a "proportionate" penalty. Why not? Because the point of penalties is to act as a deterrent and whether a penalty is a deterrent depends on the value of the data to the attacker - which is not something under our control.

    Yes, we might deter casual theft or incompetence with a fine of a few thousand quid, or a prison sentence. But if the purpose of the theft is serious enough (obvious example terrorism) then no penalty is going to have the required deterrent effect and it's THAT kind of attack we should be most concerned about. And the ONLY protection against that kind of attack is to make it physically impossible for attackers to get at the data. Dunstan again:

    "We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data."

    And, in cases like the present example, they shouldn't even have a view of the "real" data. For the purposes of research, there is no obvious reason why they cannot have an anonymised view of the data, where any sensitive identifiers have been replaced with pseudo-data.

  20. Anonymous Coward
    Paris Hilton

    Somebody lend the BBC a picture of a memory stick...

    The news.bbc.co.uk coverage of this item featured a photograph of a plug belonging to some USB device or other (as is obvious from the lead trailing out of the back).

    I hope the device in question was a USB flash or an SD card rather than the memory stick quoted - wouldn't want public money wasted on overpriced Sony proprietary crap.

    Paris because she sticks in one's memory

  21. RW
    Unhappy

    PA Consulting

    Just why are they so favored by NuLab when, according to other comments, they've long since demonstrated their incompetence? Political connections, just perhaps? Or does our Jacqui have a thing for the MD?

    And what ever happened to the concept of ministerial responsibility, one of the cornerstones of the British constitution, pray tell? Jacqui Smith should have resigned long ago given the number of complete fiascoes that have happened under her guidance. The issue isn't whether she's personally responsible; it's that she has to take responsibility for both the good and the bad that occur on her watch. The woman's clearly out of her depth; AC's remark "Government for the hysterical housewife BY the hysterical housewife" is absolutely on point.

    Of course NuLab as a whole is clearly out of its depth. Its persistent discounting of intelligence, competence, education, experience, and skills in favor of political correctness and adherence to the party line means that now, after 11 years of NuLab, the Civil Service (or what's left of it) is infested with stupid political hacks from top to bottom. With the best will in the world, it will take decades to rebuild the British civil service, once the envy of the world.

    Anyone have any insight into the morale of the civil service?

    It would be funny if it wasn't so sad, seeing a once-great nation ground down into the current mess by a bunch of dimwitted ideologues.

  22. Andus McCoatover
    Joke

    @@ Enough & black lists

    <<"Blacklists won't work.

    They'll lose them.."

    NOT if they are tattooed on the PM's face :-)>>

    Er, what if Obama's our new poodle-caretaker PM? S'pose they'll have to be "Whitelists"?

  23. Boris the Cockroach Silver badge
    Pirate

    Not this again

    I used to be one of the despised civil servants working for the MoD in a secret job (in fact so secret, not even I knew what I was doing :=} )

    On the first day, all the new people were bluntly told:

    "You will keep all classified and above materials securely on site, you will not take them off site, and if part of your job does involve you taking them off site and you lose them, you will be subject to various penalties ranging from loss of job to 5 years in prison"

    My question to the minister currently in charge is..... who's been fired for the breach, and what criminal charges are being considered?

  24. Simon
    Coat

    The database of all UK citizens will be defeated but...

    it no longer matters. These data leaks are just the way the government is getting around the issue. No doubt every time there is a leak announced someone in a trilby and reading a broadsheet (with 2 holes cut in it), standing on a corner somewhere in Westminster is collecting it. Surely this is why no minister is having to forfeit their job.

    The one with the coat because that's the guy who is uploading the missing data to the government's everyone database.

  25. Anonymous Coward
    Anonymous Coward

    @Christopher P. Martin

    "I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them."

    Could it be because you're very anal?

  26. Anonymous Coward
    Coat

    @ Anonymous Coward

    "- so far there is no evidence that there were ANY procedures and policies in place (gov/consultancy) that would have prevented such an event"

    Apart from the fact that Jacqui Smith on the one o'clock news specifically said that the Home Office and "The Contractor" had specific processes in place.

  27. Chris
    Paris Hilton

    Breach of contract...

    Is that really as far as Ms Smith will go? FFS heads should roll for this, esp. after all the previous cock-ups. Prison even. This should *NOT* still be happening. The question is not how was the data lost, but how on Earth was the data accessed in the first place. Contractors should not have unfettered access to this kind of data without a very, very good reason.

    Like others have said, this is confidential data that's been lost. In any other business you'd be out the door with your P45 in your hand faster than you can say, 'Paris Hilton.'

    This government take the absolute piss and Gordon will be out after the next (soon to be lost) by-election and Labour soon after, I hope!

  28. kain preacher

    Hmm just a thought

    Could I not pay my taxes in the UK and then say hey I paid you chaps lost the records. Not my fault.

  29. Gulfie
    Thumb Down

    This is what happens...

    When you run government IT on a shoestring.

    Actually, PA are one of the better consultants working for the government - I've worked with them, EDS, CapGemini, Detica and Capita, all bid bargain basement prices so the service provided is straight from poundland...

    The government is reaping what it has sowed...

  30. Anonymous Coward
    Paris Hilton

    Mr Pedant makes a comment

    Just a small factoid... but pertinent all the same. The data is not lost. The storage device is lost (flash drive/USB/memory stick whatever). The problem is not one of lost data because the original database is still valid, but more one of "someone ELSE may now have a copy".

    PS - recommend we re-introduce quartering for politicians, anyone got a couple of spare horses?

  31. Anonymous Coward
    Anonymous Coward

    How incompetent is this country?

    I am looking for a refund on everything that has been enforced, by this lousy bunch of swindlers.

    There is not one iota of good in any of the public sector from education, policing, military, governance, and now the prison service, only the library service to go, oh wait.

    It just goes on, we must be able to fire the lot of them, confiscate their property, stick them all in rowing boats and shove them off Dover beach, let the French deal with them :)

  32. Anonymous Coward
    Anonymous Coward

    Darn!

    I feel so much safer in the knowledge that my personal details will be secure once the UK introduces the national ID database and cards

  33. Anonymous Coward
    Anonymous Coward

    @nomen

    More like the Government (etc) are losing them on purpose because by making us all open to identity theft, it is proving the case for needing an intense 'identity proving' database. How very convenient.

    ID cards are supposedly needed because we need a way of proving EXACTLY who someone is. A driving license, bill and passport aren't enough, and can be faked.

    So they'll say that it doesn't matter if someone has your name and address, because in future, with the ID cards, they will need to have your fingerprints and retinas too. Otherwise they will get nowhere.

    (Although I give it less than 5 years before criminals are able to somehow 'steal' fingerprints and dupe eye scanners)

  34. Anonymous Coward
    Thumb Down

    2 things.

    "The data was held on PA's computers, in "a secure format" according to the Home Office, but was downloaded onto a memory stick and "for processing purposes." This was then lost. A search of the company's premises has failed to recover "

    It's completely irrelevant how secure it was last year, last week, or yesterday, if it has gone balls up today.

    Is that honestly supposed to (re)assure ANYONE of ANYTHING? Or has it just become such a habit to include a line like that whenever shit hits the fan?

    Secondly, it couldn't have been that secure if it managed to get easily transferred onto a freakin' PORTABLE usb stick by some random person.

    THEN subsequently lost.

    I suggest that any sensitive data should have to be stored on something so large that it's impossible to misplace it (so I guess it will have to be bigger than a laptop...) I mean, if you REALLY need to use a tiny memory stick, is it too hard to attach it to a keychain/lanyard so that you CAN'T possibly lose it? Or to have one of those beeping key finder devices attached to it?

    Common sense people. If you're so stupid that you lose small things then at least have the sense to attach them to something that makes it a bit harder for them to disappear. Or something that can locate them when they inevitably do.

    Seriously.. They expect us to believe our information is secure? Why are people allowed to make copies of ENTIRE databases whenever they want, presumably without any sort of special permission or supervision?

  35. I. Aproveofitspendingonspecificprojects
    Happy

    You lucky people.

    I think we should all have ID cards, not just the few who travel on London trains or break into civil servants' cars.

  36. Anonymous Coward
    Anonymous Coward

    Re. policies et al - just realized something..

    If I read the PA Consulting website "defence" section right, PA must be a cleared company (i.e. List X, although that apparently no longer exists). That suggests annual audits.

    The longer I look at this the more it starts looking like a one person cock-up, which is almost impossible to defend against (as evidence that rules don't stop problems, do a bit of digging for the "Kofi Annan bugging scandal" - tell me that lot doesn't have enough processes and rules).

    As cock-ups go, however, this one is of epic proportions. PA was already unpopular for a number of things it was doing (remember the speed camera study?) and seems not to have guarded against the impression it was very much allied with one party (given that it was doing its dirty work re ID Cards it probably would have been a waste of time to claim otherwise anyway).

    The timing is thus a classic: a party under threat, and with a history of blatant incompetence when it comes to data retention, employs a now unpopular consultancy which demonstrates a compatibility in the area of data loss. Result: it has gone political at warp speed, with a government keen to show "it wasn't me" (for a change), an opposition not willing to let them off that easily and both sides firing at the consultancy in the middle. Sacking the person who lost that data is not going to fix this, it'll need more important scalps before this dies down.

    It'll be an interesting week ahead, I think..

  37. John Stag

    @ should we be automatically blaming the government?

    Absolutely!

    They're the ones who could enact laws to send everybody concerned to prison for a long time whenever this happens (the person responsible and his superiors).

    The only way to deal with this problem is to make everybody completely paranoid about carrying sensitive data around on their person. This sort of data should never leave the building in any form.

    The current system is based on a bunch of greedy contractors trying to get a slice of government money at any cost. Wouldn't it be better to have people scared of taking this sort of contract unless they were damn sure of their security procedures?

  38. heystoopid
    Paris Hilton

    But then again

    But then again the way the current UK has been installing barriers for all the local peons to travel about internationally and all those security cameras being installed even in public loos, I would have thought the prison population including all on day release jobs (well someone has to earn the money to pay the wages of the blue coated armed security guards who shoot foreign guest workers on sight without any provocation or probable cause) the current prison population must be about fifty four million men, women, grannies, children and babies inclusive give or take!

  39. Destroy All Monsters Silver badge
    Paris Hilton

    Very nice, very nice....

    <---- Is this a memory stick in your pants or you just glad to see me?

    I will make this "suggested reading" in our small informatics group, including the thread. Maybe I can get past the "gallic shrugs" this time 'round.

  40. Gary Samuelson

    If you don't care -> they won't care

    If you don't care they won't care.

    Worrisome to hear the crowd grumble about something that typically results from bad policy.

  41. This post has been deleted by its author

  42. Anonymous Coward
    Anonymous Coward

    Why was the data there in the first place?

    I agree with everything said about USB sticks and portable media.

    What I don't see is why the data was in clear and complete. According to the BBC report, it was provided for a research project on tracking prisoners through the system: how much of the data was needed for that? Surely a unique identifier, age in years, sex , sentence and possibly crime committed, and risk status would be adequate?

    Equally, how secure is secure remote access?

    *If* working from home is needed, wouldn't this be a better way of authorising remote use of data than download onto any type of media, whether or not encrypted?

    You can tell I'm a GP - and not an IT consultant!

    PS what are the implications for the single shared electronic patient record being introduced under NPfIT?
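The minimised, pseudonymised research extract that Harry Stottle's comment and the GP's comment above both describe, as an added example that is not part of the thread. The field names, record layout, sample rows and key below are all constructed assumptions, and it goes slightly beyond the comments by adding a release check that refuses an extract still carrying a direct identifier.

```python
import hashlib
import hmac
from datetime import date

# Fields the research extract may carry, following the list in the comment above.
# All field names here are hypothetical; the real schema is not on the page.
ALLOWED_FIELDS = ("sex", "sentence_months", "offence", "risk_status")
# Fields that identify a person directly and must never leave the source system.
DIRECT_IDENTIFIERS = ("prisoner_id", "name", "date_of_birth", "home_address")


def pseudonym(prisoner_id: str, key: bytes) -> str:
    """Stable keyed pseudonym: the same person maps to the same token in every
    extract, so they can be tracked through the system, but without the key the
    token cannot be recomputed from a known prisoner number."""
    digest = hmac.new(key, prisoner_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def age_in_years(dob: date, on: date) -> int:
    """Generalise a date of birth to whole years on the extract date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def research_view(record: dict, key: bytes, on: date) -> dict:
    """Build the row a researcher sees: pseudonym, age and allowed fields only."""
    required = ("prisoner_id", "date_of_birth") + ALLOWED_FIELDS
    missing = [f for f in required if f not in record]
    if missing:
        raise ValueError(f"source record lacks fields: {missing}")
    row = {
        "pid": pseudonym(record["prisoner_id"], key),
        "age_years": age_in_years(record["date_of_birth"], on),
    }
    for field in ALLOWED_FIELDS:
        row[field] = record[field]
    return row


def leaked_identifiers(extract_row: dict, source: dict) -> list:
    """Release check: name every direct identifier whose source value still
    appears somewhere in the extract row. An empty list means the row passes."""
    values = [str(v) for v in extract_row.values()]
    leaked = []
    for field in DIRECT_IDENTIFIERS:
        if field in source and any(str(source[field]) in v for v in values):
            leaked.append(field)
    return leaked


# Constructed sample data, not real records.
SAMPLE_RECORDS = [
    {"prisoner_id": "A1234BC", "name": "John Example",
     "date_of_birth": date(1970, 8, 25), "home_address": "1 Sample Street",
     "sex": "M", "sentence_months": 36, "offence": "burglary",
     "risk_status": "medium"},
    {"prisoner_id": "D5678EF", "name": "Jane Placeholder",
     "date_of_birth": date(1985, 2, 1), "home_address": "2 Sample Street",
     "sex": "F", "sentence_months": 12, "offence": "fraud",
     "risk_status": "low"},
]
# Constructed demo key. In practice the data owner holds the key and it never
# travels with the extract.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

if __name__ == "__main__":
    extract_date = date(2008, 8, 22)
    for rec in SAMPLE_RECORDS:
        row = research_view(rec, DEMO_KEY, extract_date)
        assert leaked_identifiers(row, rec) == []
        print(row)
```
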

  43. Anonymous Coward
    Boffin

    implications for the SSEPR being introduced under NPfIT?

    ... details regarding your most embarrassing ailments will be up for sale to the highest bidder.

  44. Anonymous Coward
    Joke

    To be honest I don't see what the fuss is about.

    Memory sticks are like Bic Biros. They fall into a separate ether from which there is no return, unencrypted or not they are probably far more secure than having an encrypted stick in a known location. Until we've got some way of crossing dimensions there's not going to be a problem.

    Mine's the one with the Tardis Key in the pocket.

  45. Anonymous Coward
    Coat

    oh goody :)

    does that now mean all the prisons are now empty???

    so they can start banging up all those chavs n other undesirables still loose on the streets.

    hey maybe they could impose new jail sentences, I sentence you to 20 years imprisonment on USB stick... (for the worst offenders).

    we can but wish i suppose ;p

    mine's the one with the pockets full of lags on a stick,,,, which I'm gonna delete as soon as I get home,,,,

  46. James Pickett
    Alert

    Icebergs - tips of

    It occurs to me that we only get to hear about the losses that have been confessed. If I lost a memory stick/CD/laptop with sensitive data, but still had access to the original files, I'd replace the device PDQ and keep my head down, so presumably this has only come to light because the stick's former owner can't reproduce the information easily.

    One thing this incident will help to ensure is the keeping of extra unofficial copies of everything!

  47. John Dougald McCallum
    Stop

    @Peter Gathercole

    " Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs"

    Why have "USB" or "PS/2" ports at all? I personally do not see the need for them on data processing computer terminals. Have the keyboards hard wired; keyboard goes down, replace the lot, or use a DIN socket. These can be made with as many pins as are needed, some of which need not even be live.

    Anything wrong in this approach?

  48. Goat Jam
    Paris Hilton

    What?

    Was it an access database or something?

  49. Anonymous Coward
    Coat

    Well...

    @John Lettice- You could have at least put it in ironic "quotes" to point out how silly the Home Office are,

    and

    @AC- Yes, I probably am a bit anal.
