The UK's Office for National Statistics and Lockheed Martin are racing to check if hacker group LulzSec has got its hands on this year's census data. Such a massive data loss would be embarrassing even for a government with such an amazing record of data protection failures. LulzSec's Twitter page has no mention of the supposed …
Oh God, I hope so....
Please, Jim, can you fix it for me for this to be true?
Speaking as someone who's form "was posted, honest, it must of been lost" there was no way I would of trust *that* much information to the British Government and a single war-mongering organisation.
> "no way I would of trust *that* much information to the British Government and a single war-mongering organisation."
Did you actually read the census questions?
There really wasn't anything particularly exciting in there. Facebook probably has more detailed information on me.
"Facebook probably has more detailed information on me."
I think that says it all.
Facebook probably has more detailed information on me too, and I'm not a farcebook user.
EPIC FAIL (if true)
If this story is true, then why is this data on a network hooked up to the Internet???
Probably because you can submit the census online?
Going by the speed and efficiency of past government bureaucratic operations I'd be highly surprised if all the census data had been collected, entered and collated yet.
It'll be data from all those who completed the online form, methinks. Oh well, good luck to them, my life is not exciting enough for me to care!
Isn't it about time we gave this bunch of pompous tits at LulzSec a massive punch in the face?
I'm so fucking tired of these self-aggrandising little twats hiding behind the fig-leaf of testing security as an excuse for shits and giggles at everyone's expense.
The more this kind of stupid crap goes on, the more of everyones taxes the government will spend on security in an ever escalating arms race and, perhaps more importantly, the less useful stuff can be done with data by legitimate users.
All these bloody fools will achieve is to make everyone poorer, everyone's lives harder and restrict everyone's access to legitimate information, giving goverments and corporations the perfect excuse to be ever more restrictive and opressive.
To defend these oiks in any way would be like blaming yourself when your bicycle gets nicked, because you only used three medium strength locks rather than locking it in a lead-lined bunker behind a 12-tonne door with triple timer-protected dedalocks on 57-digit combinations.
JUST. LEAVE. OTHER. PEOPLE'S. SHIT. THE. FUCK. ALONE.
The takehome lesson here is not 'lulzsec are a bunch of little shits'. It is that net security is so woefully inadequate and the attitude of the people responsible for your information is lax to the point of irresponsibility if not dereliction of duty.
Sure, it sucks that a bunch of juvenile delinquents stole your stuff, but, get this: how on earth did a bunch of juvenile delinquents get to steal your stuff in the first place? If they can do it, so can pretty much anyone. And indeed, there's a pretty big chance that people already have, but because they are serious criminals you won't find out about it til your credit card bill comes.
Regarding bikes? Your metaphor sucks. Its a bit like giving your bike to someone else to keep safe, only to discover they left it locked up on the street with a £5 bit of wire and a 3-digit combination lock and it vanished the moment their back was turned.
You should be grateful that the people who have exposed such incompetence are not more malicious.
I'm agreeing here
Should slack security be highlighted? Of course it should, publicly and people should be made accountable for it. Is this the right way to go about it? No.
If I see someone in the street who's left their car door open with their wallet on the front seat do I?
a) Point this out to them so they can deal with it
b) Steal the wallet, sell the contents on ebay and then send a link for the completed auction to the owner.
These people have to understand that they're not sticking it to the man here; they're not fighting the power. They're just messing with people's lives.
Glad someone agrees with me
If this is true then they need to be stopped immediately. It's one thing to attack a big corporation it's another entirely to steal private information on potentially millsions of innocent people and publish it on the internet.
Again if true, this is them crossing the line into severe criminal activity needing harsh punishment.
Of course there will be people suporting them and saying things like "Yeah, stick it to the man, expose those security failings LOL!!!" but how will they feel when it's their credit card details being used by criminals. I've already had my card details stolen like this three times this year from different reputable companies and had to waste time cancelling and re-issuing my cards.
While I'm not a fan of lulzsec and they probably are a bunch of f*cknuts, moaning at them for getting the data is a bit short sighted. Yes they're probably doing it for kicks, but if they can do it so can criminal organisations that wont shout about it and the first thing you know is when the debt collectors come knocking.
By all means think they're muppets, but never complain that people have publicly warned you that your private details are available to any crim with an internet connection.
Except that if/when they post that information on the internet for anyone to see, what little justification they have for their little crusade goes right out the window. There's nothing socially responsible about Handing our data over to the people who will gladly fuck us over for real.
Couldn't have said it better myself
I was pretty much intending to post almost exactly the same thing but since you covered it quite well I don't think I will - I'll just say good on that man :)
The only thing I would add is that at this stage we don't have any direct confirmation that the census hack itself has happened but the post is just as valid without it.
@Glad someone agrees with me
So Lulzsec having this information = bad...
UK Gov, US Gov, EU, Arms Corp, whoever else the Gov sells it to = good?
NOBODY should have this much info, plain and simple.
"The takehome lesson here is not 'lulzsec are a bunch of little shits'. It is that net security is so woefully inadequate and the attitude of the people responsible for your information is lax to the point of irresponsibility if not dereliction of duty."
And you've gleaned that from one one unconfirmed posting on PasteBin which appears to be a lie? Well done.
but but but
they took away our OtherOS......
They haven't warned...
...they've threatened to publish, for no other reason than for 'lulz'. Totally ridiculous apologism for a criminal act here. Looks like a massive red herring anyway. Maybe it was an experiment to see how many people would defend them, just because they were going against 'the man'...
I'm not confirming that this was the mechanism used because I just don't know, but it is reported that Lockheed Martin's internal networks were compromised by the RSA failure reported several weeks back, so it would not surprise me if they used similar technologies for the UK Census.
If you are implementing a solution that relies on a security product that is proved faulty after installation, can the blame be put completely put at your door?
The fact that RSA keyfob one-shot password devices were in use in Lockheed Martin shows that someone was actually thinking about some security. RSA devices are widely used because they were trusted, and that problem has caught many organisations out.
I am not saying that a single security measure is sufficient, but I wonder how many people commenting here have really tried to build a complete infrastructure that a) does not rely on third party security devices, and b) provides the level of security mandated by CESG. I'm sure that some have, but most have not.
I'm not apologising for LM, but like so many things, it's actually much more difficult to do than most people think, and there are serious tradeoffs between security and cost.
When I worked at government agencies in the past, the most secure systems were effectively on air-gapped networks, with multiple networks to each desk. This cost a lot of money, and ultimately meant that remote support was difficult to impossible. As you cut costs, you link things together using security products. This makes the environment vulnerable to third-party security failure. One bank I worked at had multiple security layers, and adjacent security layers could not be provided by the same technology. Very sensible, but also very expensive.
While i invest in some tin manufacturing businesses...
Is anybody really surprised?
Having written to the ONS in January expressing my concerns about the use of Lockheed Martin and the security of my personal data, the stock reply from Helen Bray (2011 Census Stakeholder Management and Communications) had the wholly un-reassuring conclusion,
"I hope you will be reassured by the measures taken to protect the confidentiality of census information".
...oddly enough, I wasn't reassured. But since the incompetents at Lockheed Martin seem to have lost my form anyway, with luck at least my info didn't get leaked.
Is this the same Lockheed Martin that hadn't bother to upgrade access to its VPN two months after it was publicly announced that RSA would have to replace 40 million tokens due to private keys having been stolen from RSA's server?
>> " ... “Lockheed had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach."
and the same Lockheed Martin that that has its traffic intercepted and monitored by the NSA?
Is there no UK data that ultimately ends up in the hands of the US Govt?
The NSA doesn't need to bother snooping. Thanks to the Patriot Act, any data held on American soil is fair game for examination.
The question here isn't about LulzSec or a red-herring hack post, but more WTFingF is the British government doing handing sensitive data on its citizens (even if the questions are boring, you can infer a hell of a lot from that much data) to a FOREIGN company where it will almost certainly be of interest to the FOREIGN government. If the British government does not feel competent to manage the census collection and collation, and there is no single British organisation capable, then the answer is bloody obvious - skip it. Wait until it can be coped with. Nationally, within the borders of the country concerned.
Fail icon, because the British government is a laughing stock. Whatever LulzSec may or may not have done, the data is far out of their (the govt's) control by now. Congratulations.
Just because a US contractor is working on a project does not mean that the data is being stored on US soil. I don't know about the Census, but I do know about the DVLA, where the contractors are IBM and Fujitsu, and I can tell you that there is no wholesale storage of your car or license data anywhere outside of Swansea and Salford (although the D90 mainframe in Salford should have been decomissioned by now). That's where the servers are, and that is where the contractors work.
There was simply no method of moving the data onto either IBM's or Fujitsu's corporate networks, and severe penalties (including prosecution) to for anybody who did. This was understood, and is drummed into all people working on the contract on a monotonously regular basis.
In case you hadn't noticed, there are very few companies prepared to work on large government bids that are not mutinationals.
If they did get their hands on the census data... what would that mean for the promises that were made about the security of our census data?
I'll hazard a guess. The contractor gets the blame and nothing changes in government/whitehall... that or 'these evil hackers' are hunted down and burnt at the stake.
If this is true
The ConDems are finished. This is the identity theft to end them all.
I think you're forgetting...
...it was NewLab that gave Lockheed Martin the contract.
But it was lost...
On the ConDem's watch. That counts for a lot. Who is going to remember who issued the contract 10 years or so ago?
At least, as my colleague has pointed out, this should put paid to all this craze in the govt about Cloud services.
I think *you're* forgetting
the moronic nature of the british public, with a 5-second attention span. I've heard people banging on about "da cuts", (look at the ILF, for example) and blaming "da tories" when it turns out they were implemented 18 months before the election.
Anyway, isn't one of the responsibilities of government that what happens on your watch is your fault, irrespective of who actually instigated it ? It's certainly why they claim the jobs are paid so much.
Not on it
AC in case TheReg gets hacked (not that that would probably help at all)
Never ever trust sending your details to the US .- if the government doesn't get it then the hackers will. I'd bet on the US gov getting it first though.
My sekret membership of the Sith will be revealed.
Who's the other one?
Always two there are. No more, no less.......
Never understood that line.
What if you're a Sith apprentice and your master gets run over by a bus? Then you're well and truly fucked.
Remember, kids: redundancy is your friend! Whether you're storing UK census information or supa-secret evil Jedi knowledge: a backup in time saves nine.
ive been told this is impossible
according to source ive been relibale informed that the data hasnt been processed by the government yet. so there isnt anything for lulsec to steal.
i hope he is right, otherwise this is a massive loss for the government, and it could be a massive issue for everyone in england and wales
some people filled the forms in online - so surely a subset is available. Maybe not processed, but in a raw form ?
Why do I *really* want this to be true ...
You know it's wrong, but somehow good ...
I just want to see people replay the assurances that were given before the census, (along with some saved webpages) and have our leaders tell us how wrong they were.
...as was mandatory to fill it in, where can i claim my bit of data protection compensation for allowing my details out?
I think I know where I can go for it.
Not significant - there are probably more damaging leaks of my data from other places - e.g. websites with my credit card details, medical history from my doctor's office, than from the census, which, when it comes down to it lists my name and address (in the phone book, with my phone number), my date of birth (not hard to find), my vocation and salary (as I work for a publically funded organisation it's a matter of open record) and very little else.
I do hope though, that the ICO fines the holders of this data a significant sum.
Per record, of course.
Fines are just passed on to the taxpayers - gaol terms are not.
This is going a bit too far...
Look, if you want to f--k around and piss off a few companies and 'for teh lulz' then, even if I don't think it's funny, I won't care that much.
However, if it's gotten to the point that the private information of every UK citizen is stolen and made available for anyone who wants it....that's just going too far. You're now putting peoples' lives at risk, in many different ways, not just from over-the-top fancies like terrorism (yeah yeah) but more from the risk that people will be able to find others who have had to make themselves lost for their own protection.
Those of us who considered our jobs might put at risk from "over-the-top fancies like terrorism (yeah yeah)" lied about our jobs, earnings and anything else vaguely related.
When asked what my role was, I wrote something along the lines of "paperwork and stuff".
Call me cynical, psychic or whatever but I kinda saw something like this happening.
Wouldn't want to be someone who'd admitted to being UK Govt in NI though!
Not holding my breath for a tweet
Seeing as how the police arrested a guy this morning, reportedly for being part of LulzSec
They're just bloody useless, the lot of them. Even the ones that aren't in control (oh wait, that's all of them)
What we need is a benevolent dictatorship.
My wife has been practicing her skills at running an almost benevolent dictatorship at our home for years. I'd say she's up to the task by now.
Heads will roll. On the Moment Magnitude scale, this is the equivalent of a 9.0+.
Heads never roll..
'Lessons are learnt".
Don't worry, Plod's made an arrest.
What the betting the poor sap had his PC compromised?
I note that its now being claimed that an alleged 'ringleader' for Lulzsec has now been arrested. In Essex.
If any of this proves actually proves to be true, then it may at least serve some useful purpose - to expose the utter idiocy of our government in entrusting personal data regarding UK subjects to a commercial organisation in the US,
No doubt the US will go for extradition -
'We want your citizen to stand trial in our country for stealing your data'.
No, I'm Spartacus!
- Product Round-up Smartwatch face off: Pebble, MetaWatch and new hi-tech timepieces
- Geek's Guide to Britain The bunker at the end of the world - in Essex
- FLABBER-JASTED: It's 'jif', NOT '.gif', says man who should know
- If you've bought DRM'd film files from Acetrax, here's the bad news
- Microsoft reveals Xbox One, the console that can read your heartbeat