Nicked unencrypted PC with 6,000 bank details lands council fat fine

The Information Commissioner’s Office has fined Glasgow City Council £150,000 for losing two unencrypted laptops, one with the personal details of more than 20,000 people - just two years after a similar blunder. More than 6,000 bank account details were held on one of the stolen computers. “To find out that these poor …

COMMENTS

This topic is closed for new posts.

    1. Colin Miller

      Re: Fines should come out of the council management remuneration pool...

      Glasgow CC also has one of the largest populations, at 600,000 or so. What is the executive per 10,000 residents ratio for all councils?

  1. weevil

    The silly thing is the cost of the fine is less than the cost it would take to implement encryption on their laptops. Maybe they should actually say "you have 28 days to implement council-wide encryption on all laptops and removable media" and sideline this fine to help pay for it; otherwise the fine goes up by a HUGE amount. Then the action of fining might actually mean something.

    1. Boothy

      Just fine them £150,000 a month for every month until they confirm they have either encrypted all the laptops, or wiped them securely and taken them out of circulation.

  2. Anonymous Coward

    Genuine Question

    Why is it we only hear about public bodies losing unencrypted laptops? Is it because the private sector doesn't ever lose any, the private sector only has encrypted ones, there is nobody to report the issues to in the first place for the private sector, or the private sector keeps quiet about it claiming it is "business sensitive information"?

    1. ed2020

      Re: Genuine Question

      IIRC certain public sector organisations (the NHS, for example) are obliged to self-report. Telecoms providers are also obliged to self-report. Private sector organisations aren't, in most cases, under any obligation at all.

      I'd guess that, in reality, the prevalence of data losses/breaches in the private sector, is no less than in the public sector. It's just kept quiet more often.

      1. Tom 13

        Re: Private sector organisations aren't,

        Maybe 10 years ago, not so much now. If you do business in California, you have an obligation to report if you've had an information breach and sensitive customer information may have been compromised.

        The big difference is, in private business you can't just take it out of the taxpayer money pool to pay for it. Even if it isn't coming out of your personal paycheck, it is coming off the bottom line. And somebody important will notice that.

    2. Anonymous Coward

      Re: Genuine Question

      The other flip side is that private businesses the size of local governments / NHS trusts etc. (let's do like for like, size-wise) will, I would hope, almost certainly have encryption.

      Why?

      Well, a 150k+ fine is FA compared to losing a multi-million pound contract when the customer gets pissed that you've lost their information.

    3. qwertyuiop

      Re: Genuine Question

      Public sector bodies are obliged to report any data breach; there is no duty on the private sector other than some vaguely worded best practice - "organisations are able to report losses of personal data to the ICO which the ICO encourages, however reporting such losses of personal data is not compulsory". Therefore the private sector rarely reports losses, if at all. They only tend to come to light by a different route because the organisation is, for example, in a highly regulated sector such as finance and has to report it under compliance rules.

      In 30+ years of working in IT I have worked for both the public and private sectors. Where this kind of thing is concerned neither side of the divide has anything to be smug about. I have experienced data losses in both types of organisation, but in the private sector we were able to hush it up - got to think of the effect on customer confidence and the share price after all! Nobody got fired either.

      Basically this is an issue that nobody wants to take seriously until after something bad has happened.

    4. Christian Berger

      Re: Genuine Question

      The private firms I've seen so far are so badly run they wouldn't even notice data missing... and that's in Germany, where there are laws on what you may or may not do with private data.

  3. MuddyBoots

    Private Firms

    I imagine that because bad publicity actually costs private firms money and is not just "water off a duck's back", private industry approaches security in a much more robust manner than councils.

    I recall getting a letter from a bank with whom I had a credit card a number of years ago (>12) telling me a laptop was stolen with my account details on it but that the laptop was encrypted. In addition they provided me with a new account number to ensure the information couldn't be used.

    Unfortunately, organisations (like people) have to feel it in the abdomen when this stuff happens for them to do anything real about it.

    My work laptop has password-protected hard disk encryption - unfortunately entering the password incorrectly 3 times renders it a brick. I imagine that the way laptops are shared and passed about in local government due to a lack of funds may mean that it is harder to implement such things. But not impossible!!!

  4. Anonymous Coward

    Just Sack the Person at the Top

    First time it happens and a CEO goes, all the others will think 'there but for the grace....', the second time it happens will be the last as proper security would be implemented across the board.

    The Admiral Byng solution is the only way

    1. Charles 9

      Re: Just Sack the Person at the Top

      And if it STILL happens? It's not like a government bureau can be dissolved, and a "changing of the guard" could result in a bad-to-worse transition.

  5. Steve Barnett

    Inexcusable failure

    HMG Security Policy Framework only requires that government employees comply with the Data Protection Act, which for some unknown reason does not require encryption of sensitive data unless departmental guidelines require it.

    But for heaven's sake, disc-level encryption has been transparent to the user for about 10 years; there must be a dozen companies out there offering tried and tested solutions. CESG goes through a hell of a lot of work to ensure that products are available and tested to a level that will work at all levels of government.

    With the number of high-profile instances of this sort of data loss hitting the press time after time after time, surely the only thing this shows is the complete lack of competence of the people at the top in both the IT and governance roles.

    There's no excuse for it, it's just plain incompetence, and I agree with the poster who suggested firing the people at the top.

  6. MachDiamond

    Ban Laptops

    There are news stories about private companies that have lost a heap of personal data. It gets reported if the data has credit card numbers or some such sensitive information.

    As questioned above, why are punters taking laptops full of sensitive data out of the office with them? There should be no reason a council employee must work at home with these sorts of files or should be allowed to. Identity theft is one of the fastest growing crimes and lost laptops facilitate it.

    I don't even see the need to have remote access to personal data. Work should get done at the office and home life done at home. If an employee needs to do work at home, there is something wrong with their job classification. Hire another person in the office.

    Here's another example of why BYOD is a bad idea.

    Encryption helps, but it would have to be the whole disk. Even if the whole disk was encrypted and the laptop was from somebody in defense and was targeted, the data has to be considered compromised. The same thing goes with a laptop stolen from somebody where it might be known that they regularly have sensitive banking information. No encryption is 100% and foreign governments have the technology to break through it. I wouldn't be surprised if some organized crime families are savvy in the art of computer espionage.

    Another good point brought up is that the council doesn't pay the fine, the ratepayers do. Same thing goes with setting fines against corporations. The fines are too small to matter to them and their customers pay the fines in higher prices, just like corporate taxes. If the fines get levied against the people at the highest levels, change might wander into procedures. For too long the people at the top have had cushy jobs that pay obscene amounts of money and have zero risk. I would call it negative risk as there will be a flock of expert lawyers to defend them and some sacrificial goats lower down on the corporate chain to take the blame.

    There is no such thing as too much beer. Cheers.

    1. ed2020

      Re: Ban Laptops

      No encryption is 100%

      Without brute force and millions, if not billions of years, how does one break into 256 bit AES? It may not be 100% (in theory) but in practice it is.

      ...and foreign governments have the technology to break through it.

      Any evidence to support your claim that foreign governments have the technology to break through any encryption? Thought not.

      1. Tom 13

        Re: Without brute force and millions

        The Maginot line was unbreakable too. That's why the Germans went around it. I expect most foreign governments know this too.

        On the brute force front, I give it about 30 years. Intel et al. will keep doubling processor power during that time. Security researchers will sniff around the edges finding a weakness here, and a soft spot there. None of them will break the algorithm outright, but taken in total the combination will break the encryption in less time than the theoretical calculations we make now.

        What protects us is that as each weakness is found, a new fix for that weakness is found and we will move to a new encryption algorithm. Security isn't the castle wall or the moat around the castle wall. It's building and manning them and adding new protections in an evolving environment.

      2. Stevie

        Re: Ban Laptops

        "Without brute force and millions, if not billions of years, how does one break into 256 bit AES? It may not be 100% (in theory) but in practice it is."

        But what if the thief threatens to pour a kettle of freshly boiled water over your head if you don't give him your private key? I've only just been made aware of this terrifying scenario over in the Car Door Hack Outrage story, but it seems thieves have no scruples about using one's own tea-making equipment as improvised torture devices.

        Possibly a hard-hat diving helmet would prove an adequate defence, but this is hardly practical. For one thing, field workers may not be audible unless they open their faceplates, exposing them to a possible faceboiling. For another, what if the wily thief connects the kettle spout to the hose inlets before boiling, steaming the hapless public servant's head until they give up the key?

        I've given this quite a bit of thought, and I think we must move aggressively to ban the kettle.

    2. Charles 9

      Re: Ban Laptops

      "I don't even see the need to have remote access to personal data. Work should get done at the office and home life done at home. If an employee needs to do work at home, there is something wrong with their job classification. Hire another person in the office."

      Easy enough to say until accounting tells you there's not enough in the labor budget to retain another worker. That's the big big problem with labor these days: people are expected to be working as much as possible or they'll find someone who works harder than you. It's a race to the bottom to find people who work as hard as possible for as little as possible...if they don't find a foreign worker who can work for what we'd consider a pittance or just turn the job over to an expert system who can work round the clock with virtually no time off.

      As for remote access, consider that some places have very poor Internet access. If you have to make a deadline (maybe it's for a contract), you can't stay in the office, and you can't rely on remote access, what options do you have left?

  7. This post has been deleted by its author

  8. Maharg

    I guess a mix of user error and non-enforcement

    I’m going to go ahead and assume following the last time Glasgow council probably invested time and money in producing a new policy for laptop encryption, probably spending lots of money to make sure it followed some ISO standard and they signed it off and said ‘that will stop it happening again’.

    And left it at that.

    And then it got down to department management, and some of them made sure their departments followed the new policy and procedures, and others didn’t.

    And then it got down to the user level, and while some users did exactly what they have been told to do, others left their laptops in an unlocked desk in an unsecured building and probably had a post-it with “pa$$word22” stuck on the laptop screen.

    It's these people who have screwed it up, and everyone will have to pay out of their wage packets / tax money.

    Every place I have worked I have found people that are just too arrogant, self-important or just stupid and seem to want to go do exactly the opposite of what they should, no matter who tells them, how many policies are made, how many awareness courses they go on, and then they bitch and moan when you take away their laptops and give them a desk PC at work because they can’t be trusted and treat them like a child.

  9. Anonymous Coward

    I wonder what would happen if...

    ...we all did freedom of information act requests to our local councils to ask for details of their policies that 'ensure' that this couldn't happen to us?

  10. Stevie

    Bah!

    Yes! Yes! Fire everyone and hire people who know what they are doing.

    Provided they will work cheaply enough of course.

    Then replace the laptops. Low bid, of course, so people should expect a few issues with the more expensive software options (like encryption).

    Make sure there are bulletproof standards and practices that constrain the purchasing too. Make those bastards buy the cheapest O/S from the Right People.

    Now, do we have everything in place? Good! Cancel the training budget so everyone's skills get moth-eaten.

    Now, cut taxes! Cut them some more! Trim budgets to match!

    Locksmith? Do we believe the taxpayers are made of money?

    Free software? Only if it is on the approved list! Thought not. Take another budget cut.

    WHAT?!!! YOUR UNENCRYPTED LAPTOP WAS STOLEN?!!! HOW COULD THIS HAPPEN?!! WOE, WOE UNTO THE PEOPLE WHO MADE THIS POSSIBLE?!!

  11. John Smith 19

    So virtual desktops, encrypted hard drives still just too damn difficult to explain to PHBs

    Others are right until senior managers start doing prison time this will not change.

    Sadly AFAIK the options to put criminal penalties (with jail time) into the DPA are still not set up.

    1. Fatman

      Re: So virtual desktops, encrypted hard drives still just too damn difficult to explain to PHBs

      Others are right until senior managers start doing prison time are taken out and shot, this will not change.

      FTFY

  12. Fatman

    More blame shifting bullsh-t!!!!

    A Glasgow City Council spokesman told the BBC: "This data loss should not have happened and we took immediate steps to ensure it does not happen again." Like WHAT!!!!! Piss and moan???

    "The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action." Really? How long into the future will YOU be able to make that guarantee? WRT "remedial action", was the fool responsible fired? Demoted? Most likely not.

    The taxpayers ought to round up those responsible and display them in a pillory in the town square. Perhaps local produce vendors can be persuaded to provide plenty of spoiled or rotten product for taxpayer 'stress relief'.

  13. Anonymous Coward

    bad and lazy management

    I work for a similar UK organisation, and all mobile devices are encrypted, any USB device gets encrypted or blocked on access, and most users are blocked from saving to local storage.

    Even with the problems Glasgow had with their machine encryption, they could at least have transferred the data to secure network storage or even an encrypted USB drive. I suspect we have to process the same data types and meet the exact same standards as Glasgow. If we can do it, they can - so appalling management, technical incompetence or laziness are to blame.

  14. tigerike

    encryption is free

    Not sure what the controversy is; when you install Ubuntu (and most other Linux distros these days) you are asked if you want the entire drive encrypted or just your home dir.

    I always do the full drive encryption on my laptops because you never know.

    Anyway, if you are an M$ fan (can't stand them myself and I live in Seattle), there is built-in volume encryption for the higher-end editions of Windows 7 & 8: http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
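
The "is the whole drive actually encrypted, or just /home?" distinction in the post above is the kind of thing a council's IT team should be able to answer for every laptop without walking over to it. The script below is an added example (not from the thread, nor anything Glasgow City Council ran): it parses the key="value" output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and reports any audited mountpoint whose block device has no dm-crypt (LUKS) mapping anywhere in its parent chain. The three lsblk outputs embedded in it are constructed samples. Note the caveat: this only sees block-level encryption; an eCryptfs-style encrypted home directory (what older Ubuntu installers meant by "encrypt my home folder") is a stacked filesystem and would show up here as plain.

```python
"""Audit Linux laptops for unencrypted data volumes from `lsblk -P` output.

Added example, not code from the original thread. Assumes the util-linux
`lsblk` that supports -P (key="value" pairs) and the PKNAME column.
"""
import re
import subprocess

# lsblk -P prints one line per device: NAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
_PAIR = re.compile(r'(\w+)="([^"]*)"')

# Mountpoints that must sit on an encrypted device. /boot and /boot/efi are
# deliberately excluded: the bootloader has to read them before the LUKS
# passphrase has been entered.
AUDITED_MOUNTS = ("/", "/home", "/var", "/srv", "/opt")


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` lines into {NAME: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(_PAIR.findall(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name, devices):
    """True if `name` or any ancestor (via PKNAME) is a dm-crypt mapping.

    LVM-on-LUKS layouts put the crypt node one or more levels above the
    mounted logical volume, so we walk the whole parent chain.
    """
    seen = set()  # guards against a malformed/cyclic PKNAME chain
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def unencrypted_mounts(text, audited=AUDITED_MOUNTS):
    """Return sorted (mountpoint, device) pairs that are mounted but not encrypted."""
    devices = parse_lsblk_pairs(text)
    findings = []
    for name, dev in devices.items():
        mountpoint = dev.get("MOUNTPOINT", "")
        if mountpoint in audited and not is_encrypted(name, devices):
            findings.append((mountpoint, name))
    return sorted(findings)


# Constructed sample outputs (not captured from real machines).
FULL_DISK_LUKS = '''NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
'''

PLAIN_DISK = '''NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="/home" PKNAME="sda"
'''

HOME_ONLY_LUKS = '''NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="crypthome" TYPE="crypt" MOUNTPOINT="/home" PKNAME="sda3"
'''


def live_report():
    """Run lsblk on this host and return its unencrypted audited mounts."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for label, sample in (("full-disk LUKS", FULL_DISK_LUKS),
                          ("plain disk", PLAIN_DISK),
                          ("LUKS /home only", HOME_ONLY_LUKS)):
        print(f"{label}: {unencrypted_mounts(sample) or 'OK'}")
```

Run across a fleet (over SSH, or from an endpoint agent) this gives a list of machines that would have been fined for, rather than shrugged off, a theft. The "LUKS /home only" case is the one worth watching: the root filesystem still carries swap, /tmp, browser caches and whatever users drop in /var, so "just my home dir" is not the same control as whole-disk encryption.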

  15. P Taylor

    Data on Laptops.

    "Perhaps the data should never have been on a laptop in the first place."

    You would not believe how often it happens in this day and age. Mainly down to poor IT Management and implementation.

    Two places I have been to this week alone doing break/fix repairs, staff were storing data locally on their laptops and not on the file server which they did have in place in the office.

    They were doing server backups daily, but it was pretty pointless as data was never put on the server and was just walking out the front door every day.

    Scary!

  16. Christian Berger

    What I don't understand...

    Why do they even store data on laptops? Why didn't they stay with some terminal-server solution and have a VPN concentrator connecting between that terminal server and the Internet. Particularly when you have older solutions like serial terminals, that's trivial to do.

    Data "flatrates" which will be throttled to about 50kbit/sec after a few megabytes are around 3 Euros in Germany. 50 kbit is perfectly enough for a serial terminal, and even gives acceptable performance for graphical sessions.

    That way no data would have to be stored on the laptops themselves. If a laptop goes missing you can easily replace it and as long as you have a password on the VPN it's useless to a potential attacker. (Of course lost and then found laptops need to be wiped)

    1. Charles 9

      Re: What I don't understand...

      You assume the laptop isn't going to a dead zone where there's no Internet to speak of: wired or wireless. They still exist, meaning it's a local copy of the data or bust, because the person handling it MUST go there and MUST have access to the data. As for the drive encryption, suppose free solutions are "not on the approved list", it reacts badly to BitLocker, and the budget doesn't allow for a different laptop.

  17. GeekinOrpington

    I've seen a couple of council laptops issued to staff with encryption but the password was on a sticker on the base.
