What were they thinking?
Losing the stick is not the most important issue here, but rather why on earth someone would think it was a good idea to put this kind of data on a USB stick.
Leicester City Council has found the USB stick containing key codes for several thousand vulnerable residents' front doors. The stick went missing in mid-March and contained key codes to open boxes outside the homes of users of the council's care service which contained front door keys. The council changed several thousand …
"we ran a series of tests on it which indicated that the data on it has not been accessed during the period the device was missing."
Is this actually possible? It sounds like just the kind of BS an organisation comes out with to provide some reassurance to an unquestioning idiocracy.
Of course, I could be being unfair...
Translation: We looked at the "Last Access Time" file attribute and hoped it wasn't accessed by someone who knew how to reset it - or how to avoid modifying it in the first place - or who used a decent raw copy utility - or, or, or.....
Obviously the key wasn't securely encrypted in the first place, otherwise there would be no panic.
" . . . But it has now found the missing USB stick, in a member of staff's lunch bag.
The council told This is Leicestershire: "We have continued our search for the missing data stick and, as a result, can confirm that it was found over the weekend."
Sounds about as plausible as 'the dog ate my homework'.
Why was this kind of data extant on removable media to begin with?
Surely IF the council needed to store this data, presumably so that officials can open the doors to the properties in question in an emergency, why was it not kept on a secure system, with codes being given out on a "need to know" basis only?
The whole point of this data being on a USB stick is to make it as simple as possible for staff to gain access to properties in an emergency situation.
The data should be on an encrypted drive which is paired to a particular laptop, with logging in place for when the data is accessed.
You can come up with all sorts of other plans for securing the info, like on a secure server and you have to phone up to get access codes... but the more layers the higher the risk of the data being unavailable in an emergency.
The problem is that you have to employ staff that can be trusted with sensitive information and not to lose that information.
I have a USB memory stick on which I keep an Excel spreadsheet of my "address book", which I update regularly and carry about with me... and guess what? I have never lost it!
Mine's the one with the memory stick in the pocket
It minimises the risk of the data being accessed from the laptop by some hacker when the user installs some P2P software and "shares" the entire hard drive.... you have to remember what sort of skills these people have when it comes to PCs
Plug the memory stick in when it's needed, it does not have to be accessible at all times.
Also it simplifies the update of the data if you just have to hand over the memory stick to your IT department for 5 min...
Mount USB as read only. Not hard.
Read/copy drive at will
Return to Council.
They should still be nailed for having that data unencrypted on a removable device. The fact it has been recovered is borderline irrelevant.
Where was the data being moved to? An employee's personal computer? If so there is probably a copy at home on (generalising now) a spyware infested, torrent riddled, festering pit of a PC.
If they have a work laptop then why would they need to put the data on a drive anyway? Nope, Leicester's decent into the land of Fail continues unabated!
I don't think the Council will have placated the ICO by finding it.
It says
"However, whilst we have been assured by our supplier that the information on the device is not accessible to anyone who may find it, we are taking every precaution to maintain the security of our LeicesterCare users",
From harsh experience "not accessible to anyone" usually means the file is password protected using the password written on the other side of the stick.
If it was encrypted they'd have been very careful to say encrypted because that would get them out of the crap they're in and they wouldn't be bothering to do anything about securing coded keysafes.
Incidentally that does mean they've probably wasted shoite loads of time and overtime money changing all these codes not to mention putting a large number of vulnerable people into a state of fear and alarm.
You may now join Leicester on their decent to planet Fail for taking any public statement at its face value.
To do it once is forgiveable, but to repeat the mistake requires intervention.
The word you are looking for is 'descent'. You have marred a phrase that could possibly have gone on to live in internet folklore, and possibly spawned a whole dynasty of 'planet Fail' spin-offs (escape from; ascent from; born on) Maybe even a movie tie-in - "It came from planet Fail"? But now it will probably end its days on a grammar pedant website being repeatedly dragged out to amuse the public as a curiosity in a grammatical freak show.
Sorry for the overreaction to a harmless dropped 's' but I need sleep and can no longer tell where the internet finishes and the voices in my head begin.
Oh for the folly of youth. I am that AC and I lament the lost opportunity presented by that phrase to start a new and original internet meme.
Oh the T-shirts I could have printed, the mug sales, the mouse mats, the endless milking of geek subculture.
Damn you unchallenging education system!
Damn you all to hell!
Just because the file access times may not have changed, it still doesn't mean that someone didn't make a bit-image copy of the device, and then read the data later, elsewhere. A small stick like that could be cloned in a few minutes, without any evidence of that on the original device.
> As soon the data stick had been recovered, we ran a series of tests on it which indicated that the data on it has not been accessed during the period the device was missing ..
Orlowski: Do you believe this crap, Oates?
Oates: It's not our job to believe it, Andrew. Our job is to tell the people --
Orlowski: "Exactly what they tell us." I know, but do you think that people will believe it?
Oates: They will if it's you that's telling it to them. Now let's try it again.
This is not a low-level failure. This should not happen in a large public sector organisation. The council is required to have rigorous information management policies in place under an over-arching Information Management Strategy, with governance that goes all the way to chief officer level.
We will be happy to assist you in this regard.
David Gale
CEO
SITFO.org
along with what machine it was plugged into when accessed if they had been using SafeConsole from BlockMaster as that has a full audit trail of what machines a device has been plugged into, along with what files have been accessed.
Obviously SafeConsole only works with encrypted drives from BlockMaster or Kingston but it does give you full logging on a device.