back to article Leicester unloses key data

Leicester City Council has found the USB stick containing key codes for several thousand vulnerable residents' front doors. The stick went missing in mid-March and contained key codes to open boxes outside the homes of users of the council's care service which contained front door keys. The council changed several thousand …

COMMENTS

This topic is closed for new posts.
  1. Ole Juul

    What were they thinking?

    Losing the stick is not the most important issue here, but rather why on earth someone would think it was a good idea to put this kind of data on a USB stick.

    1. tony2heads

      on USB stick

      Not only why it was on a USB stick, but how did it get in a lunchbox?

    2. Dunstan Vavasour

      Encryption

      Is it me? Setting up an encrypted drive is so easy that to not do so is reprehensible, whether the USB fob is lost or not.

  2. ChrisF18

    Genuine question

    Genuine question - educate me! How do you check if data has been accessed?

    1. Dale Richards
      FAIL

      Genuine answer

      Genuine answer - you can't.

      Presumably they've checked the "last accessed" time stamp on the files. It's very easy to avoid updating this stamp when reading a file, and it's also fairly trivial to later change the stamp to an arbitrary value.

  3. The Dark Lord
    WTF?

    Please help calibrate my BS meter

    "we ran a series of tests on it which indicated that the data on it has not been accessed during the period the device was missing."

    Is this actually possible? It sounds like the just the kind of BS an organisation comes out with to provide some reassurance to an unquestioning idiocracy.

    Of course, I could be being unfair...

  4. Fuzz

    "A series of tests"?

    That'll be checking the file a-times then.

  5. Anonymous Coward
    Grenade

    "We ran a series of tests...."

    Translation: We looked at the "Last Access Time" file attribute and hoped it wasn't accessed by someone who knew how to reset it - or how to avoid modifying it in the first place - or who used a decent raw copy utility - or, or, or.....

    Obviously the key wasn't securely encrypted in the first place, otherwise there would be no panic.

  6. Elmer Phud

    Really?

    " . . . But it has now found the missing USB stick, in a member of staff's lunch bag.

    The council told This is Leicestershire: "We have continued our search for the missing data stick and, as a result, can confirm that it was found over the weekend. "

    Sounds about as plausible as 'the dog ate my homework'.

  7. Glug
    Thumb Up

    A new first?

    Is this the first recorded case of lost data actually turning up again? A landmark moment in British history.

  8. Allan 1
    FAIL

    More worryingly

    Why was this kind of data extant on removable media to begin with?

    Surely IF the council needed to store this data, presumably so that officials can open the doors to the properties in question in an emergency, why was it not kept on a secure system, with codes being given out on a "need to know" basis only.

    1. Anonymous Coward
      Coat

      why not...

      The whole point of this data being on a usb stick is to make it as simple as possible for staff to gain access to properties in an emergency situation.

      The data should be on a encrypted drive which is pared to a particular laptop. with logging in place for when the data is accessed.

      you can come up with all sorts of other plans for securing the info, like on a secure server and you have to phone up to get access codes... but the more layers the higher the risk of the data being unavailable in an emergency.

      The problem is that you have to employ staff that can be trusted with sensitive information and not to loose that information.

      I have a usb memory stick that I keep an excel spreadsheet of my "address book" which I update regularly. carry about with me.. and guess what? I have never lost it !

      Mines the one with the memory stick in the pocket

      1. Wize

        erm...

        "The data should be on a encrypted drive which is pared to a particular laptop."

        If it only works on one laptop, whats the point of putting it on a USB stick? You would put an encrypted file on the laptop.

        1. Anonymous Coward
          Anonymous Coward

          because

          it minimises the risk of the data being accessed from the laptop by some hacker when the user installs some P2P software and "shares" the entire hard drive.... you have to remember what sort of skills these people have when it comes to PC's

          plug the memory stick in when its needed, it does not have to be accessible at all times.

          also it simplifies the update of the data if you just have to hand over the memory stick to your IT department for 5 min...

          1. Wize

            @because

            And nothing to stop it being read when inserted into the laptop.

            Plus the idiot user who will copy the info to a non-secure location (maybe via print-screen if you manage to disable copy & paste) as plugging in an external device is too fiddly when you want to use the data.

      2. Mark Aggleton
        Thumb Down

        Vegetables

        I thought paring was something you did to vegetables, not laptops and USB sticks.

  9. Anonymous Coward
    WTF?

    Mwhahahah

    Mount USB as read only. Not hard.

    Read/copy drive at will

    Return to Council.

    They should still be nailed for having that data unencrypted on a removable device. The fact it has been recovered is borderline irrelevant.

    Where was the data being moved to? An employee's personal computer? If so there is probably a copy at home on (generalising now) a spyware infested, torrent riddled, festering pit of a PC.

    If they have a work laptop then why would they need to put the data on a drive anyway? Nope, Leicester's decent into the land of Fail continues unabated!

    I don't think the Council will have placated the ICO by finding it.

  10. Anonymous John
    Joke

    Lunchbox?

    "We've looked everywhere else. So we now want all the male staff to drop their trousers."

  11. Tom Wood

    Presumably

    in years gone by such data was carried on pieces of paper.

    Presumably nobody could tell if that had been "accessed" either.

  12. npo4

    Data was encrypted

    If you read the previous article - http://www.theregister.co.uk/2011/03/22/data_loss_leicester/ it does mention that it was encrypted

    1. Anonymous Coward
      FAIL

      I think not my young padawan

      It says

      "However, whilst we have been assured by our supplier that the information on the device is not accessible to anyone who may find it, we are taking every precaution to maintain the security of our LeicesterCare users",

      From harsh experience "not accessible to anyone" usually means the file is password protected using the password written on the other side of the stick.

      If it was encrypted they'd have been very careful to say encrypted because that would get them out of the crap they're in and they wouldn't be bothering to do anything about securing coded keysafes.

      Incidentally that does mean they've probably wasted shoite loads of time and overtime money changing all these codes not to mention putting a large number of vulnerable people into a state of fear and alarm.

      You may now join Leicester on their decent to planet Fail for taking any public statement at it's face value.

      1. stuwaldy
        Headmaster

        Hey AC, I think you dropped this >>>> 's'

        To do it once is forgiveable, but to repeat the mistake requires intervention.

        The word you are looking for is 'descent'. You have marred a phrase that could possibly have gone on to live in internet folklore, and possibly spawned a whole dynasty of 'planet Fail' spin-offs (escape from; ascent from; born on) Maybe even a movie tie-in - "It came from planet Fail"? But now it will probably end its days on a grammar pedant website being repeatedly dragged out to amuse the public as a curiosity in a grammatical freak show.

        Sorry for the overreaction to a harmless dropped 's' but I need sleep and can no longer tell where the internet finishes and the voices in my head begin.

        1. Anonymous Coward
          FAIL

          Noooo

          Oh for the folly of youth. I am that AC and I lament the lost opportunity presented by that phase to start a new and original internet meme.

          Oh the T-shirts I could have printed, the mug sales, the mouse mats the endless milking of geek subculture.

          Damn you unchallenging education system!

          Damn you all to hell!

  13. Christoph

    It sounds like

    Their security staff were out to lunch

  14. William Boyle
    FAIL

    Copying without chaning atime

    Just because the file access times may not have changed, it still doesn't mean that someone didn't make a bit-image copy of the device, and then read the data later, elsewhere. A small stick like that could be cloned in a few minutes, without any evidence of that on the original device.

  15. Peter Clarke 1
    FAIL

    Missing the Important Question.

    Why was the lunchbox left unopened and unwashed for nearly a month?

    Yeah, I'd like to know how they could check access.

  16. Anonymous Coward
    Big Brother

    data not been accessed

    > As soon the data stick had been recovered, we ran a series of tests on it which indicated that the data on it has not been accessed during the period the device was missing ..

    Orlowski: Do you believe this crap, Oates?

    Oates: It's not our job to believe it, Andrew. Our job is to tell the people --

    Orlowski: "Exactly what they tell us." I Know but do you think that people will believe it?

    Oates: They will if it's you that's telling it to them. Now let's try it again.

  17. kain preacher

    I know what happened

    Some wanted a USB stick and snagged it. They had no idea what was on it till some one said some thing.

    If that is not the case you need to do a real investigation. Cause the other possibility is that it did leave the building and the thief knows how stupid the council is .

  18. Stevie

    Bah!

    Obviously these "tests" involved prying the bits of cheese and pickle sandwich out of the socket so the stick could be plugged in and read.

  19. Anonymous Coward
    Anonymous Coward

    "Homer, are you just holding on to the cans?"

    Your point being?

  20. David Gale

    Information Management Strategy

    This is not a low-level failure. This should not happen in a large public sector organisation. The council is required to have rigourous information management policies in place under an over-arching Information Management Strategy, with governance that goes all the way to chief officer level.

    We will be happy to assist you with this regard.

    David Gale

    CEO

    SITFO.org

  21. Anonymous Coward
    Go

    They could tell the last accessed date

    along with what machine it was plugged into when accessed if they had been using SafeConsole from BlockMaster as that has a full audit trail of what machines a device has been plugged into, along with what files have been accessed.

    Obviously SafeConsole only works with encrypted drives from BlockMaster or Kingston but it does give you full logging on a device.

This topic is closed for new posts.

Other stories you might like