contractor?
I'm having trouble imagining what job this contractor was doing that would require putting the names address and bank account details of 26,000 people on a stick.
A contractor who lost an unencrypted memory stick with confidential data during a visit down the pub has landed two London housing bodies in trouble with data privacy watchdogs. The memory stick contained details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association. More seriously, 800 of …
As usual it was more convenient for the contractor to drop the whole database on the stick than it was to just get the details s/he needed. Just like it was more convenient to use an unencrypted stick than an encrypted one. And it was more convenient to keep the stick in a pocket than securely locked in a car or the office.
The trouble is that most people know what they should be doing, but let their personal convenience override that. People are lazy.
People can't be bothered to create certificates to sign (and later encrypt) e-mail, even when generally trusted CAs give them out for free (startssl and comodo).
most people working in IT can't be bothered to encrypt company data on their laptops and you are surprised that a typical suit couldn't be bothered?! Are you sure you're not a slider or some such?
(also i know that trusted CA =/= trustworthy CA, it's still better than sending sensitive data in clear)
Is this another example of the ICOs double standards. They are only too happy to name and shame and even fine public bodies, but scared witless of doing anything to private companies.
There is absolutely no reason why a private company should have data protection standard which are lower than those for a public body, but the ICO seem to believe that there is.
I know we have all this stuff about data protection and so on, but what is so secret about bank account details? Every time I pay by cheque I give a piece of paper to someone, who I probably don't know, which contains my name, bank a/c no and sort code, and a copy of my signature. Quite possibly if I have posted this information the covering letter includes my address.
Similarly all my invoices contain details of my company bank a/c.
All the recipient can do with this info is to pay money *into* my a/c - and I have no problem with them doing that.
If you believe the info can only be used to pay money 'into' your account, then post your bank details on this forum - no risk right? I mean - it't not like that information is enough to complete a direct debit or standing order or anything - which to my recollection take money OUT of your account.
I refer you to the title of your own comment.
Thus it becomes clear - if an eeevil person ever finds data that they want to steal, they should simply copy it and then hand it in to the police.
The ICO, the data holder and everyone else will then believe that no data was stolen at all and they can go ahead with their evil plans with no risk of discovery.
Because data can't be copied, right? Copying 26,000 electronic records from a USB stick would take several days to copy, like photocopying 26,000 paper records.
And again - who is the contractor? Why is the directly responsible company allowed secrecy, while the merely indirectly responsible organisations are not?
*There's an 'un' missing somewhere. Ten points to whoever spots it.
This post has been deleted by its author
This post has been deleted by its author
"Saving personal information onto an unencrypted memory stick is as risky as taking hard copy papers out of the office."
That's wrong, it's worst. Paper copies of 26 000 odd records takes a whole lot of physical room, making it very unlikely the idiot would have taken it into the pub in his pocket, where this is probably what this idiot did with the flash drive.
Also, making photocopies of 26 000 paper records is very time consuming and likely to leave evidence. Copying a flash drive takes at most 2 minutes and can be done without anyone noticing it.
When we buy machines they are have empty disks. We load an image in it. Then hook it up to the domain, and from there it gets its policy as to what to do with inserted media. And you can differentiate between mice/keyboards and storage devices. You can do that in Windows just as well as you would on any *nix flavour.
And yes, we get on average one person per day asking us to enable USB ports for storage devices. And we say 'no'. Most of the time in this line of business you'll find that most of these common problems have been solved already technically, even by MS. Although the settings are not always in clear view. Sometimes you have to search a little, but what's more difficult is keep telling the users 'no'.
Most of these problems aren't technical problems. They have to do with users demanding the same kind of functionality from their workstation as they have at home, and that includes demanding laptops, USB storage, local admin rights, world writeable shares, flash plugins and certainly no screen lock or strong passwords.
/enough about work
http://www.theregister.co.uk/Design/graphics/icons/comment/devil_32.png
This is the attitude of too many info security types: prevent the user from doing his/her job and the security problem goes away! They never seem to realize that this only forces users to bypass their protocols.
Tell them how to do the job while keeping data secure; don't just tell them what they can't do!
This is the attitude of too many info security types: prevent the user from doing his/her job and the security problem goes away! They never seem to realize that this only forces users to bypass their protocols.
Tell them how to do the job while keeping data secure; don't just tell them what they can't do!
"Fortunately no harm was done because the lost stick was safely found and handed in to the police."
And this can be *guaranteed* how ?
A canny wrong'un would copy the data. Lie low, and pop up in a years time, when everyone has forgotten, and start to go through the list.
btw - you think that's bad, check out this
http://www.guardian.co.uk/government-computing-network/2011/jul/28/manchester-police-memory-stick-burglary
strangely not reported in El Reg.
As a long suffering Lewisham Homes tenant I am grateful to mark63 for spotting the real issue here, which is more than the Information Commissioner managed.
The Data Protection Act undertaking given by Lewisham Homes, http://j.mp/ng55kW , states inter alia: "Enquiries revealed that the USB stick was the property of a contract worker who had carried out a project for the data controller. He had copied the data to this device due to problems encountered backing up work on the data controller’s network. In addition, the Commissioner was told that there was no effective measure in place to prevent the use of personal or unencrypted USB devices on the data controller’s systems, and there was no provision for training contract workers in the data controller’s policies on data protection." but fails miserably to address the question of whether he should have had that much access in the first place.