DOH! Housing contractor loses unencrypted stick down the pub

A contractor who lost an unencrypted memory stick with confidential data during a visit down the pub has landed two London housing bodies in trouble with data privacy watchdogs. The memory stick contained details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association. More seriously, 800 of …

COMMENTS

This topic is closed for new posts.
  1. mark 63 Silver badge
    WTF?

    contractor?

    I'm having trouble imagining what job this contractor was doing that would require putting the names, address and bank account details of 26,000 people on a stick.

    1. Anonymous Coward

      There's no such job

      As usual it was more convenient for the contractor to drop the whole database on the stick than it was to just get the details s/he needed. Just like it was more convenient to use an unencrypted stick than an encrypted one. And it was more convenient to keep the stick in a pocket than securely locked in a car or the office.

      The trouble is that most people know what they should be doing, but let their personal convenience override that. People are lazy.

  2. cocknee
    FAIL

    sigh...

    stupid is as stupid does...

    An e-petition to bring back the stocks for people like this?

    Not forgetting the management team that allowed it to happen of course

  3. nsld
    Mushroom

    who was the contractor

    It's all very well naming and shaming the housing authorities but which numbnuts contractor lost the stick in the pub?

    Regardless of the policy of the housing association (or lack of) how dumb is the contractor for not encrypting it him or herself?

    1. Tomato42
      Unhappy

      Encrypting it himself

      People can't be bothered to create certificates to sign (and later encrypt) e-mail, even when generally trusted CAs give them out for free (startssl and comodo).

      Most people working in IT can't be bothered to encrypt company data on their laptops and you are surprised that a typical suit couldn't be bothered?! Are you sure you're not a slider or some such?

      (also I know that trusted CA =/= trustworthy CA, it's still better than sending sensitive data in clear)

    2. Anonymous Coward

      Double Standards?

      Is this another example of the ICO's double standards? They are only too happy to name and shame and even fine public bodies, but scared witless of doing anything to private companies.

      There is absolutely no reason why a private company should have data protection standards which are lower than those for a public body, but the ICO seem to believe that there is.

  4. Pen-y-gors

    Call me Mr. Naive, but...

    I know we have all this stuff about data protection and so on, but what is so secret about bank account details? Every time I pay by cheque I give a piece of paper to someone, who I probably don't know, which contains my name, bank a/c no and sort code, and a copy of my signature. Quite possibly if I have posted this information the covering letter includes my address.

    Similarly all my invoices contain details of my company bank a/c.

    All the recipient can do with this info is to pay money *into* my a/c - and I have no problem with them doing that.

    1. Anonymous Coward
      Stop

      Are you confident enough to test your theory here?

      If you believe the info can only be used to pay money 'into' your account, then post your bank details on this forum - no risk right? I mean - it's not like that information is enough to complete a direct debit or standing order or anything - which to my recollection take money OUT of your account.

      I refer you to the title of your own comment.

    2. Guido Esperanto

      not quite

      I think Jeremy Clarkson made a foolish attempt to say the same thing and published his bank details. He was later left £500 short after funds were donated to a charity for his foolishness.

      http://news.bbc.co.uk/1/hi/7174760.stm

  5. Tom_

    how do they know...

    Can they be sure it went from pub floor to police without anyone taking a copy first?

    1. Richard 12 Silver badge
      Unhappy

      Fortunately it's impossible to know whether anybody copied the contents*

      Thus it becomes clear - if an eeevil person ever finds data that they want to steal, they should simply copy it and then hand it in to the police.

      The ICO, the data holder and everyone else will then believe that no data was stolen at all and they can go ahead with their evil plans with no risk of discovery.

      Because data can't be copied, right? Copying 26,000 electronic records from a USB stick would take several days to copy, like photocopying 26,000 paper records.

      And again - who is the contractor? Why is the directly responsible company allowed secrecy, while the merely indirectly responsible organisations are not?

      *There's an 'un' missing somewhere. Ten points to whoever spots it.

  6. This post has been deleted by its author

    1. This post has been deleted by its author

  7. Kevin 43
    FAIL

    Safely?

    "Fortunately no harm was done because the lost stick was safely found and handed in to the police."

    I wouldn't consider anything handed in to the police as "safe" what with their reputation these days...

    1. Tomato42
      Stop

      Police

      I still trust them more than Russian mafia, thankyouverymuch.

  8. Anonymous Coward

    Wrong

    "Saving personal information onto an unencrypted memory stick is as risky as taking hard copy papers out of the office."

    That's wrong, it's worse. Paper copies of 26 000 odd records take a whole lot of physical room, making it very unlikely the idiot would have taken it into the pub in his pocket, where this is probably what this idiot did with the flash drive.

    Also, making photocopies of 26 000 paper records is very time consuming and likely to leave evidence. Copying a flash drive takes at most 2 minutes and can be done without anyone noticing it.

  9. zaax
    FAIL

    USB ports should be closed

    This is the problem in M$ leaving USB ports open when machines / software are sold. If the ports are switched off at POS then a sysop would have to switch them on.

    1. BryanM
      WTF?

      RE: USB ports should be closed

      So where do I plug my keyboard and mouse into?

      1. mark 63 Silver badge

        RE: where do I plug my keyboard and mouse into?

        well we just disable the mass storage drivers, so mouse, keyboard, printers, and 99p dancing dog toys still work

    2. Throatwobbler Mangrove
      Thumb Up

      If you're going to take that approach...

      ...then surely the problem is that power sockets are left "live". If users needed to contact a Sysop-approved electrician to have a socket connected to the power supply, we wouldn't have half the IT problems we do today.

    3. /dev/me
      Pint

      Re: USB ports should be closed

      When we buy machines they have empty disks. We load an image in it. Then hook it up to the domain, and from there it gets its policy as to what to do with inserted media. And you can differentiate between mice/keyboards and storage devices. You can do that in Windows just as well as you would on any *nix flavour.

      And yes, we get on average one person per day asking us to enable USB ports for storage devices. And we say 'no'. Most of the time in this line of business you'll find that most of these common problems have been solved already technically, even by MS. Although the settings are not always in clear view. Sometimes you have to search a little, but what's more difficult is to keep telling the users 'no'.

      Most of these problems aren't technical problems. They have to do with users demanding the same kind of functionality from their workstation as they have at home, and that includes demanding laptops, USB storage, local admin rights, world writeable shares, flash plugins and certainly no screen lock or strong passwords.

      /enough about work

  10. Risky
    Stop

    RE USB Ports closed

    Exactly. If you can't connect a keyboard then you can't log in and start copying data. Standard IT security approach - I remember a guy saying that he seriously believed that the more difficult it was to use a computer, the more secure it was.

    1. Peddler
      Devil

      RE USB Ports closed

      This is the attitude of too many info security types: prevent the user from doing his/her job and the security problem goes away! They never seem to realize that this only forces users to bypass their protocols.

      Tell them how to do the job while keeping data secure; don't just tell them what they can't do!

  11. Anonymous Coward
    FAIL

    my thoughts

    "Fortunately no harm was done because the lost stick was safely found and handed in to the police."

    And this can be *guaranteed* how?

    A canny wrong'un would copy the data. Lie low, and pop up in a year's time, when everyone has forgotten, and start to go through the list.

    btw - you think that's bad, check out this

    http://www.guardian.co.uk/government-computing-network/2011/jul/28/manchester-police-memory-stick-burglary

    strangely not reported in El Reg.

  12. handle

    memory stick?

    It's fine - if it was a Memory Stick (TM), then no-one would be able to read it anyway...

  13. Anonymous Coward
    Paris Hilton

    Where's the NoTW connection?

    just asking

  14. MonkeyBot
    FAIL

    Re: "their contractor's (likely drunken) lapse"

    Was he drunk when he copied the details to an unencrypted memory stick and took it out of the office?

    This wasn't a "lapse", this was a grade-A fuck-up.

  15. Bill Ellson
    Facepalm

    Doh! It is not about encryption

    As a long suffering Lewisham Homes tenant I am grateful to mark63 for spotting the real issue here, which is more than the Information Commissioner managed.

    The Data Protection Act undertaking given by Lewisham Homes, http://j.mp/ng55kW , states inter alia: "Enquiries revealed that the USB stick was the property of a contract worker who had carried out a project for the data controller. He had copied the data to this device due to problems encountered backing up work on the data controller’s network. In addition, the Commissioner was told that there was no effective measure in place to prevent the use of personal or unencrypted USB devices on the data controller’s systems, and there was no provision for training contract workers in the data controller’s policies on data protection." but fails miserably to address the question of whether he should have had that much access in the first place.

  16. pPPPP

    Problem is

    Most people who use computers don't know how they work. So even though this guy has copied lots of sensitive files to an unencrypted USB stick and admitted losing it, there are plenty of others who would think that by deleting the files then that would be OK.

  17. Christian Berger

    Why?????

    Why on earth should they even have a copy of a database on a USB stick? We live in the age of the Internet. They could just as well ssh into a computer with that database on it. Then you'd also always have access to the current version of the data.
