Nicked unencrypted PC with 6,000 bank details lands council fat fine

The Information Commissioner’s Office has fined Glasgow City Council £150,000 for losing two unencrypted laptops, one with the personal details of more than 20,000 people - just two years after a similar blunder. More than 6,000 bank account details were held on one of the stolen computers. “To find out that these poor …

COMMENTS

  1. Rufus McDufus

    What a terrible punishment, getting someone else to pay the fine.

    1. Tom 13

      @Rufus

      My thoughts exactly.

      Perhaps if each member of the council had to personally pay the fine it might have an effect.

  2. Usually Right or Wrong
    Unhappy

    Double whammy

    So Glasgow tax payers are told to bend over and take an ICO £150K shafting and whilst they are bent over, open their mouths and take a bank account fraud shafting as well. Lucky devils.

  3. Ian 62

    Who pays then?

    It's a council, funded by and for local residents (tax payers).

    So that's £150,000 less to spend on services. Or £150,000 more to take from tax payers.

    I doubt it's likely to come out of the pocket of whoever left it unlocked, or unencrypted, or someone in management who made the decisions.

  4. taxman
    FAIL

    and that we carried out significant remedial action

    by purchasing a further 74 laptops to replace those missing'

  5. Halfmad

    Yet nobody will be fired..

    The problem with these fines is that organisations pay up and there's no long term change in attitude, sure they'll do something in the short term as people try to cover their own backs but there's no fundamental shift in attitudes to IT and information security as the same managers, who usually have it as a very low priority remain in post.

    The head of their IT department should be sacked for poor IT strategy and management, the manager of the offices where the laptops were stolen due to the poor physical security (regardless of encryption) should also find their job on the line. The role of their IT security staff should also be checked to see if it's advisory (as many are) and whether those staff need extra backing from the senior management team - which is lacking in most organisations.

    Until people know that their jobs are genuinely at risk for this sort of breach they'll never put the necessary importance on IT/info security.

    1. Tom 13

      Re: Yet nobody will be fired..

      Not so sure about assuming poor physical security at the office. The whole point of a laptop is the worker takes it home or into the field. I expect that's the point at which it was stolen. One case in my support history was a user who had the laptop stored in a bag so it wasn't clearly visible while the user stopped to visit an embassy. Car was broken into and the bag was stolen. At the time I think the user also thought his tax return forms were also stolen, which is pretty much your identity here in the US.

      But on the encryption issue, yeah, there's a real problem there.

      1. Anonymous Coward

        Re: Yet nobody will be fired..

        Actually the original two laptops were stolen on council premises during a refurbishment.

      2. John Smith 19 Gold badge
        Unhappy

        Re: Yet nobody will be fired..

        " I expect that's the point at which it was stolen. One case in my support history was a user who had the laptop stored in a bag so it wasn't clearly visible while the user stopped to visit an embassy. "

        So 74 cars and houses broken into?

        And they can't get encryption software working because?....

  6. Frankee Llonnygog

    What does the ICO do with the money?

    Any gov. department that says, 'you must do x' should first ensure there is a Govt. wide deal in place for procuring x at the best price with economies of scale. So, not just, 'you must use encryption' but 'you must use one of the encryption products available through the framework'.

    1. Halfmad

      Re: What does the ICO do with the money?

      Agreed, although those frameworks have to be kept up to date, which many aren't, otherwise you end up having to take an out of date product at an inflated price. Frameworks aren't the answer and certainly aren't an excuse, especially when they could have used free products to encrypt these laptops.

    2. Velv

      Re: What does the ICO do with the money?

      The ICO does not mandate encryption. The ICO does not mandate anything.

      The ICO simply states "you have a duty to keep of information from being disclosed to people who don't have a right to it".

      Encryption is only a means to an end. Perhaps locking the laptops in a drawer is sufficient (clearly not if you put the key in the next drawer). Perhaps the data should never have been on a laptop in the first place.

      Your point about procurement is an interesting one, since the govt has a very good deal with Microsoft, and Windows now includes encryption, so it's largely a free option (bit of back end PKI required). So there really is no excuse for any govt department to have laptops that don't have the most basic of protection (aside from many are still on XP).

      1. Frankee Llonnygog

        Re: What does the ICO do with the money?

        Yes, it's all very well saying 'comply' but it should be made easy to comply. ICO has form for mandating compliance without considering the real-world consequences.

        1. Anonymous Coward

          Re: What does the ICO do with the money?

          @Frankee Llonnygog

          re: "Yes, it's all very well saying 'comply' but it should be made easy to comply. ICO has form for mandating compliance..."

          Why?!? It's not the ICO's responsibility to tell the councils how to do their job - the ICO is only there to state the requirement and ensure it's being met.

          Councils should be designing processes to meet those requirements. Not just expecting someone else to come up with solutions for them. Why is that so different from how they meet their other obligations - or are they just spoon fed and never have to think for themselves?

      2. keithpeter Silver badge
        Windows

        RDP? Re: What does the ICO do with the money?

        "Perhaps the data should never have been on a laptop in the first place."

        I'm an end user and have little knowledge of network costs &c.

        My employers allow me to use an RDP session to log into my Windows desktop, from where I can access the rather minimal amount of data about students that I need to keep useful records of progress &c. We have to type passwords in each time we access the RDP desktop. I therefore use my own laptop, at home, in a room with walls and a door (and not in the middle of a Starbucks, for instance, and there has been staff training on data protection) to do bits of admin. If my laptop gets nicked, the neds would not be able to access the remote desktop session at all. The laptop has no personal information about students on it, just teaching materials that I write in my own time.

        Is this a way forward? Laptops in 'offices known to be insecure' run a session back to a central server? As the server takes the load, money could be saved on hardware refreshes?

        The tramp: I'm on a reduced income but pay full council tax and have to use Windows at work

        1. Hellcat

          Re: RDP? What does the ICO do with the money?

          keithpeter has hit the nail firmly and squarely on the head.

          There is no reason for data to ever be on a workstation. Everyone else seems to live in a world where Citrix doesn't exist. Give the users a published desktop if the individual app doesn't play nicely as a published application. Then they can access it in the office or at home, and no need for expensive laptops or workstations - a Wyse device or similar thin client device is all that is needed at the user's end, and servers capable of hosting the sessions are getting cheaper all the time. To save on licences, server 2012's terminal server solution is nearly as good as Citrix's own offering.

          1. Charles 9

            Re: RDP? What does the ICO do with the money?

            And everyone else seems to think the Internet is literally everywhere. What if you need to meet a deadline but you're going to be "out of the loop" for a while? What if your Internet access is notoriously unreliable or hard to secure (you're using a WiFi setup that's not yours)? Then there's the matter of drive-by (hidden in a popular site) rootkit (hidden from detection) malware that can still nick the RDP details.

  7. Velv
    Go

    Bonuses all round at Glasgow City Council this year then?

    Senior Managers and Executives will have targets to meet to be eligible for bonus. If they meet the targets, then award the bonus. Then directly reduce the bonus by the amount of any fines incurred in the Council's name since they have responsibility.

  8. nsld
    FAIL

    If the report is correct

    and the staff requested encryption and this was denied then whoever denied it should be fired and the ICO fine should be taken from the pension pot, only when the individuals who fail in this appalling manner are held to account will others take notice.

    Until the fines are met by the people responsible and not the tax payer they will have no effect.

    It smacks of a criminal level of negligence but stuff all will happen to the muppets responsible.

    1. Phil W

      Re: If the report is correct

      I don't think the encryption request was denied, so much as just ignored.

      Not that that makes it ok, but there is a different level of stupidity involved in forgetting/not getting round to taking action to encrypt the data and actively refusing to do so.

      1. Tom 13

        Re: I don't think the encryption request was denied,

        Article says pretty clearly it wasn't installed because it either didn't work or they couldn't figure out how to install it so it would work. While it is normally true that incompetence suffices and is preferable to malice, in this instance I think we need to deny them the incompetence option. They've become too competent at taking incompetence as the easy way out.

        Crimeney! This sort of crap pisses me off and I'm not even a loyal subject of Her Majesty.

  9. The BigYin

    I did not cost the council one penny

    It cost the TAX PAYER £150,000.

    Who was responsible? Did they follow procedure? No? Fire them.

    Was there no procedure? Who should have written it? Fire them.

    They were blocked from writing it? Who did that? Fire them.

    They were blocked from implementation? Who did that? Fire them.

    Repeat until you reach the top.

    Unless we start sacking the idiots in the civil service, we will keep getting crap like this. In the private sector this would almost certainly be grounds for summary dismissal. Of course, this is Glesga council with a vainglorious history of incompetence, corruption and utter disregard for the will of the Glaswegian people (which is pretty typical for Labour). I give you the previous (and planned) destruction of George Square as but one example.

    More importantly....I wonder how I find out if I am affected?

    1. Magister
      Coat

      Re: I did not cost the council one penny

      >>More importantly....I wonder how I find out if I am affected?<<

      I would say Much More Importantly.

      I'm betting that if you submit an FOI request, you'll be told that they "cannot supply that information due to the Data Protection Law".

      Or am I just being my usual cynical self?

      1. The Serpent

        Re: I did not cost the council one penny

        You would use the Data Protection Act to find out specific information about yourself - it is called a subject access request.

        The Freedom Of Information Act is for more general, non-personal requests unless it is of an environmental nature in which case it is much the same process as FOI but under the guidance of the Environmental Information Regulations

    2. Halfmad

      Re: I did not cost the council one penny

      I agree with regards to sacking those responsible - the problem is that councils and the public sector never do.

      However your point about the private sector is a little odd, we'd never have known about this loss if it was in the private sector, the chances of them self reporting to the ICO are incredibly small and of course you couldn't use an FOI to investigate it.

    3. haloburn

      Re: I did not cost the council one penny

      This probably was not due to incompetent IT staff. Councils and public bodies have an obligation to follow the GSX code of connection for access to the Public Services Intranet. One of the stipulations is that they must encrypt all mobile devices and removable storage. However there is a mindset that goes “no one else (other Councils) pay any attention to this so we won’t either”. Until the ICO and Cabinet Office start to conduct unannounced ITC audits individual Councils are going to continue to disregard or interpret the rules and regulations as they see fit.

    4. Anonymous Coward

      Re: I did not cost the council one penny

      "In the private sector this would almost certainly be grounds for summary dismissal."

      Er - not necessarily... depends how much the disclosure of such issues could affect the share price.

      AC for reasons that should be obvious

      1. Triggerfish

        Re: I did not cost the council one penny

        Everyone comments about how much it costs the tax payer, and they're right, but it's not going to make a difference; that sort of culture seems endemic in councils.

        I've worked in a few and it always seems to me that a large percentage of the wastage money wise with a council is because it's not earned, just given, so no one is as accountable. If you went to your boss in a private company and had to explain how you were pissing money up the wall because of x,y,z and that you wasn't doing anything about it, how long do you reckon you'd last?

        Yet I have worked for council departments who don't even bother finding out the x,y,z let alone try and fix it or have to explain it.

        Working for the council really made me resent paying my council tax - not because I don't think we should contribute to society I do, but because if I do I don't want it being sodding wasted by idiots.*

        *Apparently commenting this to your boss whilst working for the council shows a bad attitude.

    5. tomsk

      Re: I did not cost the council one penny

      “Unless we start sacking the idiots in the civil service, we will keep getting crap like this. In the private sector this would almost certainly be grounds for summary dismissal.”

      I hear this kind of thing a lot, and yet I’m not convinced that the private sector is all that much more efficient or less error-prone than the public sector, based on my experience working with both. Companies certainly have an easier time concealing their fuckups than public-sector entities, and you could argue that they tend to fuck up in different ways; amazing feats of bureaucratic inertia and buck-passing are more common in the public sector, while ridiculous misadventures caused by dumbfounding levels of exec-grade arrogance and narcissism happen more often in the private.

      Both sectors come out with these kinds of staggering ineptitude often enough that I can no longer take this whole ‘private sector lean and efficient; public sector bloated and incompetent’ mythos very seriously. And while some people in the corporate world may be more likely to face the consequences of their mistakes – lower-paid people, mostly – the upper echelons often seem bafflingly immune to the faintest hint of accountability. Just look at the leaders of so many of our glorious financial institutions, or the seemingly ineradicable Ballmer, or any number of serial failures who nevertheless sail blithely into a succession of heavily-remunerated leadership roles, leaving a trail of destruction behind them.

      1. Tom 13

        Re: the upper echelons often seem bafflingly immune

        While that is true to some extent, at least some of the people in the lower echelons are accountable. You don't even get that in government. These days, to the extent you do, it is because they've contracted the job to someone so the contractor can be disposable. I'd also note that all of the examples you cite have significant interfaces with the government in one way or another. Even Ballmer who owes his fortune to government backed copyright monopoly combined with government enforced "terms and conditions" contracts.

        I'd also say that even in the private companies I've worked in that are tightly associated with government (living inside the abysmal swamp makes it nearly impossible not to do so), while the higher ups who frell it up might not get the public treatment, they do seem to eventually disappear. Not necessarily in a manner traceable to the injury, but they disappear none the less.

        1. tomsk

          Re: the upper echelons often seem bafflingly immune

          “at least some of the people in the lower echelons are accountable”

          Often they’re just taking the fall for mistakes that are really the fault of someone higher up, though.

          “I'd also note that all of the examples you cite have significant interfaces with the government in one way or another.”

          Up to a point. The misdeeds that led to the financial crisis really weren’t the government’s fault. The government could have done more to stop the madness, but it certainly wasn’t forcing banks to go on insane lending binges in various bubbly property markets or to make enormous gambles on highly-leveraged pools of credit derivatives.

          It sometimes feels like once you’ve made it to C-level you’re almost guaranteed perpetual lucrative employment, no matter how much you screw up (short of actual imprisonment). It’s like football managers; there are so few that are known quantities (and so perceived as less of a gamble by risk-averse boards) that a month after steering Club X into relegation and bankruptcy you’ll be sitting at a press conference with your new employer talking about how you’re looking forward to working with players and staff to restore Club Y to the prominence its proud heritage deserves.

    6. Tom 13

      Re: More importantly....I wonder how I find out if I am affected?

      You can't because they don't even know what information may have been compromised.

      So, if you've had any dealings with them, assume your information has been compromised and act accordingly.

    7. Anonymous Coward

      Re: I did not cost the council one penny

      Let's hope the voters in Glasgow hold their councillors to account.

      It is the councillors who hold their civil servants to account, ultimately being able to get rid of the CEO through a vote of no confidence if he/she hasn't satisfied them that suitable action has been taken.

      If nothing happens, and the councillors are still seated this time next year, then blame the voter :)

      Probably the IT is outsourced. The IT company gave a quote for encryption, which was sniffed at by the council as costing too much so declined. The council will argue that Central Government cuts meant they didn't have the resources to pay for better security. Blame will be passed around and diluted between the workers. Only the voters hold the true power to get something done about it.

    8. Anonymous Coward

      Re: I did not cost the council one penny

      You tell'em pal, you tell them.

    9. Michael Dunn

      Re: I did not cost the council one penny @ the Big Yin

      Who was responsible? Did they follow procedure? No? Fire and fine them.

      Was there no procedure? Who should have written it? Fire and fine them.

      They were blocked from writing it? Who did that? Fire and fine them.

      They were blocked from implementation? Who did that? Fire and fine them.

      (And possibly imprison too.)

      There, fixed that for you!

  10. Crisp
    WTF?

    The council issued unencrypted laptops to staff when it had problems with its encryption software

    Well that was daft.

    What the council should have done was train their employees properly. (If they still can't use encryption tools after that, then the council needs to fire their incompetent staff).

    It's just encryption, it's not rocket science.

    1. Gordon 10

      Re: The council issued unencrypted laptops to staff when it had problems with its encryption

      To be fair it doesn't say it was the staff who had problems - just that there were problems. Could just as easily be bad install/config or bad policies/governance.

      1. Tom 13

        Re: To be fair

        In fact, given that it sounds like none of the laptops were encrypted, I expect it was a problem with the installation, not that Jane Smithe couldn't login to her encrypted laptop and therefore got a verbal waiver for having the software installed.

    2. Boothy

      Re: The council issued unencrypted laptops to staff when it had problems with its encryption sof..

      I doubt it was related to training etc. Full disk encryption is essentially transparent to the end user, the only differences a user sees is likely to be an extra icon in the notification area, and depending on the vendor of the software, sometimes an additional log in prompt during initial boot.

      I would suspect that it was probably more to do with a bad install image, or some clash between existing applications or something else in their SOE build. (Assuming they have a proper Standard Operating Environment of course!).

      But saying that, irrespective of issues, they still shouldn't have sent out unencrypted laptops to anyone accessing sensitive data.

      Install some desktops in a secure area; if you want to work on bank details, you need to come into the office and use the PCs in the secure room for the day, not your laptop.

      Then once the issues are resolved, roll out full disk encryption. Also update your domain login process to make sure each device accessing the network has encryption enabled, if not, deny access and tell them to phone the help desk.

      1. Anonymous Coward

        Re: The council issued unencrypted laptops to staff when it had problems with its encryption sof..

        My guess would be they were using McAfee and were running into issues with the hidden partition on vendor equipment. At the very least it was the encryption software and the hidden partition. We ran into that problem once for a couple of weeks during a planned version upgrade. Some systems would install fine, encrypt fine, and upon reboot after the encryption was complete, they blue screened. During the problem period we used the old version of the software. Eventually we figured out you needed to blow away everything on the drive and put the bog standard image on it. But if you let the tech off the hook, he won't keep looking for a solution to the problem.

  11. Anonymous Coward

    Why on a laptop

    Can someone please explain to me why they had 20,143 individual information as well as at least 6,000 bank account details on a laptop in the first place?

    1. Kubla Cant
      Thumb Down

      Re: Why on a laptop

      Exactly.

      All sensible businesses keep sensitive data on secure servers. The more clued-up ones disable any workstation features that would allow data to be exported. The last place I worked had an instant-dismissal rule for taking data - including source code - off site. If you need to send something to another office, you have a WAN, or at least a VPN, to do it on. If you need to work on something at home you use remote access.

      But the public sector seems to be stuck in the age of sneakernet. Massive files of sensitive data on laptops, CDs in the post, flash drives down the pub, and so on. Why?

      1. Anonymous Coward

        Re: Why on a laptop

        +1

        We have a secure room in our office specifically for this type of activity.

        Want to work on this sensitive data? Then you'll have to use one of the secured, locked down (i.e. no USB, no CD etc.) desktop PCs that's in the secure (pass card entry) room in the middle of the building. That's the room without windows, where you have to leave your bags and your phone with security if it has a camera, etc.

      2. Anonymous Coward

        Re: Why on a laptop

        Because external USB drives are a cheaper solution than a proper backup unit and they needed to make contract budget. Besides, the data has to be converted on that computer over there, which isn't permitted to touch the isolated network* on which the data is processed, and it's easier to transfer the data using the USB disk.

        *Dweeb telling me this didn't think about the fact that I knew he had a way of remotely monitoring the jobs on the "isolated network" which tells you just how "isolated" it really was.

        Honest. That was a real answer I got once. But I R only the held desk doobie and don't know anything real about computers.

    2. Anonymous Coward

      Re: Why on a laptop

      For the same reason I once worked in a location where even larger volumes of PII was stored on unencrypted drives: someone told them because of their special relationship with the government, they didn't have to.

      Despite the alleged security on the room it would have actually been fairly easy for someone to bust through the wall (frame and drywall) connect an external USB drive, and copy the data. Yes, it would have been bloody obvious the next day, but still you would have walked away with millions of medical records including social security numbers.

      I understand they have improved security since then, but since I no longer work there I can't vouch for how safe the records actually are. Their biggest defense was, and I expect remains: most people have no idea exactly what information is in that particular room. And of those who do, their livelihood depends on most people not knowing that.

  12. Shasta McNasty
    Mushroom

    The ICO hasn't a fucking clue

    How the hell does fining a public body AGAIN prevent a re-occurrence of data loss?

    Change the law. State that if an employee loses a device with unencrypted & sensitive data on it then they and their manager go to prison for a minimum of 3 months and are liable for any losses incurred by those whose details were part of the data.

    This will force change as employees will refuse to have any data that isn't secure and will make damn sure they keep it safe.

    1. Gordon 10
      FAIL

      Re: The ICO hasn't a fucking clue

      It's hardly the fault of the ICO if those in power have a vested interest in not giving it the teeth it needs.

      Financial remedies are about all it has - even that was fought tooth and nail.

    2. Anonymous Coward

      Re: The ICO hasn't a fucking clue

      Says someone without a clue.... the ICO has asked for powers to use custodial sentences but successive governments have refused to put them in place.

    3. Anonymous Coward

      Re: The ICO hasn't a fucking clue

      "State that if an employee loses a device with unencrypted & sensitive data on it then they and their manager go to prison for a minimum of 3 months and are liable for any losses incurred by those whose details were part of the data."

      Back to paper, locked filing cabinets and biros then. No-one would want to risk anything else.

      Nostalgia, fond memories, and nice long lunch breaks, but forget any form of reporting or process check. It is also easy to 'lose' paper if you know what I mean, so forget accountability.

  13. Dr_N

    Fines should come out of the council management remuneration pool...

    It's the only way to make it fair/accountable.

    A bit of Googling reveals Glasgow has the highest number of employees with +100K packages in the UK.

    So there's plenty of money in that pot to pay for these types of **** ups.

    1. Colin Miller

      Re: Fines should come out of the council management remuneration pool...

      Glasgow CC also has one of the largest populations, at 600,000 or so. What is the executive per 10,000 residents ratio for all councils?

  14. weevil

    The silly thing is the cost of the fine is less than the cost it would take to implement encryption to their laptops, maybe they should actually say "you have 28 days to implement council wide encryption to all laptops and removable media" and sideline this fine to help pay for it, otherwise the fine goes up by a HUGE amount, then the action of fining might actually mean something

    1. Boothy

      Just fine them £150,000 a month for every month until they confirm they have either encrypted all the laptops, or wiped them securely and taken them out of circulation.

  15. Anonymous Coward

    Genuine Question

    Why is it we only hear about public bodies losing unencrypted laptops? Is it because the private sector doesn't ever lose any, the private sector only have encrypted ones, that there is nobody to report the issues to in the first place for the private sector, or that the private sector keep quiet about it claiming it is "business sensitive information"?

    1. ed2020

      Re: Genuine Question

      IIRC certain public sector organisations (the NHS, for example) are obliged to self-report. Telecoms providers are also obliged to self-report. Private sector organisations aren't, in most cases, under any obligation at all.

      I'd guess that, in reality, the prevalence of data losses/breaches in the private sector, is no less than in the public sector. It's just kept quiet more often.

      1. Tom 13

        Re: Private sector organisations aren't,

        Maybe 10 years ago, not so much now. If you do business in California, you have an obligation to report if you've had an information breach and sensitive customer information may have been compromised.

        The big difference is, in private business you can't just take it out of the taxpayer money pool to pay for it. Even if it isn't coming out of your personal paycheck, it is coming off the bottom line. And somebody important will notice that.

    2. Anonymous Coward

      Re: Genuine Question

      The other flip side is private businesses the size of Local governments / NHS trusts etc (let's do like for like sizewise) I would hope, will almost certainly have encryption.

      Why?

      Well a 150k+ fine is FA compared to losing a multi-million pound contract when the customer gets pissed that you've lost their information.

    3. qwertyuiop
      Facepalm

      Re: Genuine Question

      Public sector bodies are obliged to report any data breach, there is no duty on the private sector other than some vaguely worded best practice - "organisations are able to report losses of personal data to the ICO which the ICO encourages, however reporting such losses of personal data is not compulsory". Therefore the private sector rarely reports losses, if at all. They only tend to come to light by a different route because the organisation is, for example, in a highly regulated sector such as finance and they have to report it under compliance rules.

      In 30+ years of working in IT I have worked for both the public and private sectors. Where this kind of thing is concerned neither side of the divide has anything to be smug about. I have experienced data losses in both types of organisation, but in the private sector we were able to hush it up - got to think of the effect on customer confidence and the share price after all! Nobody got fired either.

      Basically this is an issue that nobody wants to take seriously until after something bad has happened.

    4. Christian Berger

      Re: Genuine Question

      The private firms I've seen so far are so badly run they wouldn't even notice data missing... and that's in Germany, where there are laws on what you may or may not do with private data.

  16. MuddyBoots
    Unhappy

    Private Firms

    I imagine that because bad publicity actually costs private firms money and is not just "water off a duck's back" then private industry approaches security in a much more robust manner than councils.

    I recall getting a letter from a bank with whom I had a credit card a number of years ago (>12) telling me a laptop was stolen with my account details on it but that the laptop was encrypted. In addition they provided me with a new account number to ensure the information couldn't be used.

    Unfortunately, organisations (like people) have to feel it in the abdomen when this stuff happens for them to do anything real about it.

    My work laptop has hard disk password protected encryption - unfortunately using the password incorrectly 3 times renders it a brick. I imagine that the way laptops are shared and passed about in local government due to a lack of funds may mean that it is harder to implement such things. But not impossible!!!

  17. Anonymous Coward

    Just Sack the Person at the Top

    First time it happens and a CEO goes, all the others will think 'there but for the grace....', the second time it happens will be the last as proper security would be implemented across the board.

    The Admiral Byng solution is the only way.

    1. Charles 9

      Re: Just Sack the Person at the Top

      And if it STILL happens? It's not like a government bureau can be dissolved, and a "changing of the guard" could result in a bad-to-worse transition.

  18. Steve Barnett
    FAIL

    Inexcusable failure

    HMG Security Policy Framework only requires that government employees comply with the Data Protection Act, which for some unknown reason does not require encryption of sensitive data unless departmental guidelines require it.

    But for heaven's sake, disc level encryption has been transparent to the user for about 10 years; there must be a dozen companies out there offering tried and tested solutions. CESG go through a hell of a lot of work to ensure that products are available and tested to a level that will work at all levels of government.

    With the number of high-profile instances of this sort of data loss hitting the press time after time after time, surely the only thing this shows is the complete lack of competence of the people at the top in both the IT and governance roles.

    There's no excuse for it, it's just plain incompetence, and I agree with the poster who suggested firing the people at the top.

  19. MachDiamond Silver badge
    Pint

    Ban Laptops

    There are news stories about private companies that have lost a heap of personal data. It gets reported if the data has credit card numbers or some such sensitive information.

    As questioned above, why are punters taking laptops full of sensitive data out of the office with them? There should be no reason a council employee must work at home with these sorts of files or should be allowed to. Identity theft is one of the fastest growing crimes and lost laptops facilitate it.

    I don't even see the need to have remote access to personal data. Work should get done at the office and home life done at home. If an employee needs to do work at home, there is something wrong with their job classification. Hire another person in the office.

    Here's another example of why BYOD is a bad idea.

    Encryption helps, but it would have to be the whole disk. Even if the whole disk was encrypted and the laptop was from somebody in defense and was targeted, the data has to be considered compromised. The same thing goes with a laptop stolen from somebody where it might be known that they regularly have sensitive banking information. No encryption is 100% and foreign governments have the technology to break through it. I wouldn't be surprised if some organized crime families are savvy in the art of computer espionage.

    Another good point brought up is that the council doesn't pay the fine, the ratepayers do. Same thing goes with setting fines against corporations. The fines are too small to matter to them and their customers pay the fines in higher prices, just like corporate taxes. If the fines get levied against the people at the highest levels, change might wander into procedures. For too long the people at the top have had cushy jobs that pay obscene amounts of money and have zero risk. I would call it negative risk as there will be a flock of expert lawyers to defend them and some sacrificial goats lower down on the corporate chain to take the blame.

    There is no such thing as too much beer. Cheers.

    1. ed2020
      Thumb Down

      Re: Ban Laptops

      "No encryption is 100%"

      Without brute force and millions, if not billions of years, how does one break into 256 bit AES? It may not be 100% (in theory) but in practice it is.

      "...and foreign governments have the technology to break through it."

      Any evidence to support your claim that foreign governments have the technology to break through any encryption? Thought not.

      1. Tom 13

        Re: Without brute force and millions

        The Maginot line was unbreakable too. That's why the Germans went around it. I expect most foreign governments know this too.

        On the brute force front, I give it about 30 years. Intel et al. will keep doubling processor power during that time. Security researchers will sniff around the edges finding a weakness here, and a soft spot there. None of them will break the algorithm outright, but taken in total the combination will break the encryption in less time than the theoretical calculations we make now.

        What protects us is that as each weakness is found, a new fix for that weakness is found and we will move to a new encryption algorithm. Security isn't the castle wall or the moat around the castle wall. It's building and manning them and adding new protections in an evolving environment.

      2. Stevie

        Re: Ban Laptops

        "Without brute force and millions, if not billions of years, how does one break into 256 bit AES? It may not be 100% (in theory) but in practice it is."

        But what if the thief threatens to pour a kettle of freshly boiled water over your head if you don't give him your private key? I've only just been made aware of this terrifying scenario over in the Car Door Hack Outrage story, but it seems thieves have no scruples about using one's own tea-making equipment as improvised torture devices.

        Possibly a hard-hat diving helmet would prove an adequate defense, but this is hardly practical. For one thing, field workers may not be audible unless they open their faceplates, exposing them to a possible faceboiling. For another, what if the wily thief connects the kettle spout to the hose inlets before boiling, steaming the hapless public servant's head until they give up the key?

        I've given this quite a bit of thought, and I think we must move aggressively to ban the kettle.

    2. Charles 9

      Re: Ban Laptops

      "I don't even see the need to have remote access to personal data. Work should get done at the office and home life done at home. If an employee needs to do work at home, there is something wrong with their job classification. Hire another person in the office."

      Easy enough to say until accounting tells you there's not enough in the labor budget to retain another worker. That's the big big problem with labor these days: people are expected to be working as much as possible or they'll find someone who works harder than you. It's a race to the bottom to find people who work as hard as possible for as little as possible...if they don't find a foreign worker who can work for what we'd consider a pittance or just turn the job over to an expert system who can work round the clock with virtually no time off.

      As for remote access, consider that some places have very poor Internet access. If you have to make a deadline (maybe it's for a contract), you can't stay in the office, and you can't rely on remote access, what options do you have left?

  20. This post has been deleted by its author

  21. Maharg

    I guess a mix of user error and un-enforcement

    I’m going to go ahead and assume following the last time Glasgow council probably invested time and money in producing a new policy for laptop encryption, probably spending lots of money to make sure it followed some ISO standard and they signed it off and said ‘that will stop it happening again’.

    And left it at that.

    And then it got down to department management, and some of them made sure their departments followed the new policy and procedures, and others didn’t.

    And then it got down to the user level, and while some users did exactly what they have been told to do, others left their laptops in an unlocked desk in an unsecured building and probably had a post-it with “pa$$word22” stuck on the laptop screen.

    It's these people who have screwed it up, and everyone will have to pay out of their wage packets/ tax money.

    Every place I have worked I have found people that are just too arrogant, self-important or just stupid and seem to want to go do exactly the opposite of what they should, no matter who tells them, how many policies are made, how many awareness courses they go on, and then they bitch and moan when you take away their laptops and give them a desk PC at work because they can’t be trusted and treat them like a child.

  22. Anonymous Coward

    I wonder what would happen if...

    ...we all did freedom of information act requests to our local councils to ask for details of their policies that 'ensure' that this couldn't happen to us?

  23. Stevie

    Bah!

    Yes! Yes! Fire everyone and hire people who know what they are doing.

    Provided they will work cheaply enough of course.

    Then replace the laptops. Low bid, of course, so people should expect a few issues with the more expensive software options (like encryption).

    Make sure there are bulletproof standards and practices that constrain the purchasing too. Make those bastards buy the cheapest O/S from the Right People.

    Now, do we have everything in place? Good! Cancel the training budget so everyone's skills get moth-eaten.

    Now, cut taxes! Cut them some more! Trim budgets to match!

    Locksmith? Do we believe the taxpayers are made of money?

    Free software? Only if it is on the approved list! Thought not. Take another budget cut.

    WHAT?!!! YOUR UNENCRYPTED LAPTOP WAS STOLEN?!!! HOW COULD THIS HAPPEN?!! WOE, WOE UNTO THE PEOPLE WHO MADE THIS POSSIBLE?!!

  24. John Smith 19 Gold badge
    Unhappy

    so virtual desktops, encrypted hard drives still just too damn difficult to explain to PHB's

    Others are right: until senior managers start doing prison time, this will not change.

    Sadly AFAIK the options to put criminal penalties (with jail time) into the DPA are still not set up.

    1. Fatman

      RE: Re: so virtual desktops, encrypted hard drives still just too damn difficult to explain to PHB's

      Others are right until senior managers start doing prison time are taken out and shot, this will not change.

      FTFY

  25. Fatman

    More blame shifting bullsh-t!!!!

    A Glasgow City Council spokesman told the BBC: "This data loss should not have happened and we took immediate steps to ensure it does not happen again. Like WHAT!!!!! Piss and moan???

    The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action." Really, how long into the future will YOU be able to make that guarantee. WRT "remedial action", was the fool responsible fired? demoted? Most likely not.

    The taxpayers ought to round up those responsible and display them in a pillory in the town square. Perhaps local produce vendors can be persuaded to provide plenty of spoiled or rotten product for taxpayer 'stress relief'.

  26. Anonymous Coward

    bad and lazy management

    I work for a similar UK organisation, and all mobile devices are encrypted, any USB device gets encrypted or blocked on access and most users are blocked from saving to local storage.

    Even with the problems Glasgow had with their machine encryption, they could at least have transferred the data to a secure network storage or even encrypted USB drive. I suspect we have to process the same data types and meet the exact same standards as Glasgow. If we can do it, they can - so appalling management, technical incompetence or laziness are to blame.

  27. tigerike

    encryption is free

    Not sure what the controversy is, when you install Ubuntu (and most other Linux distros these days) you are asked if you want the entire drive encrypted or just your home dir.

    I always do the full drive encryption on my laptops cuz you never know.

    Anyway, if you are an M$ fan (can't stand them myself and I live in Seattle), there is built-in volume encryption for the higher end editions of Windows 7 & 8: http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption

  28. P Taylor
    FAIL

    Data on Laptops.

    "Perhaps the data should never have been on a laptop in the first place."

    You would not believe how often it happens in this day and age. Mainly down to poor IT Management and implementation.

    2 places I have been to this week alone doing Break / Fix repairs, staff were storing data locally on their laptops, and not on the File Server which they did have in place in the office.

    They were doing Server backups daily, but it was pretty pointless as data was never put on the server and was just walking out the front door every day.

    Scary!

  29. Christian Berger

    What I don't understand...

    Why do they even store data on laptops? Why didn't they stay with some terminal-server solution and have a VPN concentrator connecting between that terminal server and the Internet? Particularly when you have older solutions like serial terminals, that's trivial to do.

    Data "flatrates" which will be throttled to about 50kbit/sec after a few megabytes are around 3 Euros in Germany. 50 kbit is perfectly enough for a serial terminal, and even gives acceptable performance for graphical sessions.

    That way no data would have to be stored on the laptops themselves. If a laptop goes missing you can easily replace it and as long as you have a password on the VPN it's useless to a potential attacker. (Of course lost and then found laptops need to be wiped)

    1. Charles 9

      Re: What I don't understand...

      You assume the laptop isn't going to a dead zone where there's no Internet to speak of: wired or wireless. They still exist, meaning it's a local copy of the data or bust, because the person handling it MUST go there and MUST have access to the data. As for the drive encryption, suppose free solutions are "not on the approved list", it reacts badly to BitLocker, and the budget doesn't allow for a different laptop.

  30. GeekinOrpington

    I've seen a couple of council laptops issued to staff with encryption but the password was on a sticker on the base.
