back to article David Cameron's Passport number emailed to footy-head

Last week, Australia passed mandatory metadata retention laws, over objections that personal data should only be accessible by a very small number of people under very secure circumstances because it is is bound to leak and cause embarrassment. Two business days later, the antipodean tentacle of the Grauniad revealed that …

  1. Winkypop Silver badge
    FAIL

    Oh the G20

    That's right, I remember that hideous waste of money.

    Just one of many screw ups by stunt-boy Abbott.

  2. Ole Juul

    defaults

    Autocomplete is great for regular casual situations. I'm just wondering why people handling sensitive information have it turned on. Is it possible that their computers are just running on out-of-the-box defaults and not nicely set up by an IT department with appropriate skills?

    1. caffeine addict

      Re: defaults

      More importantly, why is the IT department allowing unprotected excel files to be flung around the place? Shouldn't they either be blocking these sorts of files from leaving government networks, or insisting all excel sheets are password protected before being sent?

      1. frank ly

        @caffeine addict Re: defaults

        The last time I had cause to 'play' with an Excel file that was password protected, I renamed it to a .txt file and opened it with Notepad - the password was clearly visible. Excel may have improved since then.

        1. david 12 Silver badge

          Re: @caffeine addict defaults

          The last time you had cause to 'play' with an Excel file that you think you remember was password protected, perhaps it was Excel 2003. Or earlier. And it was probably a protected sheet, workbook or project in a file, not a protected file.

    2. Graham 32

      Re: defaults

      "Autocomplete is great for regular casual situations. I'm just wondering why people handling sensitive information have it turned on"

      Without autocomplete you have to not make a typo every time you type an email address. I reckon autocomplete prevents emails going to the wrong recipient more often than not having it. And when you do screw up it goes to someone you already have a relationship with and therefore may cooperate, as seems to be the case here.

      However, if your emails are spreading gossip you probably wish it did go to a complete stranger rather than the wrong friend/colleague.

  3. Anonymous Coward
    Anonymous Coward

    Peace be with you

    I am Daniel Cameroon, fomerly a presidente of the Unided Kingodoom of Great New England and it has been Brought to my personall attencion after the lost 2014 parlimentari elections, that apon vocting the 10 Downing HIll premisees, it was dicovered the some Of no less than 10 trillon USD troubles in two thick browne envelops, addressed personnally to you, dear Sir. Therefor and henceforth I besech you to provide me with your full account details so that I can return the envolops to you (minus handling fees and postal charges) at hte earlyst oportunity. May God be with You and have mercy Upon your sol and mine.

    Your dearest frend,

    Donald Cameraon

    1. Voland's right hand Silver badge

      Re: Peace be with you

      Come on, it is only 30th. There is still 1 day to go until April's fool's day, though I have to admit, it is ramping up quite nicely. First the NEST, then this.

    2. Anonymous Coward
      Thumb Up

      Re: Peace be with you

      +1

      Top satire

    3. Anonymous Coward
      Anonymous Coward

      Re: Peace be with you

      Well done.

      You win all the 10 trillon USD troubles in the world!

    4. Anonymous Coward
      Anonymous Coward

      "Provide me with your full account details so that I can return the envolops to you"

      That's too funny!

      On the less funny side, has anyone noticed how many hacking / data protection / cloud / privacy classic fuckups are on the front of page of El Reg recently? Has anyone in charge got a clue? LA DE DA sleep-walking to the mother of all data-fuckups with no accountability or jail time ...........

      http://www.theregister.co.uk/2015/03/30/david_camerons_passport_number_emailed_to_footyhead/

      http://www.theregister.co.uk/2015/03/30/unlimited_uber_accounts_flogged_for_5/

      http://www.theregister.co.uk/2015/03/30/starryeyed_hackers_stuff_eurovision_ballots/

      http://www.theregister.co.uk/2015/03/30/jailed_brit_con_issues_his_own_bail/

      http://www.theregister.co.uk/2015/03/29/british_airways_frequent_flyers_hacked/

      http://www.theregister.co.uk/2015/03/27/hotel_antlabs_inngate_rsync_vulnerability/

      http://www.theregister.co.uk/2015/03/27/slack_hacked/

      http://www.theregister.co.uk/2015/03/27/google_safari_appeal/

      http://www.theregister.co.uk/2015/03/27/github_under_fire_from_weaponized_great_firewall/

      http://www.theregister.co.uk/2015/03/27/one_man_operated_750000_twitter_accounts/

      http://www.theregister.co.uk/2015/03/27/brisbane_court_recording_outfit_breached/

      http://www.theregister.co.uk/2015/03/27/google_botches_another_cloud_patch_this_time_messing_up_app_engine/

      http://www.theregister.co.uk/2015/03/26/close_your_facebook_account_if_you_want_data_privacy_eu_commish_tells_court/

      http://www.theregister.co.uk/2015/03/26/chrome_trumps_all_in_reported_vulnerabilities/

      http://www.theregister.co.uk/2015/03/25/customer_data_selloff_part_of_radioshack_bankruptcy_auction/

      http://www.theregister.co.uk/2015/03/30/nest_learning_thermostats_bst_google_leaves_consumers_freezing/

      1. Crazy Operations Guy

        Re: "Provide me with your full account details so that I can return the envolops to you"

        Data theft isn't increasing, its merely more visible in the media. Which is a good thing overall, despite what we're seeing.

        Years ago it was trivial to compromise a system, now it has to be done through obscure zero-days and spear-phishing attacks.

        1. YetAnotherLocksmith Silver badge

          Re: "Provide me with your full account details so that I can return the envolops to you"

          Crazy, what a load of crap.

          Data breaches 30 or more years ago were people stealing ledgers from buildings, & made little difference to anyone. You needed physical access, and special spy cameras to not get found out.

          15 years ago no-one cared much. The scale was still small and what use was most of the data? A customer number, possibly an address, maybe a credit card.

          Now? You get access for 3 minutes and you can pull gigabytes of data over the network or onto a thumbdrive, which has links to enough other related stuff you can know everything of worth about someone (or, more likely, 100,000+ someone's) and then turn around and sell that data through a ready for action network for actual money without much risk.

          Data theft is far more common, & the scale is breathtaking when you think about it, in number of crimes, number of attempts and number of people affected.

          Was there a database of more than a million credit card details that wasn't a bank or the card company itself 20 years ago? Because there are hundreds of them now, hence patches like PCIDSS.

          Further, there are now many people looking for 0days to sell them on, & plenty of people targeting specific organisations who are prepared to pay out for them.

          Add in the the letter agencies harvesting everything in site* & sharing it around, which I personally see as a data breach, & there is little that *isn't* leaked.

          *pun-tastic!

  4. Anonymous Coward
    Anonymous Coward

    Passport Chip

    Unfortunately the passport number also being the decryption key for the passport chip which can be read remotely, therefore allowing access to the photo and further personal details of those leaders.

    Oops.

    1. Anonymous Coward
      Facepalm

      Re: Passport Chip

      Seriously? Tell me that you made that up.

      1. SteveK

        Re: Passport Chip

        See http://www.theregister.co.uk/2013/06/20/home_office_slips_out_android_passport_reader/

        It is certainly encrypted with passport number (maybe DOB too), however I don't believe these can be read from the passport via NFC - they need to be typed in (or optically read) so would need physical access. There's nothing extra stored in the chip beyond what is printed on the card.

        That does remind me though, I need a new passport photo for a different ID card, maybe I'll just read the image off my passport and send that in!

        1. djack

          Re: Passport Chip

          Yep, it's passport number, date of birth and the expiry date of the passport.

          Once you have thise details, you can access the passort via NFC to get at the biometric data.

          1. Gordon 10

            Re: Passport Chip

            Seriously? surely for fraud prevention alone it should be pki, allowing anyone to read but only the Govt to write. then embed the public key in the machine readable text.

        2. Anonymous Coward
          Anonymous Coward

          Re: Passport Chip

          You don't need physical access once you have those details. There is an Android App called NFC Passport Reader which allows you to type in those details in and then read your passport NFC chip by placing it against the phone and you will see all the details held on the chip.

  5. Hans 1
    Coffee/keyboard

    >The person who received the file promised they deleted it – by emptying their Deleted Items folder – and apparently did so before the daily backup preserved the file.

  6. John H Woods Silver badge

    "Microsoft Outlook was the culprit: the sender meant for the mail to go to someone else, but was undone by an unwanted autocomplete"

    This should read:

    "The sender was the culprit for not ensuring that the recipient field was correct. But fortunately, because only the recipient had the corresponding private key to the public key used for encrypting the material, they weren't able to read it."

    There is absolutely *no* excuse for this. It's one thing if you're all at the same organisation and the worst that happens is, for instance, a UK-based worker like myself is sometimes asked to "pop in" to the Sydney office "tomorrow" to do something (my stock answer is that, as long as they clear the travel, I'm on my way, but it may actually be "the day after" when I get there).

    Emailing sensitive unencrypted material to the wrong person is utterly unacceptable. In fact even emailing it to the right person is pretty much unacceptable, as there should be no expectation of the material remaining private unless it is properly encrypted. It's not even hard: if your recipient is cryptographically naive, send them an encrypted zip and phone them up with with password. If you can't do that, you are not the right person to be sending the email.

  7. James O'Shea

    Wanna bet?

    "It's considered unlikely that the document reached the public domain. Even if it did, it would be of limited use: who could attempt to get through immigration with a passport for Barack Obama or Angela Merkel? "

    People such as Jose Lantigua might try. See http://www.palmbeachpost.com/ap/ap/top-news/suspicion-surrounded-florida-businessman-who-faked/nkd2x/ Apparently one of the reasons why he got caught (after a delay of several years, something which speaks highly of the competence of the immigration authorities) was that, and I quote, "The passport he had used to get back into the U.S. had proved his downfall. The man whose name Lantigua was trying to steal was black — the photo Lantigua submitted showed he is white." And, oh, "Finding him wasn't hard — while the other information on his passport application was allegedly forged, he listed his supposed widow as his emergency contact and gave the correct North Carolina address." You can't make this up.

  8. Ashton Black

    Empty Deleted Items....

    'Fraid not old bean. If you select Deleted Items and (depending on your version) select "Recover Deleted Items" you'll see that even those ones "emptied" are recoverable. Depending on your Exchange config, they can be in there for 14 days. It's known as "deleted item retention time".

    Oh, and yes it does get backed up.

    Oops!

    1. Phil O'Sophical Silver badge
      Windows

      Re: Empty Deleted Items....

      > DEL file.txt

      Are you sure?

      Really, really sure?

      Certain?

      Shall I keep it for a while in case you change your mind later?

      OK, it's gone, but let me know if you, like, regret this over the next week or two, I'm sure we can do something.

      Well, that's not a nice thing to say at all.

    2. Anonymous Coward
      Facepalm

      Re: Empty Deleted Items....

      Lest not forget they may employ Journalling at both ends.

    3. Crazy Operations Guy

      Re: Empty Deleted Items....

      And then you have data the Malware scanning systems may be hanging onto. Then there may be additional copies stored elsewhere as part of an auditing system. Or maybe some sysadmin had been debugging a network link and have a packet capture of the data...

      Then you have malicious folks: rouge admins running packet dumps on all port 25 traffic; intelligence agencies capturing the organization's traffic (and someone running an international conference like this would be an obvious target).

      1. John Brown (no body) Silver badge
        Headmaster

        Re: Empty Deleted Items....

        "rouge admins"

        Well, someone is certainly red-faced.

    4. david 12 Silver badge

      Re: Empty Deleted Items....

      Lets not forget, he may not be using Exchange at all. Outlook also connects to other kinds of message stores.

  9. Irongut

    Microsoft Outlook was the culprit:

    No it wasn't. Poor Outlook only does what you tell it. The culprit was the brain dead mouth breather who told it to send the email to the wrong person.

  10. jake Silver badge

    ::snickers:;

    Further proof that manglement should have no say about security ...

  11. Buzzword

    Not just Outlook

    All email clients have an autocomplete functionality. Outlook was the tool in use on this occasion, but I've seen the same mistake made in other clients, in web-based mail, in phone apps, etc.

  12. s. pam Silver badge
    Holmes

    What a choke!

    So the end user deleted the email - what about the Email Archive and the Exchange logs?

    I suspect if they did a real search, it is probably available on an #IRC channel now!

  13. alain williams Silver badge

    The wrong address is not the real issue

    Sending the list by (presumably unencrypted) email is a bigger problem. Sending email is like putting a post card into a letter box, it can be read by anyone who handles it. So: this email has potentially been read by all sorts of people.

    This is the REAL cluelessness - it seems that el-reg's journalists have also forgotten this problem with email.

    OK: in this case the NSA has already got this information, but who knows who else has tapped into the Internet routers that the email went through ?

  14. Derichleau

    Is it such a big deal?

    I regularly submit Subject Access Requests and in response, I am constantly being asked for photo ID as identifying information. I have argued on numerous occasions to the ICO that I'm not going to give any company a copy of my passport or driving licence because of the security risk and because it's excessive.

    A data controller can validate me by phoning me and asking me a few questions about my account. Or they could send me a letter to my home address and ask me to quote the reference number on the letter. Or they could wait for the £10 fee to clear and that validates me. Or they could ask me to pay the fee by credit card as that would validate me too!

    There are lots of ways that a data controller can be satisfied about my identity without me having to give them photo ID.

    The ICO however is adamant that requesting a copy of a passport is not excessive. If the UK's Data Watchdog couldn't care less who sees passport information then what's the big deal? Having said that, the ICO also told me that a year on its own constitutes a date for the purpose of a Subject Access Request. This organisation is not fit for purpose.

    webmaster@www.mindmydata.co.uk.

    1. Anonymous Coward
      Thumb Up

      Re: Is it such a big deal?

      There is no obligation, at least for UK citizens, to have either a passport or a driving licence, so they cannot assume that everyone has these documents. Plenty of people don't - many elderly people who no longer drive or travel for example. Offer them a copy of your Bingo Club membership card.

    2. Yet Another Anonymous coward Silver badge

      Re: Is it such a big deal?

      I thought it was illegal to make a copy of your passport since Her Maj owns the copyright and will set the corgis on anyone who tries.

    3. alain williams Silver badge

      Re: Is it such a big deal?

      So if they want a copy of your passport so that you can see what information they hold about you, does that not suggest that they did not do enough to assert who you were when you signed up on their web site in the first place ?

      Surely: give the exact same information (be that true or false) should be enough.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like