back to article Culture of insecurity blamed for HMRC data loss

A culture of insecurity rather than mistakes by any single official has been blamed for the HMRC data loss debacle, an official inquiry is expected to report on Wednesday. The Poynter report will highlight poor security practices at the government agency leading up to the loss of discs contained child benefit information on 25 …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Of course

    Of course no one is to blame. The government is involved.

  2. Anonymous Coward
    Coat

    "We'll have more on the Cabinet Office report later today"

    "We'll have more on the Cabinet Office report later today"

    ...assuming it doesn't get lost in the post

    (mines the one with the 2 CDs in the pocket)

  3. Columbus
    Coat

    three wise monkeys icon please

    "The Independent Police Complaints Commission is due to report its take on the on the HMRC breach"

    Hmm.. let me see into my crystal ball, that will be, no evidence of any named person doing anything wrong, but policies & procedures have changed....

    Mines the coat that never changes its spots

  4. Ash

    People are the weak link?

    So make the people legally culpable!

    Follow procedure, or do not pass Go.

  5. Tony

    Security & Lies

    It may be that there are issues with the security policies; in most cases, you can always find areas to improve.

    However, the biggest single issue is not in the policies themselves, but in the implemention, management and monitoring. If senior managers do not enforce the polices that they have signed up to, then the policy is worthless. If they do not monitor to ensure that policies are known and adhered to, then the policy is of no value. (Don't tell the staff about the security policy for resasons of security - seen that happen before)

    On an aside.....

    Did anyone see the interview with Bill Gates at Redmond on the Beeb? He and Fiona Bruce left the building to walk around the gardens, then when they wanted to get back in, Bill found he had left his swipe card in his office. Whilst he stood there puzzling about what he could do, Fiona hit the button to open the disabled entrance, which opened to let them in without any security validation!

    <joke)Look for terry to start recruiting amongst the disabled community</joke>

  6. Simon.W
    IT Angle

    Ah! Those wonderful things called reports...

    - aren't they the pieces of paper this government dutifully ignores?

    This Labour government are pig ignorant when it comes to I.T. in any of its iterations, security or otherwise. I doubt that there will be anyone with enough nous to actually understand the contents of the Poynter report. But more likely it will be lost before it ever gets a chance to breach the doors at Number 10.

  7. Jack Harrer
    Thumb Down

    Translation

    Which basically means nobody's to blame.

    Business as usual, please move along.

  8. Mike

    The only possible outcome

    So no one person is to blame - i.e. no-one will be punished for these lapses.

    "Ain't guvvernment brilliant. We can do what we like and get our mates to say it's not our fault."

    Viva le revolucion

  9. Anonymous Coward
    Coat

    and in other news

    A government office proves incapable of handling basic information security.

    In other news... Most snow found to be white, Pope suspected of being Catholic, and my cat's breath smells of catfood.

    Of course it's down to the culture rather than one individual - the odd breach could be down to individuals breaking rules or not knowing better, but the frequency of these breaches in government department just tells me that the civil service as a whole doesn't have a clue about real security. There is simply no excuse for not having a rigorous infosec policy and enforcing it, when you are handling so much potentially sensitive information.

    Until such a time as we have confidence in the policies and procedures, these government departments should be limited to handling the absolute minimum relevant information they require to do the job, which is a lot less than they currently have, and there's no question of ID cards being introduced. If you can't trust the people with the information, don't give them any!

    Mine's the coat with the RFID guardian and no identifying papers in the pockets.

  10. Writebaby
    Paris Hilton

    Culture to Blame

    No, it means that everybody is to blame and that no-one from the top down in government understands or takes information security seriously or, if they do, they are largely or completely ignored or even stamped on from above.

    Paris - because even she knows more about information security than the whole of government put together.

  11. Anonymous Coward
    Paris Hilton

    Ouch, that smarts!!!

    Imagine that, lambasted. And this following so closely after that vicious tongue-lashing. Are these make believe punishments reserved only for the government and its staff complement of incompetents? If you want to see real progress, start meting out penalties such as dismissals, fines and jail time - you know, the kind of things that ordinary folk have to deal with. Hell even the odd tar-and-feathering would go a long way in pushing up standards in the civil service.

    Paris, because even she appreciates the value of a good spanking.

  12. Anonymous Coward
    Flame

    @ Writebaby

    "or even stamped on from above".

    How true - been there, been stamped on. Usual scenario is :

    Boss - copy this onto a disc & put it in the out tray

    Pleb - But that's completely against the rules

    Boss - Just bloody do it

    Pleb - rules say we need to send it courier

    Boss - Nah that costs, which comes out of my budget

    Pleb - But.....

    Boss - DO WHAT I TELL YOU NOW!

    Poor little pleb now has the choice of either breaking the rules, or having a really bad report written on them which means no pay rise for the next 10 years let alone any chance of progression. They can't insist they get the instructions in writing, same result. They can't report the boss, as that will give them a reputation that means they can't even get a transfer to another area. So they do what the boss says, and just pray no-one else further down the line loses the data.

    AC for obvious reasons

  13. night troll
    Pirate

    Wot title?

    Chancellor Alistair Darling told Parliament in November that a "junior official" had posted the encrypted discs to the National Audit Office, contrary to "strict security rules".

    But the report says "A culture of insecurity" is resposible, so there aren't any STRICT security rules or ther would not be a culture of insecurity would there?

    So the little tinker's been lying again, no change there then.

  14. Anonymous Coward
    Coat

    I didn't know this ...

    There are some real gems in the report :

    'Last year, for instance, HMRC sent out around 300 million letters and mailings to its customers, an average of 8 per household and 68 per business. The media it uses for data transfer is similarly archaic. For example, the Magnetic Media Handling operation in Longbenton, Newcastle, accepts all media (reel to reel tape, cartridges, floppy discs, CDs etc.) on which employers submit their end of year returns and could be designated a museum if the criteria were variety of media no longer generally used (media, incidentally often associated with systems incapable of creating encrypted data)..'

    Is there also a department for 'non-magnetic' media, where I could submit my tax return on paper tape ?

  15. Anonymous Coward
    Anonymous Coward

    Government Agencies

    Have you ever worked in a government agency? I have.

    They couldn't give a s**t about anything. You can't fire the staff, - it's extremely difficult - so people screw up and you can't get rid of them.

    So, there's no real punishment that takes place so who cares if they mess up. Procrastination is the order of the day. They're not in competition with another company, so there's no pressure on them to deliver results.

    As much as I loathe this Labour government, I don't think this security issue is really about them, it's about the kind of people that make-up civil servants that make up the agencies, the managers.

  16. Wize

    Can we make it illegal to send personal data in an unsecure way?

    When the 999 data was lost, the people in charge started blaming the courier.

    Things will get lost in the post, thats why you insure expensive items.

    Anything sent should be encrypted.

    If I posted my companies info without encryption and it was lost, I'd be out of a job for sending it unsecured.

This topic is closed for new posts.