Blundering London council emails unredacted version of notorious Gangs Matrix to 44 people. Data ends up on Snapchat

Newham Council has been fined £145,000 after an employee sent out a mass email containing an unredacted version of the police database that ranks people's likelihood of gang-related violence. According to the UK's data protection watchdog, some 203 individuals' personal data was shared with 44 people, and screenshots of the …


  1. Anonymous Coward

    They knew who sent the e-mail - Were they sacked?

    From my personal experience, if staff steal a couple of A4 notepads it'll be taken more seriously from a disciplinary perspective than breaches like this.

    It doesn't matter if the employer didn't have specific guidance on this document, we don't put signs up everywhere detailing what staff shouldn't break or steal. There's a need for common sense to start applying when it comes to information security across the board. People have to start feeling repercussions of their actions.

    I am absolutely not letting the council off the hook here, but part of the problem I face daily is the lack of acceptance by staff and management that people should be held responsible for their actions and when it comes to personal information it should be taken very seriously.

    1. LucreLout Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      part of the problem I face daily is the lack of acceptance by staff and management that people should be held responsible for their actions and when it comes to personal information it should be taken very seriously

      Yes, this is absolutely the core of the problem. I don't buy services from Talk Talk because I simply don't trust them after their leaks and woeful attitude of their board & CEO in the aftermath. If others choose to use them, that is their business.

      We, however, have no such choice in the public sector - we have to have public healthcare via the NHS, policing via, well, the police, and passports from the passport office etc. etc. It's a monopoly provision. Given that, we can't decline to have our data processed by these organisations and continue to enjoy provision of the services they exist to supply. It is for that reason that when data is leaked in this manner, careers must end: there's nothing else that will force them to take privacy and data security seriously.

      You've hit the nail square on the head when you suggest that theft from the stationery cupboard will be treated more harshly than spaffing our data up the wall like a half-baked CEO.

      1. phuzz Silver badge
        Unhappy

        Re: They knew who sent the e-mail - Were they sacked?

        "we have to have public healthcare via the NHS, policing via, well, the police, and passports from the passport office etc etc It's a monopoly provision"

        Well privatisation is all the rage these days, so if you're really lucky some of these services in your local area will be taken over by Capita.

        I bet you can't wait.

      2. Anonymous Coward

        spaffing?

        I'm not British - what is this 'spaffing'?

        I know your former Foreign Secretary does it but any attempt I make at guessing what it might be harms my imagination and I'm at work so I'm not going to google it in case my worst fears are realised graphically.

    2. Anonymous Coward

      Re: They knew who sent the e-mail - Were they sacked?

      The staff member can always claim, if they haven't already, that they were never given training on data protection. This is the problem with local government. Sometimes the person at the bottom of the chain is innocent and under pressure from shit management. Shit management that are being forced to push through practices that aren't best practice. Some of these are yes people and just want to keep their job. We'd all like to stand up and say no, but when stuck with a mortgage, the difficulty of getting a new job and pressure, you can somewhat understand why said people act the way they do. Doesn't make it right though.

      "Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."

      I have no doubt they'll be in PR mode attempting to cover it up. The amount you read in Private Eye in the Rotten Boroughs section is shocking.

      Councillors should also be probed in this as, despite it being against electoral law, and a breach of the Councillor Code of Conduct, you'll still get some trying to force their views of "how to do things" and what to do with "reports". When in fact they aren't allowed to interfere directly with how a council or council officer does their job, but some still do.

      1. Anonymous Coward

        Re: They knew who sent the e-mail - Were they sacked?

        I've sat on disciplinary panels where staff have claimed "But I wasn't trained on information governance and protection". It's a legitimate defense too.

        But IG training is mandated these days by pretty much every employer, so the issue becomes "why didn't you undertake your MANDATORY training?" The defence then shifts to "I wasn't given time".

        At which point you can pull out the hours they spent looking at holiday websites outwith break periods.

        1. Doctor Syntax Silver badge

          Re: They knew who sent the e-mail - Were they sacked?

          The best way to sort that one out would be that they have mandatory training, tested and get a certificate to prove it. Without the certificate they don't get anywhere near sensitive data and anyone who tries to force them to do so is committing a disciplinary offence and gets their certificate revoked. Needless to say anyone who then does something stupid like this also gets their certificate revoked. If there aren't any posts that don't require certification, tough.

          In the public sector, of course, there's an alternative: misfeasance in public office. We need ICO enabled to prosecute for that.

          1. low_resolution_foxxes

            Re: They knew who sent the e-mail - Were they sacked?

            The average person barely understands legal and regulatory standards. I consider myself a technical academic and frankly there are a myriad of regulations that I barely comprehend myself (perhaps being semi-aware is more confusing than unaware?).

            I always try to imagine the council worker is my gran in this situation. My gran can barely operate her VHS recorder, so why would you think she'd a) read an e-mail and understand the legal ramifications in their entirety (as a lawyer would), b) have the technical capacity to be 100% certain the document you're sending isn't confidential, c) be 100% capable of knowing the difference between "To:", "Cc:" and "Bcc:"?

            In that situation, I recommend big red text at the top making it clear to junior colleagues what the context is upfront. That way, if they ignore the capslock red text warning "CONFIDENTIAL - DO NOT FORWARD. ASK FOR MANAGERIAL ADVICE AND USE THE BCC FUNCTION" and still fuck it up, no excuses: frankly someone needs to be fired (or, for really terrible public sector workers, a quiet career change to become a trade union rep).

            My personal favourite is the spoon at work who continually sent out confidential Word documents with the full tracked change history visible (or even funnier, when he tried to hide confidential figures by hiding it behind a white 'text box').

      2. GnuTzu Bronze badge

        Re: They knew who sent the e-mail - Were they sacked? -- Outlook

        Agreed, but insert here the discussion about how email programs could have better highlighting and prompts to warn when an email might be going to the wrong people. Of course, that won't get it 100%, and training and policy enforcement are necessary, but email programs need improvements too.

        Of course, if your email program comes from a monopoly (at least in the business software market, where software needs to fully support policy compliance), then you may find it hard to sack the software. Why else have the oh so obvious improvements come so slowly?

        1. low_resolution_foxxes

          Re: They knew who sent the e-mail - Were they sacked? -- Outlook

          That's a good point. It does not seem that implausible to get Outlook to have a data security mode that scans the e-mail addresses: when more than 2 people from external agencies are receiving a file, have a popup point out that the Bcc field has not been used - check it does not include sensitive personal info - then press confirm.

          It'll be just like software license agreements - many will ignore it anyway, but at least you have active and unavoidable control systems that must be intentionally ignored.

      3. Doctor Syntax Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        "When in fact they aren't allowed to interfere directly with how a council or council officer does their job, but some still do."

        As an elector I'd like to think that overseeing that council officers was what councillors were for. That way my vote might have some effect. As ever, British public life gets things arse about face.

        1. This post has been deleted by its author

        2. Mike Pellatt

          Re: They knew who sent the e-mail - Were they sacked?

          There's a difference between overseeing and trying to directly influence.

          A world of difference.

          If you can't see that, you're as bad as what seems to be 90% of our local councillors. I know of what I speak, having been one once.

          It's also those (apparent) 90% who ensure that morale and service quality in our local government remain appalling.

          British public life absolutely gets it right in principle. The elected body sets policy and ensures that the resources are available to deliver it; the paid staff implement it. Of course, in local government that all falls apart thanks to the responsibility/authority mismatch enforced on LG by Westminster - all of the responsibility to deliver delegated, none of the authority to ensure adequate resourcing delegated.

      4. Alan Brown Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        Shit management - who will actively cover things up when they realise they've fucked up and then when the inevitable is unavoidable will do everything they can to push the blame to flunkies.

        The fines aren't nearly large enough and there aren't elements of personal accountability for management to drive the point home.

    3. jmch Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      £145k fine.... to be paid by taxpayers either directly or in reduced services.

      Unless there is personal responsibility (ie people personally fined or fired), these sorts of things will continue

      1. MachDiamond Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        "£145k fine.... to be paid by taxpayers either directly or in reduced services."

        That's what always baffles me. How can one department of government fine another department of government? Obviously, if the money is deducted from somewhere, they can't meet payroll or do the things that money was budgeted for and where does the money from the fine go? Lobster dinners for some other mob? Is it re-allocated to MOD?

        It's better to sack the bonehead and the person that hired them and then get everybody else properly trained and the software fixed. There has to be a gateway setting that can prohibit or limit recipients on an email, or just put those messages on hold until somebody higher up hits the "ok" button, the same way they do at large markets' cash registers. If that forces somebody to send messages out one at a time, maybe they won't be so keen to hit "reply all" and will limit where the message is going.

        1. jmch Silver badge

          Re: They knew who sent the e-mail - Were they sacked?

          "There has to be a gateway setting that can prohibit or limit recipients on an email or just put those messages on hold until somebody higher up hits the "ok" button..."

          Also, some gateway setting that delays emails sent (to all recipients or only those outside the organisation) by a couple of minutes, giving time to recall if it is caught in time. Won't be foolproof, but at least it can save some 'butterfingers' or 'temporary brainfart' moments.
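The recipient scan low_resolution_foxxes describes (count external addresses, flag a missing Bcc) and the gateway hold/delay that MachDiamond and jmch suggest, sketched together as an added example. This is not code from the thread, from Outlook or from any mail gateway product; the internal domain, the thresholds, the action names and the three sample messages are constructed assumptions.

```python
"""Outbound mail gatekeeper sketch: added example, not code from this thread.

Checks an outgoing message the way the commenters ask for: count external
recipients, hold the message for approval when several external addresses
are visible in To:/Cc: rather than Bcc: or when an attachment leaves the
organisation, and otherwise queue external mail briefly so the sender can
recall it. The internal domain, thresholds and sample messages are all
constructed assumptions.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example-council.gov.uk"}  # assumed: the sending organisation
MAX_VISIBLE_EXTERNAL = 2    # assumed: more than this in To/Cc needs sign-off
RECALL_DELAY_MINUTES = 2    # assumed: queue delay for mail leaving the organisation


@dataclass
class Verdict:
    action: str                 # "send", "delay" or "hold"
    reasons: list = field(default_factory=list)
    external_visible: int = 0   # external addresses in To/Cc
    external_hidden: int = 0    # external addresses in Bcc
    delay_minutes: int = 0


def _addresses(msg: Message, header: str) -> list:
    """All addresses in a header, lower-cased, display names dropped."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def _has_attachment(msg: Message) -> bool:
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def evaluate(raw: str) -> Verdict:
    """Decide whether a raw RFC 5322 message may leave the gateway as-is."""
    msg = message_from_string(raw)
    visible = [a for h in ("To", "Cc") for a in _addresses(msg, h)]
    hidden = _addresses(msg, "Bcc")
    ext_visible = [a for a in visible if _is_external(a)]
    ext_hidden = [a for a in hidden if _is_external(a)]
    reasons = []
    if len(ext_visible) > MAX_VISIBLE_EXTERNAL:
        reasons.append(f"{len(ext_visible)} external recipients visible in To/Cc; Bcc not used")
    if _has_attachment(msg) and (ext_visible or ext_hidden):
        reasons.append("attachment addressed outside the organisation")
    if reasons:
        return Verdict("hold", reasons, len(ext_visible), len(ext_hidden))
    if ext_visible or ext_hidden:
        return Verdict("delay", ["external recipients: recall window"],
                       len(ext_visible), len(ext_hidden), RECALL_DELAY_MINUTES)
    return Verdict("send")


# Constructed sample messages (no real addresses or data).
SAMPLE_MASS_MAIL = """\
From: officer@example-council.gov.uk
To: a@partner-one.example, b@partner-two.example, c@partner-three.example
Cc: manager@example-council.gov.uk
Subject: Here's the list that John asked me to send to you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please pass on to your anti-gangs team.
--XX
Content-Type: application/vnd.ms-excel; name="matrix.xls"
Content-Disposition: attachment; filename="matrix.xls"

(constructed placeholder bytes)
--XX--
"""

SAMPLE_BCC_ONLY = """\
From: officer@example-council.gov.uk
To: officer@example-council.gov.uk
Bcc: a@partner-one.example, b@partner-two.example, c@partner-three.example
Subject: Meeting dates

Dates to follow in a separate message.
"""

SAMPLE_INTERNAL = """\
From: officer@example-council.gov.uk
To: manager@example-council.gov.uk
Subject: Lunch

Canteen at one?
"""

if __name__ == "__main__":
    for name, raw in [("mass mail", SAMPLE_MASS_MAIL), ("bcc only", SAMPLE_BCC_ONLY),
                      ("internal", SAMPLE_INTERNAL)]:
        v = evaluate(raw)
        print(f"{name}: {v.action} {v.reasons}")
```

The mass mail is held on two counts (three external addresses in To:/Cc:, and an attachment leaving the organisation); the Bcc-only message is only delayed for the recall window; internal mail passes. A real gateway would add a sensitivity-label check and route held messages to an approver rather than just returning a verdict.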

      2. Sam Haine

        Dock their pay.

        Docking a percentage of the pay of all the individuals responsible (all the way up the corporate hierarchy) would help to concentrate the minds of those who need to learn and save the Local Authority money. Win/win!

    4. Mark 85 Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      I'm not sure that the person who sent the e-mails is the problem here. The problem that needs to be looked at is "who released it to Snapchat?". Governments, businesses, etc. send confidential e-mails all the time. The issue that's been overlooked is who violated the standard of trust and released it publicly.

      1. Doctor Syntax Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        I'm not sure that the person who sent the e-mails is the problem here. The problem that needs to be looked at is "who released it to Snapchat?".

        Both were part of the problem.

    5. adnim Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      Or at least disciplined, educated then suspended.

      Why fine the police? It's the tax payer funding this fine ffs!

    6. The Nazz Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      A paltry £145,000?

      No doubt the Chief Executive could pay that out of their salary (not to mention other remuneration eg pension) and still live a comfortable life.

      In other articles on here, ie HPE/Autonomy, the overwhelming sentiment appears to be that Apotheker, as CEO, was responsible for everything, including a detailed knowledge of UK published accounts and accounting standards.

      Applying the same logic, why isn't the Chief Executive of the Council being dismissed, together with the head of IT? As with our LA, they take the large rewards yet never accept responsibility.

  2. }{amis}{ Silver badge
    FAIL

    Does it count as a database?

    Given there appears to be no security or central control, I'm betting that this "Database" is an Excel spreadsheet or maybe Access at best.

    As far as I am concerned all copies of this disaster should be destroyed for its blatant violation of data protection controls; how the hell can it comply with the requirements for accuracy and proportionality when the police clearly don't even know who has a copy?

    I am sure there is plenty of relevant data on proven violent individuals but I'm also willing to bet that the bulk of the people on there just happened to be in the wrong place at the wrong time.

    You can just see it wrecking the lives of innocent people: they go to work in an environment that requires record checks and only then find out a copy of this $%1t was uploaded, and they are blocked from a job because of the awful crime of wearing a hoodie after dark.

    Am I the only one that thinks the Home Office is being run by Constable Savage?

    1. Arthur the cat Silver badge
      Devil

      Re: Does it count as a database?

      Am I the only one that thinks the home office is being run by Constable Savage.

      At least he managed to nick someone rather than running interminable initiatives.

    2. Anonymous Coward

      Re: Does it count as a database?

      "having simply forwarded the email they received from the Met police"

      Well, there's the initial problem. Sending (Sensitive) Personal Data *by email* (and I really would be most surprised and impressed if it were actually an encrypted email) to the council in the first place?

    3. Anonymous Coward

      Re: Does it count as a database?

      All valid points and, in addition, the Met appear to have sent the original + redacted versions over standard email - so unencrypted and insecure. This should also result in the Met getting a fine.

    4. teebie
      Joke

      Re: Does it count as a database?

      'I'm betting that this "Database" is an excel spreadsheet or maybe Access at best.'

      Preposterous. You show me where in the dictionary it says a database can't be a bunch of etch-a-sketches on a shelf.

      1. Yet Another Anonymous coward Silver badge

        Re: Does it count as a database?

        I think the technical term for a list of names, home address, aliases of a bunch of gang members sent out to other gangs is a death list.

        The police probably see it as a solution rather than a problem.

        1. MachDiamond Silver badge

          Re: Does it count as a database?

          "The police probably see it as a solution rather than a problem"

          Plausible deniability. That's the government way. Why else do all of those laptops get stolen loaded with sensitive information by a gov worker that left said laptop on the car seat while they popped into church on the way home. A fictitious worker is sacked for being naughty and the information on the laptop can be used in ways that wouldn't have been permitted. They can use a name of somebody that was sacked in the proper time frame, there has to be 2 or 3 government workers that are sacked each year if not 6 or 7. That way if anybody digs they will find a sacked employee with the name given. I guess it doesn't have to be too close to when the laptop was stolen. Most cases like that the employee is put on leave (paid or unpaid) while the matter is being "investigated".

  3. fnusnu

    More taxpayers money making an internal transfer inside government.

    This is utter incompetence and someone needs to be sacked.

    1. }{amis}{ Silver badge
      Unhappy

      This is utter incompetence and someone needs to be sacked.

      There are many hands over this one; that's why nobody ever gets fired from the civil service. The first rule is always to spread any responsibility as far as possible so no one person can be pinned for their incompetence.

    2. Anonymous Coward

      > This is utter incompetence and someone needs to be sacked.

      "Here's the list that John asked me to send to you. Please pass on to your anti-gangs team".

      This arrives in your shared mailbox. John is not in the office at that moment. What do you do?

      No mention of the sensitivity of the information. No mention of the difference between the two versions. No encryption with password being sent by a second channel; no warning flags as to how sensitive the data is. Nothing to give the person who received it any warning that it was anything other than the hundreds of run of the mill emails received every day.

      But it must be okay, because you know that you have a secure means for transferring sensitive information with the Police and if that isn't being used then it's okay, isn't it?

      1. fnusnu

        The Information Commissioner's Office said it was "unnecessary, unfair and excessive" to share the unredacted version with so many people and that the risks "should have been obvious".

  4. cbars

    Thanks for the explanation

    "The unredacted version contained data that wasn’t in a redacted version"

    1. Justin Case
      Facepalm

      Re: Thanks for the explanation

      Loving the quality of the journalism here - I am feeling better educated with every word I read.

      1. amanfromMars 1 Silver badge

        Thanks for the explanation .... but be aware of the possibility of unintended consequences

        Loving the quality of the journalism here - I am feeling better educated with every word I read. ..... Justin Case

        A note of caution for those fed on paranoia and drinking of the KoolAid of hubris, and a timely word to El Regers? .......

        “The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are.” …… H.L. Mencken

        1. Cliff Thorburn

          Re: Thanks for the explanation .... but be aware of the possibility of unintended consequences

          “The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are.” …… H.L. Mencken

          And why would an individual's mindset change to such? No smoke without fire, perhaps?

          I mean, it's not as though any sophisticated Western country would embark on such frivolous activities as psychological torture, abuse, and intentional infliction of emotional distress on one of its citizens, surely? Perhaps even worse, unlawful human experimentation? Or genetic modification? The list goes on.

          Of course such activities would only happen elsewhere, right?

          1. amanfromMars 1 Silver badge

            Is it still too much of a Quantum Leap for many currently? Oh well ... Onward for a Few then

            And why would an individuals mindset change to such ....[to be able to think things out for oneself, without regard to the prevailing superstitions and taboos.]? ......... Cliff Thorburn

            Natural human progression? Alien Advancement? Virtual Machine Programming Rethink?

            And that's only three very likely positive, possible reasons, CT, with all of them having an extraordinarily high probability of being a universal default improvement for a greater mutually beneficial and exciting co-existence with other elements in fundamental components ....... aka media hosted realities.

            Anything lesser has one surely trapped and tricked/captured and conned into servering a feudal lauded federal system stuck in the past? And one would have to be surely mad to think that acceptable in any day and age or place and space.

            1. amanfromMars 1 Silver badge

              AIMadness Outed in Systems Abusing You

              Is that the stock undereducated human condition in failed and rapidly failing exclusive elite executive office SCADA systems of administration .... Arrogant Ignorant Madness with petrifying self destructive bouts of hubris highlighting myriad series of psychotic episodes?

              1. Cliff Thorburn

                Re: AIMadness Outed in Systems Abusing You

                It certainly does nothing to support the perpetual ‘well being’ of either the behaviour or mindset of an individual so overwhelmingly promoted by face values, but demonstrates nothing other than sheer rampant frustrations of such failed Scada systems and crossover conflict-ions in both Live Operational Virtual Environments.

                Garbage instructions in = Garbage Results out.

            2. Cliff Thorburn

              Re: Is it still too much of a Quantum Leap for many currently? Oh well ... Onward for a Few then

              “Anything lesser has one surely trapped and tricked/captured and conned into servering a feudal lauded federal system stuck in the past? And one would have to be surely mad to think that acceptable in any day and age or place and space.”

              And one would completely agree with such amFM, however like the dog chasing its tail, it would of course help if such media presentations would present such solution rather than repeatedly bleat such nonsense as ‘You ran’ would it not?, which of course is, as such with all presentations thus far simply being a pre fabricated regurgitation of lies if it did not align correctly with the program?

              1. amanfromMars 1 Silver badge

                Checkpoint Charlie ..... For More than a Walk on the Wild Side.

                Fortunately, CT, there is always at least this one systemic easily exploitable vulnerability full of crazily available opportunities which just keep on giving ........

                Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. .... Albert Einstein

                Can you believe that is what makes everything so simple for some, who may or may not be just a chosen few, to do everything they want to without anyone ever knowing how very easily everything is done.

                Is it any wonder that simply complex plain texted information on and in novel out of this world developments, and suitably beyond corruptive command and subversive perverse control, is so absolutely terrifying to failed intelligence operations. And what sort of an answer to such is an ineffective knee jerk reaction which delivers the white feather defence of fight or flight or FUD rather than a SMARTR Engaged AI Deployment and Remote Virtual Employment well worthy of the preeners of three feathers? :-)

    2. Andre Carneiro

      Re: Thanks for the explanation

      Beat me to it... ;)

    3. mark 120

      Re: Thanks for the explanation

      I took that to mean that it contained additional rows or columns, i.e. someone had added further information to that version and not replicated it in the original.

  5. Chris G Silver badge

    I am not sure that the Met should even be sending an unredacted version to the council in the first place. Why would the council need all of that info?

    The 'Savage' approach to policing is bad enough, but allowing council clerks access is not responsible; having worked in and with a couple of councils, I don't trust them with any of my data.

    Not surprised Newham has cocked up, Cockups R us could be on the borough coat of arms.

    1. Anonymous Coward

      Revs and Bens would like such info along with any internal Housing department. After all, you don't want "gang" members in your social housing as you know they'll probably never pay the rent.

      1. Voyna i Mor Silver badge

        They may pay the rent. Crack houses are quite profitable, why cause unnecessary problems?

        1. Anonymous Coward

          Because most are stupid and don't. You'd think they'd learn not to draw attention to themselves. Others just use cuckooing.

    2. MachDiamond Silver badge

      Is it a policy to send redacted versions with obvious redaction such as blacked out information, headers, etc? Does an un-redacted sensitive document have "un-redacted, sensitive" label on the top? It's not always obvious what might be considered sensitive. The police would know better than some local council members in their first term. If you get a document with a load of recipients or CC's, you might not think that keeping mum is in order.

      I do agree that the council probably didn't need to see the document. They may have only needed to know that it exists, the type of information that it contains and that it can be viewed at the police station or by special application.

  6. Thoguht Silver badge

    Fining a council?

    That's almost in the same league of stupidity as fining the NHS or a local health trust for a medical mishap. If you fine a council, the people who pay that fine in the end are the residents, not the people responsible for the breach. If there were personal liability at the top of the hierarchy, just as there is in the case of software piracy in a company where the directors are personally liable, then I think you'll find these sorts of things will happen much less.
