USB key to 4,000 vulnerable people's front doors lost

Leicester City Council has misplaced a USB stick containing personal details of 4,000 vulnerable and often elderly users of its care service. The data has disappeared from LeicesterCare, the council's vulnerable residents' support service. Along with personal information, the stick also has key codes for 2,000 people, which …

COMMENTS

This topic is closed for new posts.
  1. Whitter
    Thumb Down

    Excused by faint denigration

    It's not a "gaff" - it should be a criminal offense.

  2. Captain Scarlet Silver badge
    Paris Hilton

    sigh

    No-one seems to learn anything from these mishaps

    1. Anonymous Coward
      WTF?

      Should be?

      Is.

      Data Protection Act 1998.

  3. Anonymous Coward
    Alert

    I'm glad my data is being kept by such careful people.

    Census in 5 days time.

  4. The Alpha Klutz
    Megaphone

    how many times must this happen before people will watch where they put their USB sticks?

    I propose a new kind of USB memory device that will be mandatory for all public sector workers. It needs to be the size and weight of a breeze block.

    It will remind them to always ask themselves "do I really need to take this with me" and if they do, they will know pretty soon if they aren't carrying it anymore.

    Every time they check their breeze block key into the safe storage area at work, their boss should give them a gold star for being a good boy/girl.

    First boy/girl to get 10 stars can have a free glass of orange squash and an extra 5 minutes lunch time.

    Treat them like children, it's the only way.

  5. Simon Neill

    WHY.....

    ...was this data held on a USB stick?

    I can't see any reason why someone needs 4000 codes on a USB stick. The main DB should be on a secure server, then a care worker should be given the 10 codes they need. If you do need to move 4,000 codes why not just put them straight on a laptop rather than a piddling easily lost USB stick?

    1. Conor
      FAIL

      Liability cost equal zero so why bother with security

      @Simon Neill: The reason is because the cost of any security is higher than the cost of liability, which is zero. This is an abysmal breach of trust, but it will be forgotten in 6 months and adds nothing to their bottom line. So they'll do it again next year.

      The funny thing is if they'd lost actual keys to actual doors (I mean physical keys), they'd be screwed. If the owners didn't sue them, the insurance companies would.

      1. Anonymous Coward
        Happy

        the cost

        is not zero - there's all the running around phoning and resetting codes people are doing, the bad publicity, answering all the 'when will I be burgled?' phone calls, and it could cost a councillor their seat.

        Not as high as you might like, but not nothing.

        The question remains, did their IT people approve this way of keeping these sensitive data?

      2. Anonymous Coward
        Big Brother

        Re: Liability cost equal zero so why bother with security

        a false assumption on 2 counts

        Under the new DPA rules, the first bill is up to £500k, since April last year. (loss of S2/DPA98 data)

        ICO has been going easy with the new rules in the last couple of similar cases, so I would guess the cost of the lost USB stick will be in the region of £80,000 to £120,000.

        Secondly, if any of these people are broken into or suffer any other loss as a result of the negligence of LCC, the person (or more likely their insurance company) can recover some or all of the amount through civil action.

        True it would be difficult to prove the loss was solely down to LCC, and it would probably not be economical to pursue the action, but sometimes people and companies do pursue such claims.

    2. Anonymous Coward
      Anonymous Coward

      Nah, they'll just leave the block somewhere when they get tired.

      How about attaching the usb stick to the string that stops them losing their mittens?

      1. trarch

        Personal interest in security

        How about it be mandatory for people with access to the USB to have their own details/ID photo/risky Facebook pictures from Dave's bachelor party stored on the drive?

        Perhaps they may take a little more care in the future then.

    3. Anonymous Coward
      Happy

      No

      They'd leave the breeze block on the roof of the car, and it would be used to smash in the window of the car, in order to nick the laptop with LOTS of unencrypted data left on the back seat.

      The secure way will only work if it is also the easy way.

  6. Anonymous Coward
    FAIL

    Wahahaha

    "we have been assured by our supplier that the information on the device is not accessible to anyone who may find it"

    Translation - "It's in a file format made by our application that we can't open except with that app but it's not encrypted and probably anyone with a bit of savvy and 10min could open it but we're not going to say that coz the information commissioner is about to get medieval on our asses anyway and the Chief Exec would like to finalise his retirement package before the fine hit the doormat."

    1. Anonymous Coward
      Thumb Up

      "the information commissioner is about to get medieval on our asses"

      yeah, those letters of his send a chill through the spinal column

      "don't do it again or you will get another one of these letters"

      shocking stuff. Does he use a bigger font for the second letter? We will never know, nobody has dared incur his wrath twice!

      In other news, I can see a flying policeman.

      1. Anonymous Coward
        Happy

        Ref: ICO size of writing

        No, they still use the same font as they did 18 months ago, they just get to write a 6 digit figure in there instead, followed by the words "YOU OWE US".

        Did note that HMG chickened out of giving the ICO the same powers as the FSA has for the loss of personal data. (Nationwide 7 digit number!, for a laptop stolen from inside a locked house)

    2. Anonymous Coward
      Anonymous Coward

      10 seconds?

      zcat file | strings | less

      Usually does the trick.

      Or maybe you open the file in MS Access and hit F11 to bypass the macro asking for the password, which is something like 12345 as you can see by examining the macro :)

      1. Anonymous Coward
        Anonymous Coward

        strings

        What a peculiarly useful and at the same time apparently useless bit of software. I only came across it the first time a month or two ago while attempting to find an email draft Outlook had decided to lunch. I'm very happy it exists.

        1. Anonymous Coward
          Anonymous Coward

          where have you been?

          one of my favorite commands from my days using an AT&T 3b2 machine, and that was almost 20 years ago.

      2. Anonymous Coward
        Anonymous Coward

        @tnovelli

        12345? That reminds me, I must change the code on my luggage...

    3. Elmer Phud Silver badge
      Happy

      Aaargh

      "It's in a file format made by our application that we can't open except with that app"

      Oh, an Excel sheet then?

  7. peter 45
    Thumb Down

    let me guess

    They will be storing all those new codes on another USB stick.......... but promise to look after this one really carefully this time.

  8. petur
    Dead Vulture

    Not accessible

    The data is not accessible... so, encrypted or obfuscated? Article doesn't say...

    If I lost an encrypted USB stick with passwords, I would be changing them anyway, just to be on the sure side. So did they really mess up, or are they just following proper security practices?

  9. John Riddoch

    Encrypted?

    "we have been assured by our supplier that the information on the device is not accessible to anyone who may find it" - are we to take it that the information was encrypted for a change?

    1. Martin Milan
      WTF?

      No!

      ... You most definitely are not meant to take it that way...

      If the data was encrypted, the third party supplier would have explicitly said so. The council would be screaming it from the rooftops.

      The fact that they aren't anywhere near the roof tells me that this is most likely data in an obscure format. Knowing public bodies, probably Microsoft Works.

      Someone needs to give these people a kick up the arse.

      1. Anonymous Coward
        Anonymous Coward

        re:Someone needs to give these people a kick up the arse.

        I'll do it. Get a few thousand (legitimate in every way) names on a petition asking me to, and I'll go buy a new pair of steel toe Doc Martens and head for Leicester before you can say "Christ! Me jacksie!"

    2. Peladon

      Keys wot you can't get into to get keys to get into places

      Well, if this were to be translatable to identify the key in question as something like (advertising not intended and I have no link to them) an IronKey Personal or Enterprise, then yay them.

      Sadly, it probably isn't.

  10. zaax
    Headmaster

    Sheila Lock should go

    Like the ex head of HMRC, Sheila Lock should go, and hopefully it will teach top managers to look after their information

  11. Richard Jukes

    These

    These would be the same key boxes that look like they are made out of plastic at worst or at best really thin steel? Secure ain't they.

  12. Anonymous Coward
    FAIL

    Security.....wassat?!?!

    Obviously the PC / laptop this data was taken from had the USB drive disabled......apparently NOT!!!

    FAIL for the council for leaving USB ports open and FAIL for the person who lost it!!!

    1. Anonymous Coward
      Anonymous Coward

      They are not too bad

      Mine is pretty beefy - would take some effort to break it open, if anyone could find it in the first place.

    2. Anonymous Coward
      Joke

      plastic or tin?

      it really makes no difference what the box is made out of. 9 times out of 10 the "secure key box" will be more secure than the door that the box contains the key to.

      Joke alert - because most front door security is one !!

  13. Anonymous Coward
    Paris Hilton

    am I being thick?

    Why do they need a key to a box with a key in it? Surely they could cut out the bollocks and just have the council keep the key that would otherwise be in the box?

    Ooooh, for security you say? Well in that case I propose a key to a box in which is a box with a key in it for the box inside that box where there is another key (add layers of "security" as appropriate).

    /obligatory:

    yo dawg I heard you like keys in your boxes so we put a key in your box so you can key your box while you put the key in your box.

    1. Craig (well, I was until The Reg changed it to Craig 16)

      re: am I being thick?

      One key benefit of this is to allow the council to give emergency accommodation to vulnerable people at very short notice without having to dig someone out of their bed, wait until they get to site then mess around doing handovers. If the decision is made to give someone emergency accommodation then give them the code to the box, they get the key and can go in immediately.

      1. Stu_The_Jock

        Are you being thick ? . . . dare I answer ?

        I think the idea is NOT so someone requiring emergency accommodation can get in, but more, as stated in the article, that it allows care workers to get into the homes of the elderly and infirm. Instead of having to check in and out hundreds of keys to doors, the workers get a list of calls, with a code to open the little box and use a key they know works.

        The alternative = keys with addresses on tags (really secure when they lose that)

        or someone pressing their emergency call button and the response team spending 20 minutes going through a bundle of 50+ keys to find the right one.

        Also if a carer has visited that day and an "emergency" extra visit is called, but that carer is halfway across town, nearest worker can get the code via SMS and help out.

      2. Anonymous Coward
        Happy

        lol "One key benefit"

        I Key what you did there.

    2. Oliver Mayes

      You are a bit

      My father is disabled and for a time had a care worker visit twice a day. The idea behind these was that a spare key to the front door was kept in a metal box with a combination lock bolted to the wall near the door.

      The care agency have the code to the box so if they arrive and the door is locked, rather than waiting for the occupant to make their way to the door to unlock it (or if there has been an accident or fall and the resident can't get to the door), the care worker can just let themselves in and you (theoretically) don't have the security risk of handing over your door key to an agency.

      Plus, if there is more than one care worker who visits (as they work shifts it may be a different person at different times of the day), you don't need to give each one a key, they just all have a copy of the box code.

  14. Craig (well, I was until The Reg changed it to Craig 16)

    Kick in the nuts

    I've said it before, I'll say it again, the only reliable way to ensure that data isn't lost on mobile devices is to introduce personal liability on the person who authorised its removal from a fixed storage server/device and the person who lost it.

    First offence: a kick in the nuts/female parts from everyone whose data was lost/compromised. In this case, that's 4000 kicks in the nuts/female parts each; as they may be old/vulnerable people, they can delegate the kicking to a professional nut kicker of their choice.

    Repeat offence: unlikely to happen but if it does then it should be considered as a capital crime.

    1. patrick_bateman

      lol

      funny name! ponder on changing mine now

  15. Anonymous Coward
    Joke

    LeicesterCare?

    More like LeicesterCareless !!!

    /gettingcoat

  16. Richard Jukes

    heh

    "Mine is pretty beefy - would take some effort to break it open, if anyone could find it in the first place."

    I bet it wouldn't last five minutes with a cordless angle grinder. Indeed I bet it wouldn't last five minutes with tin snips !

    1. Anonymous Coward
      Grenade

      Batteries?

      Meh I'll knock it off the wall with a hammer then get to work on it with a big petrol powered disc cutter.

      Also the ICO has started issuing fines for DPA breaches. So it isn't fanciful to expect this lot to cop a fine. The only bother is that it'll be paid by local tax payers. The personal liability idea would work but the unions would never allow it.

      http://www.computerweekly.com/blogs/the-data-trust-blog/2010/11/ico-issues-first-fines---but-h.html

  17. The Fuzzy Wotnot
    Flame

    Disgusting

    So the first thing that will happen is every piece of scum will put their feelers out to find this stick so they can either use the info, or sell all or bits of it off!

    Absolutely fucking disgusting to put people at risk like this! Some arse-munch in a council office, right now, totally oblivious to the lives they have put at risk by losing this info.

  18. Conseal Security
    FAIL

    Locking it in a safe? Really?

    This news once again stands as testament to the fact that current storage security solutions for removable storage are not adequate or do not fit the way that users and organisations need to operate in order to remain efficient and productive.

    Complex endpoint security solutions that only allow specific USB devices or approved removable media to be used are extremely expensive and cumbersome, which almost certainly led to Leicester City Council relying on the rather out-dated need to lock up the memory stick in a safe every night.

    By using a solution that could remotely self destruct the data the moment they realised the memory stick had been misplaced would have afforded them an extra level of security and protection.

  19. KarlTh

    Why in the name of all that is holy...

    ...when encrypted memory sticks are widely available?

  20. Anonymous Coward
    Flame

    after removing the swearwords, all that remains is a blank line

    "we have been assured by our supplier that the information on the device is not accessible to anyone who may find it"

    [[not accessible to "anyone"]]... just to that particular group of people who might have, oooo dare I suggest, a computer?

    Kill the person who lost the USB stick, kill their supervisor for employing them, kill the IT security head who didn't secure their IT system, kill the security person who let them leave the building with it. There's far too many of these blinkered useless phukwits earning disposable income these days. Our economy can no longer afford to feed them.
