Pants on fire.
"The government takes information security extremely seriously". Enough said really,
Discs containing information from three sensitive police inquiries – two of which involved highly controversial shootings in London, including that of Mark Duggan – have gone missing after being sent through the post. Yeah, you read that right: sent through the post. The information covers probes into the role of the police …
This comes to light at the same time as the abuse victims' details being "accidentally" leaked on the Commons website?
I feel I must clarify that I do not respect Russell Brand before I quote him that incompetence on this scale is indistinguishable from malice.
we've had everything from CD's to mothercare vouchers stolen whilst in the post (yes, post office, when I get the recorded envelope through the letter box without signing and missing contents it's been stolen).
They look for certain envelope types and stuff, it's big business and computer CD's may contain useable details and sell for lots to the 419 rings, boiler rooms etc.
So don't think they were not targeted for being media that may contain, not for their actual contant.
Maybe now some scammers are demanding money to not release the details of the shooter?
and they were encrypted to GCHQ approved standards
the mind boggles.
Just WTF are we paying for with all these government IT contracts.
In a way I *do* hope something bad happens as a result. It might just wake someone somewhere up.
By the way, my choice of icon is deliberate. This is in no way a "fail". It's sheer WTF all the way.
The one person who has been suspended is low down the payscale but apparently wrote the data protection policy for everyone? I just can't see how it is one persons wrap.
"I had access to all this super sensitive information, so I copied it off to some disks and nipped down the post office, was that wrong? oh sorry."
Meanwhile phrases like "take some time off, keep your head down" were muttered around bosses offices.
I'm off to buy me some shares in a paint firm, whitewash specialists.
"The one person who has been suspended is low down the payscale but apparently wrote the data protection policy for everyone? I just can't see how it is one persons wrap."
Yeah, I had that one when Oxford's John Radcliffe Hospital* emailed me the (frankly appalling) response to another patient's complaint in entirely unnecessary detail and presumably did likewise with mine.
When I contacted them, they assured me that the nameless person who sent the email was no longer working for them. Though given that they didn't name them, didn't say why they were supposedly no longer working there and made no reference to confidential medical information being sent using standard plaintext email, in contravention of their working practises, and by people probably not authorised to do so, I don't feel a great deal of confidence as a result of their response.
I did try reporting it to the ICO, who were utterly useless, which is probably why this sort of thing keeps happening and is going to keep happening.
* who are apparently already following an "undertaking" because of previous carelessness with personal information. I'm sure they're quaking in their boots.
>When I contacted them, they assured me that the nameless person who sent the email was no longer working for them. Though given that they didn't name them, didn't say why they were supposedly no longer working there and made no reference to confidential medical information being sent using standard plaintext email, in contravention of their working practises, and by people probably not authorised to do so, I don't feel a great deal of confidence as a result of their response.
Indeed they upgraded the server hardware of the mail-response system that was not thread safe - so indeed "another person".
... Not this again. And still using DISCS IN THE POST to send sensitive info? The ICO should issue the maximum fine for a data breach for that act alone, plus a fine for each case.
I really hope the discs were encrypted, but gov agencies have form for not doing so. And if not, then another maximum fine should be issued for each disk that failed to have this in place.
"Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret"
In this case we don't know the marking nor whether it was Special Delivery. For all we know they were sent 2nd class in which case they might be delivered tomorrow.
"Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret"
Or, to translate for Police and associated staff:
Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret. To use this service, shred all information and send an empty envelope to the recipient. In the off chance this is not "lost" by Royal Mail or consciencous Police staff, when the recipient recieves the empty envelope and contacts you advise them the contents have been stolen.
> Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret.
Which isn't as Special as you might think.
I sent a delivery of custom-made items to a long-time customer whom I know and trust. A little while later he contacted me saying that he hadn't received the items.
Checking with Royal Mail, they said "well they were signed for and the GPS location was at his address, so as far as we're concerned, he's got them" despite the fact that a) he lives alone and b) it wasn't his signature, nor was anyone else there or authorised to sign for them.
Their response "we asked the Postman and he said he'd delivered them, so that's that, screw you, you're not getting any compensation..."
"ICO should issue the maximum fine for a data breach"
It would make no difference in this case as fines just go to HMG. Now a fine to be paid personally and not reimbursable by the depts. Perm Sec or minister. That might have some effect. For one thing it would be made clear all the way down the chain that this would be a sacking offence.
The only problem with the ICO handing out the maximum fine to the MoJ is that it's not their money, it's tax payer money moving from one piggy bank to another.
If you really want to get prople's attention, it's the prospect of JAIL TIME, not a FINE that will make the muppets wake up (I hope)
"still using DISCS IN THE POST to send sensitive info?"
Using the post seems to have a certain amount of plausible deniability with the politicos, when inconvenient information conveniently goes missing.
As others have noted, the politicos are so ignorant that they typically get away with not asking about backups and the like,
The ICO should issue the maximum fine for a data breach for that act alone, plus a fine for each case.
That will have absolutely zero effect - they will be paying that with your tax money anyway so all you do is sponsor some lawyers and accountants to ship some money around.
I think this is really enquiry level stuff as it keeps happening - clearly something is fundamentally wrong there and it is time someone start digging deep enough that people start paying attention. This is not some expenses for a duck house - it's on an entirely higher scale altogether, also because that just happens to contain data from an extremely sensitive investigation. Call me cynical, but I have long stopped believing in accidents.
PNN and GSI have been around for some 15 years or so - don't try to tell me they have as yet to develop a way to securely transport data of that level of sensitivity, because then I want to know how it is possible that Youth Justice cases (read: concerning minors) ARE going via email.
It's time to stop the excuses - it's all too easy to say, "oops, silly me again". Until there is some personal accountability introduced this is not going to improve, and an enquiry will at least start to heat up some rear ends.
I can confidently predict that absolutely nothing of consequence will happen to anyone in regard to this loss. If, and let us not prejudge the quality of the coverup before it is completed, the data was not encrypted then people must be sacked and told to find careers outside of the public sector.
If the public sector cannot be trusted with the data they demand from us, and all evidence available shows that they cannot, and they are unwilling to take professional responsibility for their lack of basic competence, then we must enshrine in law a new criminal offence. Losses of sensitive data should ordinarily result in convictions and jail time. We are, after all, compelled to provide this data, so it's not like we can simply use another provider.
Since matter can't just vanish into thin air, they must be *somewhere*.
1) damaged in transit - presumably the royal mail have procedures for items like this
2) stolen by employee - although unless it looked like it had money in it, not likely
3) wrongly delivered - worrying if there was no tracking
4) somehow in the wrong part of "the system" - a thorough search should locate them
5) stolen by employee  - deliberately targeted. Raises more questions than it answers
6) we are of course assuming they made it to the postbox ....
However, there is a certain life-affirming feeling knowing that Royal Mail can cock it up for the great and glorious as well as for the little guy.
I wonder how long the MoJ had to spend on the phone ?
For some reason this case comes to mind. A large number of police had been charged with conspiracy to pervert the course of justice, three innocent men having been convicted for murder on the basis of false evidence. Then some files were lost and the prosecution case collapsed. A while later the missing files were mysteriously discovered.
Has the UK official posting via an approved method of transport lost them or the carrier? I'd say the carrier.. 'IF' the official did everything correct and they're encrypted then there's no problem is there? Suspensions can be stated but do they actually happen and for the reason that is reported?
"'IF' the official did everything correct and they're encrypted then there's no problem is there?"
Lets, think..... YES. FFS YYYEEESSSSSSS THERE IS SOMETHING FUCKING WRONG!
If the individual has followed an approved protocol, they may be in the clear. But for the MoJ, pointing to the post office and saying "they lost it" is no excuse. They had the fucking data, they've lost it. Doesn't matter if they gave it to a tramp, to a motorbike courier, a postman, or a passing tinker, the wankers of the MoJ have pissed confidential data into the ether. I wouldn't trust donkey post for confidential material, why should the clowns at MoJ?
What's wrong with encryption and electronic transmission? The whole idea of taking digital data, burning to optical, and sticking in a post box is imbecilic for any organisational data, but there's a further implication about data security here, and that is that flunkies at the MoJ have the facility to export large volumes of data (which shouldn't be possible) and evidently without any effective audit and control (which is unforgivable).
Head should roll, and they shouyld be at the very least the head of IT for the MoJ, the head of IT security at MoJ, and whoever authorised the sending of this data by post. Of course, that won;t happen, and they'll continue to accrue an over-generous pension despite their incompetence.
Looking up the case, I found that Mark Duggan was in possession of an unauthorized firearm, and that he was believed to be a member of an organized crime gang. Given that, why would his death be politically sensitive, or, indeed, a concern to anyone except perhaps his immediate relatives? Isn't the whole country at war with drug dealers and the like?
We don't have capital punishment in the UK. The police can't go around executing people they suspect of anything.
The Duggan case raised enough serious doubts about the police conduct to be *very* wary of believing their truth of the matter. Something these disks might actually demonstrate - especially if it has *all* the police testimony there. Before it was "adjusted".
Allegedly in possession of a firearm. There's a couple of witnesses say that the gun appeared afterwards and the taxi driver said he had a phone in his hand.
Yeah, he looked pretty thuggy on Facebook; but that isn't normally an automatic death sentence (anyway he was a drummer and I think it's a job requirement to look at least a little sketchy). There are major discrepancies between witness statements and several versions of police statements and there's a lot of speculation on the web; but not too much in the way of hard facts.
Whether he was genuinely a gang-banger or whether the police involved are backpedalling frantically to cover up their mistakes is open to speculation without facts...if the latter then the facts could be politically sensitive, if not incendiary.
Us Brits tend to frown on executing people for being brown...that's more America's thing. If someone is executed then we want to know that there's a bloody good reason for doing so. With proof.
His death was politically sensitive, because at the time of his death, a lot of people in the area thought criminal gang members more trustworthy than the local police.
Many people think that the "unauthorised firearm" was planted, and the witness statements make this entirely plausible.
Some people rioted because nothing was being done about crimes committed by the police which they had personally witnessed. Others were just out for what they could get. See other websites for comments on the police failing to investigate their own crimes.
I do not recall anyone suggesting Duggan was an innocent bystander, only that the police were expected to be of a higher standard, and did not appear to be.
A bit of a comment on the state of IT systems in that part of the civil service really and I guess the training/awareness of the staff (that it went by post in the first place). Although to be fair when I had to send data to the DTI for the company I worked for there was a secure repository where I could drop of the files - which worked really well and that was about 12 years ago. I guess if you could start from scratch..... some company would make a huge profit and the project would fail....
1. Central gov employs hundreds of thousands of people, and deals with sensitive information all day every day. The likelyhood of a complete muppet doing this is pretty high. That does not mean that everyone in Gov is an idiot.
2. From my experience, private sector organisations are just as bad. Came across an example recently that made my mind boggle, but you'll never read about it in the paper as the company will never tell anyone and it wasn't personal data or anything covered by the data protection act so it is not obligated to tell. Stupid things government does ALWAYS ends up in the paper
3. Don't have enough information from the story, but posting a disk encrypted with very strong encryption may be appropriate given the outcome of the risk assessment. The headline might be fun, but actually it could be a non-story (but that doesn't sell papers or get unique vistors). Use the right encryption software and the disks will be nothing but coasters to anyone who doesn't have the NSA's encryption munching capabilities (maybe not even them depending on what they used to encrypt it).
Downvoted because it's irrelevant what private companies get up to. At the end of the day they are just that. Private companies. You can choose to do business with them or not.
Data held by the state is obtained under duress. Don't provide it - go to jail. Which is why it's imperative the state demonstrates it takes great care of this data.
Your tax money is the same. Obtained from you under duress. And look how carefully the government look after that. They would never lose that in the Royal Mail. (Although they may lose it in a Royal Mail sale).
"Downvoted because it's irrelevant what private companies get up to. At the end of the day they are just that. Private companies. You can choose to do business with them or not."
Lord Jimmy, with respect, I must disagree (not that my agreement or otherwise need have any merit or value). These days, whether from existing service contracts (third party or sub-contracted service delivery), or simply by transfer of negotiable currency, private sector organisations may have or be able to gain access to Government data. The same data you comment as being obtained under duress.
As a result, in cases where that is so, _I_ do _not_ have a choice as to whether to do business with them or not. I do business with them whether I choose to or not. yes, at one remove, but it's still my data, whether it be (now or in the future) health care, my driving record or any other, including tax activity, potential criminal past or any other form of 'Bad Person' check data.
I therefore, personally and without prejudice or assumption as to any other point of view, have to support the use of Private Sector practices as a valid supporting example of why the world is generally going to heck in a bloody handcart - and not _just_ when dealing with Guv'Mint.
Of course, I'm an Idiot - so I'm probably talking nonsense :-).
"The discs were password-protected but unencrypted"
What? Are you telling me that the data was in plain text? And how does the password come into play?
Maybe it's along the idea of the Irish virus? The first line of the data has a line that says "the password is xxx. If that is not the password you were thinking off, please do not continue."
I mean, there is no other way to interpret this, other than that the spokesperson has no clue and is committing the cardinal media management sin of making assumptions when talking to the press.
>What? Are you telling me that the data was in plain text? And how does the password come into play?
The disc contained the data + autorun.inf which executes a Windows program on the disc that asks for a password, when no password/incorrect password is provided, the disc is unmounted ... turn off autorun and "All Your Data is Belong to US".
Must be something like that - it has to pass Microsoft Certified Windows/Surface Security Experts auditing practices.
will be learned, or have been learned, or are about to be learned etc..... They haven't had enough time yet for the PR dummy to come out with those words (or did I miss it?). I have had recent experience of the private sector "taking care" of my personal data. A pensions firm (based in Manchester( which handles my mother's widow's pension required sight of my power of attorney for her and would not accept a solicitor verified copy ( which was countersigned and verified on each and every page). So I toddled along to their Cardiff office with my original document- I was not willing to entrust it to the Xmas post, special delivery or no. So they had all this info on me, my brother, our certified witness and out two people to be informed etc., you get the idea... When I got home, I found that they had emailed this document in the clear to their Manchester office. How do I know? They had copied it to my email address, to "keep me informed of progress". Whilst I was working up a form of words to the ICO an envelope arrives in the post which informs me that the copy I had provided was not acceptable as it was only verified on the first page. I phoned up and informed them that the copy was theirs and I considered it unacceptable that they had sent it, unencrypted, via email. A few days later another letter arrives - carbon copy of the first, unacceptable etc... Flame on, phones up, demands to speak to arsehole in charge of section, did a mars attacks on him, informs him the ICO know about his organisation, told him whose copy it was and I would like an apology etc. Apology forthcoming, grave error, not how we normally do things etc.... Letter arrives, no need to do anything, accept document, fulsome apologies, bullshit etc. The problem is that these private sector people operate like this all the time, I only know how they handled my data because I was accidently copied into the emailing! How do we have oversight on how private companies handle this stuff?
I can only suggest that the ICO develop a form of words that we can attach to any document to any company, public or private, that warns of legal action if they are found to have breached the conditions attached to our submission of our private data.
severely pissed off,
Someone whose data is already out there.
Was this the ONLY copy of the data or not? My impression from this is that disks were burned and dropped into the mail. Then the original was wiped from whoever's HDD. And for what it's worth, whether the original was wiped or not, I would hope that the disks were encrypted, but like other things mentioned in the article, nothing is clear.
Biting the hand that feeds IT © 1998–2019