back to article Blundering London council emails unredacted version of notorious Gangs Matrix to 44 people. Data ends up on Snapchat

Newham Council has been fined £145,000 after an employee sent out a mass email containing an unredacted version of the police database that ranks people's likelihood of gang-related violence. According to the UK's data protection watchdog, some 203 individuals' personal data was shared with 44 people, and screenshots of the …

  1. Anonymous Coward
    Anonymous Coward

    They knew who sent the e-mail - Were they sacked?

    From my personal experience if staff steal a couple of A4 notepad it'll be taken more seriously than breaches of this from a disciplinary perspective.

    It doesn't matter if the employer didn't have specific guidance on this document, we don't put signs up everywhere detailing what staff shouldn't break or steal. There's a need for common sense to start applying when it comes to information security across the board. People have to start feeling repercussions of their actions.

    I am absolutely not letting the council off the hook here, but part of the problem I face daily is the lack of acceptance by staff and management that people should be held responsible for their actions and when it comes to personal information it should be taken very seriously.

    1. LucreLout Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      part of the problem I face daily is the lack of acceptance by staff and management that people should be held responsible for their actions and when it comes to personal information it should be taken very seriously

      Yes, this is absolutely the core of the problem. I don't buy services from Talk Talk because I simply don't trust them after their leaks and woeful attitude of their board & CEO in the aftermath. If others choose to use them, that is their business.

      We, however, have no such choice in the public sector - we have to have public healthcare via the NHS, policing via, well, the police, and passports from the passport office etc etc It's a monopoly provision. Given that, we can't decline to have our data processed by these organisations and continue to enjoy provision of the services they exist to supply. It is for that reason that when data is leaked in this manner, careers must end: there's nothing else that will force them to take privacy and data security seriously.

      You've hit the nail square on the head when you suggest that theft from the stationary cupboard will be treated more harshly than spaffing our data up the wall like a half baked CEO.

      1. phuzz Silver badge
        Unhappy

        Re: They knew who sent the e-mail - Were they sacked?

        "we have to have public healthcare via the NHS, policing via, well, the police, and passports from the passport office etc etc It's a monopoly provision"

        Well privatisation is all the rage these days, so if you're really lucky some of these services in your local area will be taken over by Capita.

        I bet you can't wait.

      2. Anonymous Coward
        Anonymous Coward

        spaffing?

        I'm not British - what is this 'spaffing'?

        I know your former Foreign Secretary does it but any attempt I make at guessing what it might be harms my imagination and I'm at work so I'm not going to google it in case my worst fears are realised graphically.

    2. Anonymous Coward
      Anonymous Coward

      Re: They knew who sent the e-mail - Were they sacked?

      The staff member can always claim, if they haven't, they were never given training on data protection. This is the problem with local government. Sometimes the person at the bottom of the chain is innocent and under pressure from shit management. Shit management that are being forced to push through practices that aren't best practise. Some of these are yes people and just want to keep their job. We'd all like to stand up and say no, but when stuck with a mortgage, the difficulty of getting a new job and pressure, you can somewhat understand why said people act the way they do. Doesn't make it right though.

      "Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."

      I have no doubt they'll be in PR mode attempting to cover it up. The amount you read in Private Eye in the Rotten Borrowers section is shocking.

      Councillors should also be probed in this as, despite it being against electoral law, and a breach of the Councillor Code of Conduct, you'll still get some trying to force their views of "how to do things" and what to do with "reports". When in fact they aren't allowed to interfere directly with how a council or council officer does their job, but some still do.

      1. Anonymous Coward
        Anonymous Coward

        Re: They knew who sent the e-mail - Were they sacked?

        I've sat on disciplinary panels where staff have claimed "But I wasn't trained on information governance and protection". It's a legitimate defense too.

        But IG training is mandated these days by pretty much every employer so the issue because "why didn't you undertake your MANDATORY training?" the defense then shifts to "I wasn't given time"

        At which point you can pull out the hours they spent looking at holiday websites outwith break periods.

        1. Doctor Syntax Silver badge

          Re: They knew who sent the e-mail - Were they sacked?

          The best way to sort that one out would be that they have mandatory training, tested and get a certificate to prove it. Without the certificate they don't get anywhere near sensitive data and anyone who tries to force them to do so is committing a disciplinary offence and gets their certificate revoked. Needless to say anyone who then does something stupid like this also gets their certificate revoked. If there aren't any posts that don't require certification, tough.

          In the public sector, of course, there's an alternative: misfeasance in public office. We need ICO enabled to prosecute for that.

          1. low_resolution_foxxes

            Re: They knew who sent the e-mail - Were they sacked?

            The average person barely understands legal and regulatory standards. I consider myself a technical academic and frankly there are a myriad of regulations that I barely comprehend myself (perhaps being semi-aware is more confusing than unaware?).

            I always try to imagine the council worker is my gran in this situation. My gran can barely operate her VHS recorder, why would you think she'll a) read an e-mail and understand the legal ramifications in their entirety (as a lawyer would), b) have the technical capacity to be 100% certain the document your sending isn't confidential, c) is 100% capable of knowing the difference between "To:" "Cc:" and "Bcc:".

            In that situation - I recommend a big red text at the top making it clear to junior colleagues what the context is upfront. That way if they ignore the capslock red text warning "CONFIDENTIAL - DO NOT FORWARD. ASK FOR MANAGERIAL ADVICE AND USE THE BCc FUNCTION" and still fuck it up, no excuses, frankly someone needs to be fired (or for really terrible public sector workers, a quiet career change to become a trade union rep).

            My personal favourite is the spoon at work who continually sent out confidential Word documents with the full tracked change history visible (or even funnier, when he tried to hide confidential figures by hiding it behind a white 'text box').

      2. GnuTzu Silver badge

        Re: They knew who sent the e-mail - Were they sacked? -- Outlook

        Agreed, but insert here the discussion about how email programs could have better highlighting and prompts to warn when an email might be going to the wrong people. Of course, that won't get it 100%, and training and policy enforcement are necessary, but email programs need improvements too.

        Of course, if your email program comes from a monopoly (at lease in the business software market where software needs to fully support policy compliance), then you may find it hard to sack the software. Why else have the oh so obvious improvements come so slowly?

        1. low_resolution_foxxes

          Re: They knew who sent the e-mail - Were they sacked? -- Outlook

          That's a good point. It does not seem that implausible to get Outlook to have a data security mode that scans the e-mail addresses, when more than 2 people from external agencies are receiving a file having a popup to point out the bcc field has not been used - check it does not include sensitive personal info - then press confirm.

          It'll be just like software license agreements - many will ignore it anyway, but at least you have active and unavoidable control systems that must be intentionally ignored.

      3. Doctor Syntax Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        "When in fact they aren't allowed to interfere directly with how a council or council officer does their job, but some still do."

        As an elector I'd like to think that overseeing that council officers was what councillors were for. That way my vote might have some effect. As ever, British public life gets things arse about face.

        1. This post has been deleted by its author

        2. Mike Pellatt

          Re: They knew who sent the e-mail - Were they sacked?

          There's a difference between overseeing and trying to directly influence.

          A world of difference.

          If you can't see that, you're as bad as what seems to be 90% of our local councillors. I know of what I speak, having been one once.

          It's also those (apparent) 90% who ensure that morale and service quality in our local government remain appalling.

          British public life absolutely gets it right in principle. The elected body sets policy, and ensure that the resources are available to deliver it, the paid staff implement it. Of course, in local government that all falls apart thanks to the responsibility/authority mismatch enforced on LG by Westminster - all of the responsibility to deliver delegated, none of the authority to ensure adequate resourcing delegated.

      4. Alan Brown Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        Shit management - who will actively cover things up when they realise they've fucked up and then when the inevitable is unavoidable will do everything they can to push the blame to flunkies.

        The fines aren't nearly large enough and there aren't elements of personal accountability for management to drive the point home.

    3. jmch Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      £145k fine.... to be paid by taxpayers either directly or in reduced services.

      Unless there is personal responsibility (ie people personally fined or fired), these sorts of things will continue

      1. MachDiamond Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        "£145k fine.... to be paid by taxpayers either directly or in reduced services."

        That's what always baffles me. How can one department of government fine another department of government? Obviously, if the money is deducted from somewhere, they can't meet payroll or do the things that money was budgeted for and where does the money from the fine go? Lobster dinners for some other mob? Is it re-allocated to MOD?

        It's better to sack the bonehead and the person that hired them and then get everybody else properly trained and the software fixed. There has to be a gateway setting that can prohibit or limit recipients on an email or just put those messages on hold until somebody higher up hits the "ok" button the same way they do at large market's cash registers. If that forces somebody to send messages out one at a time, maybe they won't be so keen to hit "reply all" and limit where the message is going.

        1. jmch Silver badge

          Re: They knew who sent the e-mail - Were they sacked?

          "There has to be a gateway setting that can prohibit or limit recipients on an email or just put those messages on hold until somebody higher up hits the "ok" button..."

          Also, some gateway setting that delays emails sent (to all recipients or only those out of the organisation) by a couple of minutes, giving time to recall if it is caught in time. Won't be foolproof but at least can save some 'butterfingers' or 'temporary brainfart' moments

      2. Sam Haine

        Dock their pay.

        Docking a percentage of the pay of all the individuals responsible (all the way up the corporate heirarchy) would help to concentrate the minds of those who need to learn and save the Local Authority money. Win/win!

    4. Mark 85 Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      I'm not sure that the person who sent the e-mails is the problem here. The problem that needs to be looked at is "who released it to Snapchat?". Governments, businesses, etc. send confidential e-mails all the time. The issue that's been overlooked is who violated the standard of trust and released it publically.

      1. Doctor Syntax Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        I'm not sure that the person who sent the e-mails is the problem here. The problem that needs to be looked at is "who released it to Snapchat?".

        Both were part of the problem.

    5. adnim Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      Or at least disciplined, educated then suspended.

      Why fine the police? It's the tax payer funding this fine ffs!

    6. The Nazz Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      A paltry £145,000?

      No doubt the Chief Executive could pay that out of their salary (not to mention other remuneration eg pension) and still live a comfortable life.

      In other articles on here, ie HPE/Autonomy, the overwhelming sentiment appears to be that Apotheker, as CEO, was responsible for everything, including a detailed knowledge of UK published accounts and accounting standards.

      Applying the same logic, why isn't the Chief Executive of the Council being dismissed, together with the head of IT? As with our LA, they take the large rewards yet never accept responsibility.

  2. }{amis}{ Silver badge
    FAIL

    Does it count as a database?

    Given there appears to be no security or central control I'm betting that this "Database" is an excel spreadsheet or maybe Access at best.

    As far as I am concerned all copies of this disaster should be destroyed for its blatant violation of data protection controls, how the hell can it comply with the requirements to for accuracy and proportionality when the police clearly don't even know who has a copy?

    I am sure there is plenty of relevant data on proven violent individuals but I'm also willing to bet that the bulk of the people on there just happened to be in the wrong place at the wrong time.

    You can just see the wrecking the lives of innocent people. they go to work in an environment that requires record checks and only then finding out a copy of this $%1t was uploaded and they are blocked from a job because of the awful crime of wearing a hoodie after dark.

    Am I the only one that thinks the home office is being run by Constable Savage.

    1. Arthur the cat Silver badge
      Devil

      Re: Does it count as a database?

      Am I the only one that thinks the home office is being run by Constable Savage.

      At least he managed to nick someone rather than running interminable initiatives.

    2. Anonymous Coward
      Anonymous Coward

      Re: Does it count as a database?

      "having simply forwarded the email they received from the Met police"

      Well, there's the initial problem. Sending (Sensitive) Personal Data *by email* (and I really would be most surprised and impressed if it were actually an encrypted email) to the council in the first place?

    3. Anonymous Coward
      Anonymous Coward

      Re: Does it count as a database?

      All valid points and, in addition, the Met appear to have to sent the original + redacted versions over standard email - so unencrypted and insecure. This should also result in the Met getting a fine.

    4. teebie
      Joke

      Re: Does it count as a database?

      'I'm betting that this "Database" is an excel spreadsheet or maybe Access at best.'

      Preposterous. You show me where in the dictionary it says a database can't be a bunch of etch-a-sketches on a shelf.

      1. Yet Another Anonymous coward Silver badge

        Re: Does it count as a database?

        I think the technical term for a list of names, home address, aliases of a bunch of gang members sent out to other gangs is a death list.

        The police probably see it as a solution rather than a problem

        1. MachDiamond Silver badge

          Re: Does it count as a database?

          "The police probably see it as a solution rather than a problem"

          Plausible deniability. That's the government way. Why else do all of those laptops get stolen loaded with sensitive information by a gov worker that left said laptop on the car seat while they popped into church on the way home. A fictitious worker is sacked for being naughty and the information on the laptop can be used in ways that wouldn't have been permitted. They can use a name of somebody that was sacked in the proper time frame, there has to be 2 or 3 government workers that are sacked each year if not 6 or 7. That way if anybody digs they will find a sacked employee with the name given. I guess it doesn't have to be too close to when the laptop was stolen. Most cases like that the employee is put on leave (paid or unpaid) while the matter is being "investigated".

  3. fnusnu

    More taxpayers money making an internal transfer inside government.

    This is utter incompetence and someone needs to be sacked.

    1. }{amis}{ Silver badge
      Unhappy

      This is utter incompetence and someone needs to be sacked.

      There are many hands over this one that's why nobody ever gets fired from the civil service, the first rule is alway's to spread any responsibility as far as possible so no one person can be pinned for their incompetence.

    2. Anonymous Coward
      Anonymous Coward

      > This is utter incompetence and someone needs to be sacked.

      "Here's the list that John asked me to send to you. Please pass on to your anti-gangs team".

      This arrives in your shared mailbox. John is not in the office at that moment. What do you do?

      No mention of the sensitivity of the information. No mention of the difference between the two versions. No encryption with password being sent by a second channel; no warning flags as to how sensitive the data is. Nothing to give the person who received it any warning that it was anything other than the hundreds of run of the mill emails received every day.

      But it must be okay, because you know that you have a secure means for transferring sensitive information with the Police and if that isn't being used then it's okay, isn't it?

      1. fnusnu

        The Information Commissioner's Office said it was "unnecessary, unfair and excessive" to share the unredacted version with so many people and that the risks "should have been obvious".

  4. cbars

    Thanks for the explanation

    "The unredacted version contained data that wasn’t in a redacted version"

    1. Justin Case
      Facepalm

      Re: Thanks for the explanation

      Loving the quality of the journalism here - I am feeling better educated with every word I read.

      1. amanfromMars 1 Silver badge

        Thanks for the explanation .... but be aware of the possibility of unintended consequences

        Loving the quality of the journalism here - I am feeling better educated with every word I read. ..... Justin Case

        A note of caution for those fed on paranoia and drinking of the KoolAid of hubris, and a timely word to El Regers? .......

        “The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are.” …… H.L. Mencken

        1. Cliff Thorburn

          Re: Thanks for the explanation .... but be aware of the possibility of unintended consequences

          “The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are.” …… H.L. Mencken

          And why would an individuals mindset change to such?, no smoke without fire perhaps?

          I mean its not as though any sophistication Western Country would embark on such frivolous activities such as psychological torture, abuse, and intentional infliction of emotional distress on one of its citizens surely?, perhaps even worse, unlawful human experimentation?, or genetic modification?, the list goes on.

          Of course such activities would only happen elsewhere, right?

          1. amanfromMars 1 Silver badge

            Is it still too much of a Quantum Leap for many currently? Oh well ... Onward for a Few then

            And why would an individuals mindset change to such ....[to be able to think things out for oneself, without regard to the prevailing superstitions and taboos.]? ......... Cliff Thorburn

            Natural human progression? Alien Advancement? Virtual Machine Programming Rethink?

            And that's only three very likely positive, possible reasons, CT, with all of them having an extraordinarily high probability of being a universal default improvement for a greater mutually beneficial and exciting co-existence with other elements in fundamental components ....... aka media hosted realities.

            Anything lesser has one surely trapped and tricked/captured and conned into servering a feudal lauded federal system stuck in the past? And one would have to be surely mad to think that acceptable in any day and age or place and space.

            1. amanfromMars 1 Silver badge

              AIMadness Outed in Systems Abusing You

              Is that the stock undereducated human condition in failed and rapidly failing exclusive elite executive office SCADA systems of administration .... Arrogant Ignorant Madness with petrifying self destructive bouts of hubris highlighting myriad series of psychotic episodes?

              1. Cliff Thorburn

                Re: AIMadness Outed in Systems Abusing You

                It certainly does nothing to support the perpetual ‘well being’ of either the behaviour or mindset of an individual so overwhelmingly promoted by face values, but demonstrates nothing other than sheer rampant frustrations of such failed Scada systems and crossover conflict-ions in both Live Operational Virtual Environments.

                Garbage instructions in = Garbage Results out.

            2. Cliff Thorburn

              Re: Is it still too much of a Quantum Leap for many currently? Oh well ... Onward for a Few then

              “Anything lesser has one surely trapped and tricked/captured and conned into servering a feudal lauded federal system stuck in the past? And one would have to be surely mad to think that acceptable in any day and age or place and space.”

              And one would completely agree with such amFM, however like the dog chasing its tail, it would of course help if such media presentations would present such solution rather than repeatedly bleat such nonsense as ‘You ran’ would it not?, which of course is, as such with all presentations thus far simply being a pre fabricated regurgitation of lies if it did not align correctly with the program?

              1. amanfromMars 1 Silver badge

                Checkpoint Charlie ..... For More than a Walk on the Wild Side.

                Fortunately, CT, there is alway at least this one systemic easily exploitable vulnerability full of crazily available opportunities which just keep on giving ........

                Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. .... Albert Einstein

                Can you believe that is what makes everything so simple for some, who may or may not be just a chosen few, to do everything they want to without anyone ever knowing how very easily everything is done.

                Is it any wonder that simply complex plain texted information on and in novel out of this world developments, and suitably beyond corruptive command and subversive perverse control, is so absolutely terrifying to failed intelligence operations. And what sort of an answer to such is an ineffective knee jerk reaction which delivers the white feather defence of fight or flight or FUD rather than a SMARTR Engaged AI Deployment and Remote Virtual Employment well worthy of the preeners of three feathers.? :-)

    2. Andre Carneiro

      Re: Thanks for the explanation

      Beat me to it... ;)

    3. mark 120

      Re: Thanks for the explanation

      I took that to mean that it contained additional rows or columns, i.e. someone had added further information to that version and not replicated it in the original.

  5. Chris G Silver badge

    I am not sure that the Met should even be sending an unredacted version to the council in the first place. Why would the council need all of thst info?

    The 'Savage' approach to policing is bad enough but allowing council clerks access is not responsible, having worked in and with a couple of councils I don't trust them with any of my data.

    Not surprised Newham has cocked up, Cockups R us could be on the borough coat of arms.

    1. Anonymous Coward
      Anonymous Coward

      Revs and Bens would like such info along with any internal Housing department. After all, you don't want "gang" members in your social housing as you know they'll probably never pay the rent.

      1. Anonymous Coward
        Anonymous Coward

        They may pay the rent. Crack houses are quite profitable, why cause unnecessary problems?

        1. Anonymous Coward
          Anonymous Coward

          Because most are stupid and don't. You'd think they'd learn not to draw attention to themselves. Others just use cuckooking.

    2. MachDiamond Silver badge

      Is it a policy to send redacted versions with obvious redaction such as blacked out information, headers, etc? Does an un-redacted sensitive document have "un-redacted, sensitive" label on the top? It's not always obvious what might be considered sensitive. The police would know better than some local council members in their first term. If you get a document with a load of recipients or CC's, you might not think that keeping mum is in order.

      I do agree that the council probably didn't need to see the document. They may have only needed to know that it exists, the type of information that it contains and that it can be viewed at the police station or by special application.

  6. Thoguht Silver badge

    Fining a council?

    That's almost in the same league of stupidity as fining the NHS or a local health trust for a medical mishap. If you fine a council, the people who pay that fine in the end are the residents, not the people responsible for the breach. If there were personal liability at the top of the hierarchy, just as there is in the case of software piracy in a company where the directors are personally liable, then I think you'll find these sorts of things will happen much less.

  7. Doctor Syntax Silver badge

    It's difficult to know what to do when confronted with incompetence of this nature. It's not just the initial breach that's the problem. It's also the attitude that the council decided they could deal with it as an internal matter. Either they didn't know about the GDPR provisions about reporting or simply decided they were too important for that. I'd like to think there was a mechanism for placing them under some sort of adult supervision but where would one find suitable adults? Certainly not in central government.

    1. Doctor Syntax Silver badge

      One possible solution occurs to me. A couple of decades ago I had a gig working with material which had similar sensitivity. I and everyone else had to have clearance to S/C. Shouldn't council staff with this exposure also need clearance?

      If anything the need should be greater than in my gig as the whole of the database is going to be local to the area from which council staff are likely to be recruited. Without clearance there's an unacceptable probability that a data subject might be known or even related to one of the staff.

      A failure like this should then result in the entire command chain losing their clearance and having to be redeployed within the council if they were even able to retain their jobs. This would result in greater awareness of all those involved about their responsibilities and what actions would be permissible.

  8. andy gibson

    How did the gangs get the information?

    From what I can see in the article, data went out, but to relevant responsible people tackling gang problems.

    So how did it end up in the hands of rival gangs on Snapchat?

    Yes, the council employee is wrong for sending the data in the first place. But isn't one of the recipients guilty of re-sharing here?

    1. Chris G Silver badge

      Re: How did the gangs get the information?

      Once a document gets into a council office, the world, his missus, snot nosed kids and his dog have access, council clerks are locals and are as likely to know some of the 'naughty' boys as anyone else. I have also seen desk tops left on all night to save firing up in the morning so the cleaners or anyone else in there at night could have access.

      The best security in a local council is when there is a meeting in the chambers, nobody gets to know what is discussed there.

  9. Anonymous Coward
    Anonymous Coward

    Newham Council haven't been fined £145k, Newham council rate payers have been fined £145k through no fault of their own. This is not holding those responsible to account and punishing them appropriately.

  10. Anonymous Coward
    Anonymous Coward

    Hopefully a few of the gangs will now dispose of their enemies

    See the leak as an aid to garbage disposal, and a public service

    1. Anonymous Coward
      Anonymous Coward

      Re: Hopefully a few of the gangs will now dispose of their enemies

      It rarely works as you would like - key people are removed and then the two gangs become one larger, more powerful unit as they tend to control a larger area for their favored trades.

      1. Korev Silver badge
        Coat

        Re: Hopefully a few of the gangs will now dispose of their enemies

        It almost sounds like the way corporate mergers and acquisitions happen; or Murders and Executions as Patrick Bateman would say...

      2. Alan Brown Silver badge

        Re: Hopefully a few of the gangs will now dispose of their enemies

        "key people are removed and then the two gangs become one larger, more powerful unit"

        There _are_ ways to take the wind out of gangs. The prime reason they exist with the power and danger they do isn't "cred", it's _money_ - specifically the insane profitability associated with drugs(*) and trading in stolen goods to pay for them.

        (*) A medically pure knockout dose of heroin or cocaine is less than a pound. It's a hell of a lot more on the street and cut with "godknowswhat". Every pence of the difference is why you have gang wars.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hopefully a few of the gangs will now dispose of their enemies

      Might be worth remembering that the "enemies" of these gangs - as seen by the gangs - just might not actually be members of other gangs. And even if they are, their murder, as you are apparently "hopeful" of, might be disproportionate. And even then, more murder - even of supposedly worthless gang members - is unlikely to make a positive contribution to the wider public interest. Especially if the "winners" of such a gang war are the most ruthless, violent, and best armed of the lot.

  11. Anonymous Coward
    Anonymous Coward

    The council probably will say that lessons have been learnt or something like that.

    1. Anonymous Coward
      Anonymous Coward

      Only to be forgotten a few weeks later so the less will be learnt again the next time it happens.

      :/

  12. zaax

    On of the problem is pay; if you pay peanuts you get monkeys

    1. Anonymous Coward
      Anonymous Coward

      Yes. But unfortunately increasing the pay doesn't solve the problem, as you already have the monkeys installed.

      You turn them into better paid monkeys.

      1. Ommerson

        Councils face a real problem when it comes to employing competent - and particularly experienced - IT staff and developers. There's a skills shortage industry-wide, and when you're one of the lower payers, and perceived to be neither competent, nor an exciting place to work, the result is never likely to be great.

        The government's clamp down on IR35 in the public sector has made this much, much worse as this is how the skills gap used be filled in many a council.

        Councillors rarely have any insight or experience here either. It's hard to imagine them coming to the conclusion that they need to employ more competent people and pay them more in these roles when they're simultaneously contending with year-on-year budget cuts.

        Under GDPR there is now individual responsibility and culpability for the data protection officer. Who on earth would do this job?`

  13. Anonymous Coward
    Anonymous Coward

    Weasel Words, Nothing Will Change

    Others on here are making the same point, but it bears being made until it's heard and acted on:

    "Newham Council has been fined £145,000" gives the distinct impression that guilty parties working for or elected to the council are in some way being penalised.

    They are not, though they should be.

    Until those responsible are punished in person, nothing will ever change.

    By responsible, I mean all of those formulating and enforcing inadequate security policy and those who make the individual screw-ups.

    Feel free to suggest cruel and unusual punishments here, we might as well enjoy the fantasy. I don't expect to see effective measures in my lifetime.

  14. adam payne Silver badge

    However, in this case, a staffer within Newham shared both versions, having simply forwarded the email they received from the Met police with the January version of Newham Matrix.

    This person has since been retrained.

    Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe.

    Internal review found nothing, doesn't surprise me.

    Cue the usual statement, we take privacy seriously blah blah blah, lesson have been learnt blah blah blah.

    1. Alan Brown Silver badge

      "Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."

      In some countries, covering up like that results in a multiplier of the fine being applied - and the decision to coverup _IS_ criminal misfeasance.

      Of course getting the Met to accept a criminal complaint is impossible because then they'd have to admit culpability too.

  15. Reality_Cheque

    ICO gets 145k. Victims get nothing.

    We have seen breach after breach of privacy by phone companies, councils, and other organisations. The ICO gets richer, and the victims get nothing.

    In this particular case, I can live with it. A gang member doesn't deserve anything even if his privacy has been breached, but in almost every other case the victims deserve compensation yet receive none at all.

    If data is negligently shared then each victim should receive £20 as a MINIMUM as an apology. It's not much, but it will encourage companies to not keep too much data in the same place, don't you think?

    1. Snowy Silver badge
      Thumb Up

      Re: ICO gets 145k. Victims get nothing.

      Considering the fine was £145,000 for sharing 203 people's private information maybe £714+ might be a better figure if your going to compensate the victims?

      1. JassMan Silver badge

        Re: ICO gets 145k. Victims get nothing. @Snowy

        Nice idea as a general rule but in this case most of the victims by definition are violent criminals. Paying them 700+ each would allow them to go out and buy better guns and knives or higher quality drugs to sell on at higher profit margins.

    2. Anonymous Coward
      Anonymous Coward

      Re: ICO gets 145k. Victims get nothing.

      "A gang member doesn't deserve anything even if his privacy has been breached"

      What? Some person, without any judicial process being followed other than a copper's 'through my judgement and experience' that a certain person is a 'gang member' spaffs their personal details to rival gang members, there's a murder of one of them, and they don't deserve any recompense if it turns out the council was responsible?

      Are you a complete idiot or something? Do you read the Daily Express? Is you brain broken in some way that excludes a sense of compassion?

  16. Jamie Jones Silver badge
    Facepalm

    Doh!

    At first I thought "why would they send this to a bunch of youth offenders.. redacted or not?"

    Then I realised that's probably not what "Youth Offending Team" actually means...

    1. JassMan Silver badge

      Re: Doh!

      Yes. You forgot we live in a land where we have "Police and Crime" comissioners. I always thought criminals were pretty good at commisioning their own crimes without help from officials. A job title with conflict of interest built in!

  17. itbod

    Reminds me of a blog article from 2015 about the Sony hack

    https://veoci.com/blog/sony-hack Sony Hack Lesson - Sensitive Content, Get out of Email, FAST.

  18. Anonymous Coward
    Anonymous Coward

    Gov Workers /No Expertise required

    Unencrypted, and through email?

    We're talking about an excel sheet here not an actual DB...

    This is what you get when you hire Glorified Clerks instead of Data Personnel with IT/IM Training.

    1. Doctor Syntax Silver badge

      Re: Gov Workers /No Expertise required

      Glorified?

    2. Ommerson

      Re: Gov Workers /No Expertise required

      A reliable assumption in local government: Anybody without a professional qualification (e.g. borough solicitor, survey, planning officer) is incompetent. Those with a professional qualification may be too - particularly if that skill could be used elsewhere more profitably.

  19. Anonymous Coward
    Anonymous Coward

    I found something similar here in the US

    I found a insecure database of high-risk offenders while just casually surfing the web:

    https://www.congress.gov/members

  20. Anonymous Coward
    Anonymous Coward

    Now, if only someone could propose send the council CEO to prison for these offences

    In the same way as is being suggested for leaders of tech companies.

    1. MachDiamond Silver badge

      Re: Now, if only someone could propose send the council CEO to prison for these offences

      I think that the best you might get is dismissal and a ban from government employment for several years. For the really naughty, loss of pension standing.

      The Thieves Code won't allow passing laws with harsh penalties on politicians by another mob of politicians. It smacks too much of cannibalism and why would they pass laws that might put them in prison themselves at some point?

      1. Anonymous Coward
        Anonymous Coward

        Re: Now, if only someone could propose send the council CEO to prison for these offences

        Like lawyers and the police, they close ranks when one of their own is under attack.

  21. Anonymous Coward
    Anonymous Coward

    And the unsatisfactory outcome

    Is thanks to yet more <expletive deleted> incompetence by BRITISH politicians.

    You're welcome :(

  22. Anonymous IV
    Joke

    Grossly negligent

    If Newham Council were grossly negligent, surely they should have been fined £144k not £145k?

    (Asking for a gang member.)

    (Oops...)

  23. TheTick

    "Newham Council"

    Say no more friend. Say no more...

  24. Anonymous Coward
    Anonymous Coward

    Redaction lite

    More than once, I've been tasked to publish a "redacted" PDF document on the web.

    The authors had employed the "lite" version of redaction: black boxes over existing text.

    However, when printed or highlighted with the cursor, the entire text was exposed.

    Many people understand privacy, just not how to achieve it.

  25. gcarter

    Fine culture

    I understand that organisations / companies etc need to be held accountable for when they're are breaches like this one.

    Unfortunately nowadays, its becoming almost a cultural thing... fine the hell out of anything, everything and everyone!

    Look at all of the companies popping up to cash in on this "fine culture" PPI fines been the most notable.

  26. JSIM

    "people's likelihood of gang-related violence."

    What does this mean? Can anyone tell without being a mind reader?

    More steaming excrement hits El Reg's pages. A daily occurrence.

  27. earl grey Silver badge
    Mushroom

    What i want to know

    Is who (and how many) may be on that list who aren't really members of any gang or criminal group and have just been slandered?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019