USB key to 4,000 vulnerable people's front doors lost Leicester City Council has misplaced a USB stick containing personal details of 4,000 vulnerable and often elderly users of its care service. The data has disappeared from LeicesterCare, the council's vulnerable residents' support service. Along with personal information, the stick also has key codes for 2,000 people, which …
I propose a new kind of USB memory device that will be mandatory for all public sector workers. It needs to be the size and weight of a breeze block.
It will remind them to always ask themselves "do I really need to take this with me" and if they do, they will know pretty soon if they aren't carrying it anymore.
Every time they check their breeze block key into the safe storage area at work, their boss should give them a gold star for being a good boy/girl.
First boy/girl to get 10 stars can have a free glass of orange squash and an extra 5 minutes lunch time.
Treat them like children, it's the only way.
...was this data held on a USB stick?
I can't see any reason why someone needs 4000 codes on a USB stick. The main DB should be on a secure sever, then a care worker should be given the 10 codes they need. If you do need to move 4,000 codes why not just put them straight on a laptop rather than a piddling easily lost USB stick?
@Simon Neill: The reason is because the cost of any security is higher than the cost of liability, which is zero. This is an abysmal breach of trust, but it will be forgotten in 6 months and adds nothing to their bottom line. So they'll do it again next year.
The funny thing is if they'd lost actual keys to actual doors (I mean physical keys), they'd be screwed. If the owners didn't sue them, the insurance companies would.
is not zero - there's all the running around phoning and resetting codes people are doing, the bad publicity, answering all the 'when will i be burgled?' phone calls, and it could cost a councillor their seat.
Not as high as you might like, but not nothing.
The question remains, did their IT people approve this way of keeping these sensitive data?
a false assumption on 2 counts
Under the new DPA rules, the first bill is up to £500k, since april last year. (loss of S2/DPA98 data)
ICO hase been going easy with the new rules in the last couple of similar cases, so I would guess the cost of the lost USB stick will be in the region of £80,000 to £120,000
Secondly, if any of these people are broken into or suffer any other lose as a result of the negilgence of LCC, the person (or more likely their insurance company) can recover some or all of the amount through civil action.
True it would be difficult to prove the loss was solely down to LCC, and it would probably not be economical to pursue the action, but some times people and companies do pursue such claims.
"we have been assured by our supplier that the information on the device is not accessible to anyone who may find it"
Translation - "It's in a file format made by our application that we can't open except with that app but it's not encrypted and probably anyone with a bit of savvy and 10min could open it but we're not going to say that coz the information commissioner is about to get medieval on our asses anyway and the Chief Exec would like to finalise his retirement package before the fine hit the doormat."
yeah, those letters of his send a chill through the spinal column
"don't do it again or you will get another one of these letters"
shocking stuff. Does he use a bigger font for the second letter? We will never know, nobody has dared incur his wrath twice!
In other news, I can see a flying policeman.
No, they still uses the same font as they did 18 monthes ago, they just get to write a 6 digit figure in there instead, followed by the words "YOU OWE US".
Did note that HMG chickened out of giving the ICO the same powers as the FSA has for the loss of personal data. (Nationwide 7 digit number!, for a laptop stolen from inside a locked house)
... You most definitely are not meant to take it that way...
If the data as encrypted, the third party supplier would have explicitly said so. The council would be screaming it from the rooftops.
The fact that they aren't anywhere near the roof tells me that this is most likely data in an obscure format. Knowing public bodies, probably Microsoft Works.
Someone needs to give these people a kick up the arse.
Why do they need a key to a box with a key in it? Surely they could cut out the bollocks and just have the council keep the key that would otherwise be in the box?
Ooooh, for security you say? Well in that case I propose a key to a box in which is a box with a key in it for the box inside that box where there is another key (add layers of "security" as appropriate).
/obligatory:
yo dawg I heard you like keys in your boxes so we put a key in your box so you can key your box while you put the key in your box.
One key benefit of this is to allow the council to give emergency accommodation to vulnerable people at very short notice without having to dig someone out of their bed, wait until they get to site then mess around doing handovers. If the decision is made to give someone emergency accommodation then give them the code to the box, they get the key and can go in immediately.
I think the idea is NOT so someone requiring emergency accomodation can get in, but more, as stated in the article, that it allows care workers to get into the homes of the elderly and infirm. Instead of having to check in and out hundreds of keys to doors, the workers get a list of calls, with a code to open the little box and use a key they know works.
The alternative = keys with addresses on tags (really secure when they lose that)
or someone pressing their emergency call button and the response team spending 20 minutes going though a bundle of 50+ keys to kind the right one.
Also if a carer has visited that day and an "emergency" extra visit is called, but that carer is halfway across town, nearest worker can get the code via SMS and help out.
My father is disabled and for a time had a care worker visit twice a day. The idea behind these was that a spare key to the front door was kept in a metal box with a combination lock bolted to the wall near the door.
The care agency have the code to the box so if they arrive and the door is locked, rather than waiting for the occupant to make their way to the door to unlock it (or if there has been an accident or fall and the resident can't get to the door), the care worker can just let themselves in and you (theoretically) don't have the security risk of handing over your door key to an agency.
Plus, if there is more than one care worker who visits (as they work shifts it may be a different person at different times of the day), you don't need to give each one a key, they just all have a copy of the box code.
I've said it before, I'll say it again, the only reliable way to ensure that data isn't lost on mobile devices is to introduce personal liability on the person who authorised its removal from a fixed storage server/device and the person who lost it.
First offence: a kick in the nuts/female parts from everyone whose data was lost/compromised. In this case, that's 4000 kicks in the nuts/female parts each; as they may be old/vulnerable people, they can delegate the kicking to a professional nut kicker of their choice.
Repeat offence: unlikely to happen but if it does then it should be considered as a capital crime.
Meh I'll knock it off the wall with a hammer then get to work on it with a big petrol powered disc cutter.
Also the ICO has started issuing fines for DPA breaches. So it ian't fanciful to expect this lot to cop a fine. The only bother is that it'll be paid by local tax payers. The personal liability idea would work but the unions would never allow it.
http://www.computerweekly.com/blogs/the-data-trust-blog/2010/11/ico-issues-first-fines---but-h.html
So the first thing that will happen is every piece of scum will put thier feelers out to find this stick so they can either use the info, or sell all or bits of it off!
Absolutely fucking disgusting to put people at risk like this! Some arse-munch in a council office, right-now, totally oblivious to the lives they have put at risk by losing this info.
This news once again stands as testament to the fact that current storage security solutions for removable storage are not adequate or do not fit the way that users and organisations need to operate in order to remain efficient and productive.
Complex endpoint security solutions that only allow specific USB devices or approved removable media to be used are extremely expensive and cumbersome, which almost certainly led to Leicester City Council relying on the rather out-dated need to lock up the memory stick in a safe every night.
By using a solution that could remotely self destruct the data the moment they realised the memory stick had been misplaced would have afforded them an extra level of security and protection.
"we have been assured by our supplier that the information on the device is not accessible to anyone who may find it"
[[not accessable to "anyone"]]... just to that particular group of people who might have, oooo dare I suggest, a computer?
Kill the person who lost the USB stick, kill their supervisor for employing them, kill the IT security head who didn't secure their IT system, kill the security person who let them leave the building with it. There's far too many of these blinkered useless phukwits earning disposable income these days. Our economy can no longer afford to feed them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
